Yale's CISO shares his vision

September 20, 2018

Paul Rivers, Chief Information Security Officer (CISO) at Yale, leads a team that focuses on identifying and addressing cybersecurity concerns at the University. He is also Yale’s Health Insurance Portability and Accountability Act (HIPAA) Security Officer, responsible for protecting personal health information within Yale’s covered entity.

With more than 26 years in the field under his belt - 12 of them at the University of California, Berkeley - Paul came to Yale last fall, bringing with him an approach to risk management that emphasizes collaboration. Paul and his team are focused on:

  • Providing clear and detailed guidance for IT and non-IT roles in meeting Yale’s security standards.
  • Improving visibility to detect vulnerabilities, attacks, and compromises, and increasing automation to respond to those events.
  • Strengthening credential management, including more user-friendly, risk-based authentication methods, better lifecycle management, and authorization management.
  • An overhaul of Yale’s approach to cyber risk reporting, exception handling, and acceptance decisions.
  • Improving third-party risk management and providing more modular terms-and-conditions templates for addressing cyber risk.

Yale’s Information Security team currently includes more than 20 information security professionals and is recruiting. There is high demand for cybersecurity professionals in the workforce today, making it difficult to fill open positions.

“We have four teams,” said Paul. “One group provides risk assessments and consultations with departments, and ensures Yale’s compliance with external cyber-security regulatory requirements. Another team focuses on automated detection and responses to attacks and compromises on the university network, including threat hunting. A third group works on disaster recovery and resilience efforts, and the fourth addresses identity and access management.”

The role of information security at Yale can be divided into two broad areas of responsibility:

  1. Defining appropriate levels of risk for Yale, and how the university should respond to elevated levels of risk, once identified. “Our job is to bring risk advice and guidance to the various groups on campus - researchers, faculty, university leadership, and staff,” said Paul.
  2. Operating a number of cybersecurity monitoring programs. Some of these programs, or controls, are more effective and cost-efficient when operated centrally. Other controls are better left to local execution, to preserve local control and skills and to address the many different needs across Yale.

Paul wants everybody in the Yale community to be aware and take an active and informed role in protecting their electronic devices and private information. “I don’t see myself as a traffic cop; I’m more like a cybersecurity coordinator.” Paul deeply appreciates the openness inherent in research institutions, and insists upon adapting cyber-security programs and best practices to fit the specific needs of an organization. This openness and collaboration, while it does make cybersecurity more challenging, is fundamental to Yale’s ongoing success and must be preserved.

Over the course of the next year, one significant change in information technology at Yale will be more detailed minimum security standards, written as engineering specifications, that define minimum levels of due care for safeguarding Yale’s data and IT resources. These controls will be published online, to fully remove the guesswork for IT as they engage with their role in cybersecurity. The standards development effort will include a steering committee to ensure the process is collaborative, and adequately addresses the diverse needs of the community.

Ultimately, security comes down to individuals and local effort. When people are well informed, have clarity on guidelines, and understand their role, the university has a better chance of establishing a stronger cybersecurity posture. According to Paul, “This is why providing clarity on guidelines is the top priority. The team is here to help people understand risk levels and ensure people know what actions to take.” In other words, cybersecurity is, or should be, part of everyone’s job at Yale. “If the only people at Yale addressing cybersecurity risks are our team, we are in trouble,” Paul concluded.