In-Depth

Security in the University, Part 2 of 2

Ohio State University’s CISO Charles Morrow-Jones looks at the cost of guarding against breaches, plus a best practice for all IT shops.

• By Chris DeVoney
• 07/03/2007

Charles Morrow-Jones is Director, CyberSecurity for the Ohio State University in Columbus, Ohio. He is an 18-year veteran at the institution serving in various information-technology administrative roles since 1990 and is a graduate of OSU. He has taught information technology courses at the University of Colorado, Boulder.

Ohio State, Columbus has the highest student enrollment of any university campus with 51,818 students. The university employs almost 32,200 people and includes its academic hospital, the Ohio State University Medical Center, which has its own IT staff and CISO.

In the first part of our two-part series, Mr. Jones spoke with Enterprise Strategies’ Chris DeVoney, an IT specialist within the University of Washington’s School of Medicine, about his experiences and the impact of a distributive, collaborative university environment on security. This week Mr. Jones addresses the cost of mitigating breaches, responding to problems promptly, and the importance of guarding assets 24/7.

ESJ: Do you find the cost to mitigate the breach more than, less than, or equal to the cost of implementing security in the first place?

CMJ: I think the cost of an individual breach is less than an overall security effort. The breach with the SQL injection involved about 17,000 people. It happened two months ago and we are still seeing costs come in, but the costs so far are mid-six figures. It doesn’t take too many of those to fund a pretty high-powered security effort.

The message I’ve conveyed is, “Look, if you do nothing, you’re going to have more beaches. I can’t tell you how many a year, but there will be definitely more like this and you’ll spend six figures again. Do you want to get nicked for six figures two, three, or four times a year, or do want to try to expend some funds now and reduce, but I can’t say ‘eliminate,’ breaches.”

The folks here viewed the 17,000 as a major breach, but look at what its cost UCLA to have a breach in the 700,000s than the ten-ish thousands. I’m hearing they spent a quarter of a million dollars just on postage.

The whole breach-cost versus prevention-cost is coming into sharp focus around here. We have the financial types engaged now applying classic risk analysis, looking at the risk of a breach, and the cost if there is a breach. We have some real hard numbers for that and what’s the cost to decrease the probably of the breach. Sorry, that was my soap box.

Traditionally, universities have been slow to respond to computer security issues. Why is that?

I think up to this point, there have been too many places that were deemed higher priorities to put limited resources. I know everybody has rather limited resources. One thing universities can’t do that the private sector can do is change their bottom line, at least quickly.

In the private sector, you have flexibilities to make security help the bottom line and get a bigger slice. In higher education, it’s a long, slow process to increase the size of the pie, so either you get increased state aid, increase tuition, or receive an increase in the overhead funding from grants, and all of those take time.

There has been a more tightly-constrained environment for higher education, particularly in the rust belt, over the last few years. We went though years with budget cuts, zero salary raises, that kind of thing. When you are an educational institution trying to survive those economic circumstances, security is not your first priority.

Another area very different from the private sector is that we have not been as heavily effected by the legislative climate. For example, HIPAA affected those with some relationship to health and health insurance, but not institution-wide. Sarbanes Oxley affects publicly-traded companies but not us. The banking industry has been under the microscope and keeps getting new regulations which tighten their security considerably. The regulatory environment hasn’t affected us. In some ways, that lack of regulatory attention has hurt us in terms of paying attention to security.

What advice do you give to corporations to help themselves?

One of the things corporate guys could do, and what we are trying to do, is going back to the basics on watching the hen house all the time instead of just Monday through Friday, eight to five. So whether that is automated monitoring or a person is not as important as it should be 24/7.

That’s what we are really trying to hammer into our departments to meet logging standards. Try to log “everything that moves” but, at a minimum, log all transaction information with your databases. Whether it’s a person physically looking at them (and over time you get a feel for the tempo and type of the transactions) or it’s automation, somebody needs to be on it.

I’ll go back to our breach. Our breach happened over a Saturday and a Sunday. It was identified by somebody looking at the database logs, which is good. But not looking at them until first thing Monday morning (because there was no weekend staffing) wasn’t so good.

You may have operations people 24/7, but essentially they hang tapes and rip printouts. You need people who have a much higher level of training and much higher level of tech savvy than that.

There was a really interesting report recently in InfoWorld in which 40 percent of the IT managers surveyed either knew that they not logging their database transactions or didn’t know if their database transactions were being logged.

Given that 40 percent result of not looking or not knowing, I think that says we all both corporate or higher education need to do a better job monitoring the use of our resources. If that particular group had either their own 24/7 staffing or even outsourced staffed monitoring, they might not have prevented the whole breach but they would have caught it by end of Saturday and prevented the Sunday activity.

How can corporations help you?

One opportunity is to be more collaborative. Here in Columbus, for example, we have a number of major insurance companies like Nationwide. We go to the same meetings but interact at a fairly surface level.

It would be helpful to interact at a deeper level. Go into a room, lock the door, say nothing leaves the room, and exchange the top five attacks last week, where they came from, and what they got. Probably that would be phenomenally useful for both of us.

To generalize that improved interaction between public-sector security, which tends by necessity just a bit more open, and private-sector security, which is more closed? The ability to interact more at the level deeper than we do now would help generate ideas on ways to mitigate threats, plan strategies, spotting future targets, and so forth.