The REN-ISAC Cybersecurity Peer Assessment Program enables colleges and universities to get an unbiased assessment and actionable recommendations from cybersecurity experts specializing in the higher education sector. But what is it like to be a peer assessor?
Hal Stone knows. Hal is one of the highly experienced cybersecurity professionals in REN-ISAC’s cadre of assessors and Chief Information Security Officer (retired) for Clemson University. Hal took time out of his busy schedule to give us some insight into his experience as an assessor.
Q. What inspired you to become a REN-ISAC Peer Assessor?
A. I saw it as an opportunity to contribute to the security community overall. As a security professional, that is of real interest to me. Also, it allowed me to expand my experience by seeing how other universities handle the security challenges we’re all faced with.
Q. What is it like being an assessor?
A. I’ve participated in two assessments, so far, and it’s a cool experience. You get to explore new security environments with people you’ve never met before, and by the end of that three to four-day period, you feel like you know the people. You’ve developed a very good opinion of the things they do or don’t do.
It’s certainly a time investment, though. It takes a great deal of energy and time to go through the process of interviewing staff and reviewing their documentation.
Q. What type of experience or training do you think is necessary to be an assessor?
A. Having a good, holistic understanding of the university environment, of how it operates as a business, is very helpful. You have to understand higher ed in general because it is a very unique industry. The ability to ask questions and take notes at the same time is also very helpful.
Q. What specific elements of the assessment have you worked on?
A. A little bit of everything: technology, data security, identity management. I guess they assume that if you are at the CISO level you can float like a butterfly (laughs), so it tends to vary.
Q. What is your favorite part of the assessment process?
A. Meeting the people at other universities, definitely. Not only the clients, but also the other assessors. Developing relationships with them has been very beneficial for me, and I hope they’d feel the same way.
Also, it was really neat to visit other campuses. I think universities are some of the most beautiful places we have in the US.
Q. What do you think you have learned from being an assessor?
A. Seeing and realizing that there are other angles to approach security issues is really useful. Let’s use administrative policies, or the structures that surround a security program, as an example. Generally, I feel like I have a good understanding of that after years of experience, but they are all done through the focus of my home institution. Going out and seeing how other people are approaching those policies has been very helpful.
Also, there’s been a realization or confirmation of things I thought I knew. I can bring home the experiences of other security professionals to improve elements of security at Clemson. This latest engagement allowed me to refocus on certain elements of our security, particularly endpoint management. It’s not something I didn’t know, but the process highlighted an issue for the clients, and it struck me that it’s also an issue for us here at Clemson. Now we’re going to take that perspective and address our current setup.
Q. Why should people become an assessor? What do they get out of it?
A. It is a good thing to participate in. I’ve recommended it to a few folks, and they are beginning that process now. It’s just a great opportunity to get insight into other schools and other environments. Security professionals, especially if they’ve been somewhere for 26 years like I have, see the world through the communal knowledge of their home institution, but if you go to these other environments, you get exposed to how others see the world. I think as much as I’ve helped other professionals and other institutions that I’ve been involved with, I can tell you for a fact that the experience has helped me just as much when I come back to my home university.
Q. Why are assessments important?
A. We’ve had two done at Clemson since 2008. I think it’s a good way to measure the progress of your program and measure the progress of security at your institution. It provides a good general look at, not just applicational security, but the bigger picture: funding, organization, impact. It’s an opportunity that every school should take every 5-10 years. Bring in a team, do an assessment, get a report, and let it be a guide for you, whether it confirms you’re doing the right things or it tells you you’ve gotten off course somewhere.
Q. How does REN-ISAC’s Cybersecurity Peer Assessment Program address the unique needs of security in higher education?
A. At Clemson, we’ve had auditors and others come in that you could tell didn’t have experience with higher education. They were trying to apply corporate-type standards, but not understanding that those weren’t going to work here. This is a different industry.
When the REN-ISAC peer assessment program develops a team of assessors, it’s bringing together a team with decades of experience in higher education to come into your environment. They use that experience to assess what you are doing today, and they leave you with recommendations for how you can improve those programs going forward. That’s huge in my opinion.
Thank you, Hal, for sharing your peer assessment experience with us. If you are interested in becoming a peer assessor, contact Susan Snyder.