The Download: Feature Articles
Talking Security with NYU’s Global CISO, Maria Suarez
By Keith Allison | December 10, 2019
On November 6, 2019 at the NYU Global Center in New York, NYU TorchTech hosted Meet the CISO: A Q&A with Maria Suarez. The event marked the conclusion of National Cybersecurity Awareness Month, which was observed at NYU with a wide range of events, contests, and educational opportunities for the NYU community.
The TorchTech Q&A, which attracted nearly 100 people, presented a unique, first-hand opportunity to learn about some of the latest IT security trends and NYU strategies, and to hear cybersecurity tips from NYU’s resident expert: our Global Chief Information Security Officer, Maria Suarez. The conversation was moderated by NYU Dentistry’s Chief Information Officer Ken Fauerbach.
Maria and Ken kicked things off by discussing Maria’s background in healthcare, finance, higher education, and consulting prior to joining NYU in May of 2019. She reflected that she’s ridden the wave of privacy and cybersecurity—and the dilemma of what to do about them—for many years, in many industries. “My perspective, therefore, is multi-dimensional,” Suarez said. “I have so much varied experience and I really like that because I’ve taken the best of it all and hope to bring it here.”
Securing a Global Network
When asked how NYU’s global nature impacts the security challenges our institution faces, Maria observed that it brings many compliance situations into play and requires good governance. She noted that NYU’s governance is well-structured, but that it could use expansion. She estimated that it would take a few years to raise the University’s cybersecurity maturity to target levels, and that this could be accomplished in part through the standardizing of training and services.
Maria described herself as having strict expectations and plans to make NYU “way above average,” and said that reaching these goals will involve a lot more than just technology. “I need all of you to get [this] going,” she said to attendees, mentioning her plans to pool global security teams and forge new partnerships with other interested parties at the University. “I have a vision and we are marching towards that in phases. We are prioritizing because we can’t do everything at once.”
Tools and Teamwork
Maria reflected positively on the support she’s receiving at the highest levels of the University for her vision in terms of resources and an organizational restructuring that shifted the CISO position to report directly to the global CIO, elevating and expanding her team. She also cited high trustee engagement and interest in cybersecurity matters, which she sees as a good sign.
In further discussing her team and the tools at their disposal, Maria described how there are so many visibility tools on the market that the key will be to get the ones that work for us, and ensure we have enough talented people to monitor and act on the information those tools surface. The balance, she said, comes in knowing where your risks lie. It’s not possible to protect all the information at the same time or in the same way, nor does it need to be, so the balance lies in partnering with the University to assess the criticality of various data and the risks that are presenting themselves so that they can be appropriately addressed.
“Everybody is receiving a lot of hack attempts […] there’s a whole entire ecosystem of hackers that are supported by billions of dollars,” Maria said. “It’s become a huge threat, and so we have to protect against all of that while they only need to get in one way. So, we have to understand the mindset of the hacker and what they’re after, and what we need to protect are the backdoors to the information that is most critical, that they would most likely go after.” That kind of analysis, she explained, is currently not possible with technology alone—it requires the visibility that cybersecurity technologies provide, plus forensic analysis by talented human experts to predict, prevent, and respond to attacks.
Open and Secure
Ken noted how one of the core beliefs of academia is openness, and asked Maria for her thoughts on the balance between strong security and the need for faculty, students, and researchers to do the things they want and need to do on NYU’s networks. Maria reflected that the internet was invented to be open and that we as a university have to be open, but that we also have to be secure. “The best analogy that I’ve come up with is the car. We no longer have to ask for brakes when we buy a car, they’re just there. And all the other safety and security-related items in a car; they’re just there. I’d like us to get to that point where we’re able to do that with security. It really should be invisible. But to get there, it requires a change of culture and mindset that has to pervade throughout the entire community.”
Maria and her team’s plans include targeted sessions to learn more about the community’s needs and opportunities for partnerships, and to increase security awareness about best practices and risks. She has also established a global security working group to assist with governance, frameworks, and policies and to help bring our global university increasingly into alignment with industry best practices and standards.
To learn more about the Office of Information Security and its service offerings, see www.nyu.edu/it/security. Readers may also be interested in Maria’s essay in the 2019 NYU IT Annual Report: Five Emerging IT Security Trends.