Thomas Siu is Michigan State University's new chief information security officer. As CISO, Tom leads the Security Engineering; Security Operations; Incident Response; and Governance, Risk and Compliance teams within the Information Security department and is responsible for the university-wide information security strategy.
Siu is from the Cleveland, Ohio, area and came to MSU from Case Western Reserve University.
“I'm really excited to come to Michigan State and learn another organizational structure, a whole lot of new people, and build new relationships,” says Siu. “I hope to bring what I have in terms of experience and goals to help develop the leadership among IT teams and the security team overall, and help Michigan State become a little more agile from an IT standpoint and able to respond to the constantly growing security threats.”
Siu shares his definition of information security and says it’s important to distinguish between data and information.
“We keep thinking about how we are protecting information by balancing out the risk of deploying it, giving it away, and making it more broadly available to the community, because that's what the mission of a university is: to discover knowledge and disseminate it and share it.
“I didn't say data. I said knowledge, and knowledge is on the top of the stack of information. So I have data that helps us define information, and then you use that to create knowledge. Protecting that means making sure its integrity has not been modified. Knowledge grows and evolves. As the chief information security officer, my role is to help ensure that all the IT systems and all the workflow that goes on around that helps the education and research missions achieve their goals.
“I'm essentially going to be Michigan State's IT risk manager. And that means not running away from risk. It means taking some and understanding what those qualities are that it takes to take risks without exposing us too far. Obviously, information security in higher education has run into broad challenges as we've moved a lot of things into cloud-based resources. It's clear that information technology has revolutionized how higher education works in the last 20 years.”
Siu talks about some of his short- and long-term goals for information security at MSU.
“We are really going to refine the security strategy for the university, the information security strategy in particular. I'm looking forward to connecting with decision makers and stakeholders to get their input on how we make decisions on the information security side because we don't succeed when we make decisions in a vacuum. That's a key lesson learned from working at any university. There are stakeholders and they have varying points of interest, and sometimes how research is done in higher education often means you've got government requirements to lay specific security programs.”
What are the challenges and opportunities in achieving these goals?
“The very first one that's obvious to us all is that COVID-19 has changed the way we operate. It's changed the economy of the world. Most of Michigan State is virtual and remote, and that changes the threat envelope, or the threat exposure, of user computers working remotely from home. They don't have some of the same controls to protect them from attack from internet-based sources. And so that's spread out our threat surface. That's probably the top thing right now: how we help users who weren't used to working from home and now have been doing so for several months.
“The second piece is, Michigan State had a ransomware attack last spring. The attackers have pivoted the way they adjust their response because they want money. And they've been demanding ransoms by encrypting your infrastructure and taking you offline, out of business. And now they've actually pivoted to exfiltrating data and threatening to disclose that, especially if it was sensitive information. So now do you trust them to not disclose it if you pay the ransom? I think that's one of the problems we have to deal with all together. And that's not just Michigan State. I'm pretty much certain that's everybody in the higher education environment, plus anybody that has any IT infrastructure exposed to the internet, which is pretty much everybody.”
October is Cybersecurity Awareness Month. Phishing and spoofed emails are areas we all need to be more aware of.
“We want to make sure people are aware that if you receive emails that have what looks like an attachment or an invoice that may be mirroring a business process you're familiar with, you have to still be very wary of those. That is how most of the ransomware attacks are still occurring. They send you an attachment and the email systems don't filter that out. And oftentimes it's a Microsoft Word document that you have to download and operate, and it will take advantage of unknown vulnerabilities within your desktop and then start to infect your machine. And then it works its way across your network, and that can happen at blistering speeds.
“The second thing to think about, that I've seen in the past five or six months, is still the spoofed email. The attackers look up your department directory and they see who all the faculty members are. They spoof in the name of one and they say, ‘Hey, I need your help.’ That's their classic gift card scam. ‘I'm in a meeting and I can't get back to you right now. So just send me this stuff. Can you go buy me some gift cards and I'll pay you back? I promise.’ And that has turned out to be something that people are quite susceptible to.
“We are going to be making some more concerted campaigns about using two-factor authentication throughout all of Michigan State University's authentication environments.
“I look forward to coming up to the campus. I live in Ohio right now and am working remotely. At some point you'll see me around campus. I wear a cowboy hat and boots. I think that'll fit right in with the Spartans.
“There are challenges to higher education. It starts with data, moves to information, then moves to knowledge. Those three different steps have security issues in each one of them. Security is going to be able to enable and enhance a number of those things and hopefully inhibit the problems that do occur from being in a world where respect for boundaries like that on the internet is gone. It's important for us to understand that and understand where we're going. And I hope to bring that sort of focus and attention to these issues throughout my future here at Michigan State University.”
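The display-name spoof and gift-card lure Siu describes above, as an added example that is not part of the original article and is not MSU's own tooling: a small Python checker, built on the standard library's `email` package, that flags a message whose From display name matches a name scraped from a public directory while the actual sender address is outside the institution, whose Reply-To differs from From, or whose body carries the "in a meeting, buy gift cards" phrasing. The directory names, the `example.edu` domain and both sample messages are constructed for illustration only.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample directory: names an attacker could scrape from a public
# department page. Hypothetical names and domain, not real MSU staff.
FACULTY_DIRECTORY = {"Jane Doe", "Sam Example"}
INTERNAL_DOMAINS = {"example.edu"}

# Phrases typical of the "I'm in a meeting, buy gift cards" lure.
LURE_PHRASES = ("gift card", "in a meeting", "can't get back to you", "pay you back")


def _norm(name: str) -> str:
    """Normalise a display name so 'Doe, Jane' and 'jane doe' compare equal."""
    parts = [p for p in name.replace(",", " ").lower().split() if p]
    return " ".join(sorted(parts))


def analyze_message(raw_message: str,
                    directory=FACULTY_DIRECTORY,
                    internal_domains=INTERNAL_DOMAINS) -> list:
    """Return a list of reasons the message looks like a display-name spoof.

    An empty list means nothing suspicious was found.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # 1. Display name matches someone in the directory, but the real sender
    #    address is outside the institution: the classic spoof.
    known = {_norm(n) for n in directory}
    if display and _norm(display) in known and domain not in internal_domains:
        reasons.append(
            f"display name '{display}' matches the directory but sender "
            f"domain '{domain or '(none)'}' is external")

    # 2. Reply-To points somewhere other than From, so replies reach the
    #    attacker even when From looked plausible.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To '{reply_addr}' differs from From '{addr}'")

    # 3. Body contains the urgency / gift-card lure.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure phrases in body: " + ", ".join(hits))

    return reasons


# Constructed sample messages (not real mail).
SPOOF = """From: Jane Doe <jane.doe.office@gmail.com>
Reply-To: jd.office.desk@outlook.com
To: staff@example.edu
Subject: Quick favor

Hey, I'm in a meeting and can't get back to you right now. Can you go buy
me some gift cards and I'll pay you back? I promise.
"""

LEGIT = """From: Jane Doe <jdoe@example.edu>
To: staff@example.edu
Subject: Agenda

Attached is the agenda for Thursday's meeting.
"""

if __name__ == "__main__":
    for label, raw in (("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        print(label, analyze_message(raw) or "no findings")
```

The directory comparison is deliberately loose (order-insensitive, case-insensitive) because attackers copy names exactly as they appear on the department page; in production the directory would come from the identity system rather than a hard-coded set, and the check would sit alongside, not replace, SPF/DKIM/DMARC evaluation, which this example does not perform.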