In the South Central region of the United States, bordered by Texas, Kansas, Missouri, Arkansas, New Mexico and Colorado, lies the tornado-prone land of Oklahoma. This proud state is home to a University with big ambitions and no small amount of competitiveness.
But to truly compete at a higher level, they needed to undergo a digital transformation three years ago, which was triggered by new leadership and the desire to modernise, centralise and standardise their technology environment.
To help achieve this, Aaron Baillio, Chief Information Security Officer, primarily responsible for IT risk and security for the institution, had to transform into more of a “Chief Security Evangelist,” in his words.
Having spent 11 years in the Department of Defense, it’s no surprise that Baillio is a man who likes to protect and serve.
“What drives me on a day to day basis is the fact that we're stopping bad guys. Despite the military and academia being vastly different, those intrinsic values are the same and are part of the reward of being in this profession. Our teams are doing their job; we're legitimately stopping bad things from happening to other people,” he says.
Issues from a distributed IT environment
In his current role as CISO for two years, but with the University for seven, Baillio was aware the institution had multiple campuses that operated very independently, in a very distributed IT model. Baillio explains: “We began to merge operations, from this distributed model across the three campuses to a systemwide approach.”
The University went from three CIOs to one CIO and merged teams from across the campuses to become systemwide groups and organisations. By centralising these teams, the university began to realise millions of dollars of savings, revamping how they approached technology purchases and IT processes.
When asked about consolidation of the CIO into one overarching role, Baillio states that it accelerated the decision making process: “There was a lot of duplicative spending, a lot of decision making that was happening outside of a governance process. So we developed one group that provides governance for the system. The one CIO is responsible for developing strategy and the primary point of contact when looking at institutional risk of purchases. When we have one person to point to, and we have a governance structure, the process becomes more streamlined, making it easier to implement strategy and digitally transform.”
When the IT groups merged from the various campuses, they had over 300 maintenance contracts, requiring 300 different bills that the University was paying for, and some they had already bought. Standardising platforms reduced overall spend and reduced risk, but merging the teams was not easy. As Baillio explains, “one group is accustomed to one software platform, then another group, another software platform. Which tool becomes the definitive tool that the team uses? Or do we go with something completely different and in a different direction?”
Working alongside and in competition with peers
There are several comparison models the university can look to, as they are part of the ‘Big 12’: an American collegiate athletic organisation driven by healthy competition in a number of sports.
“We try to align with our peers and also institutions at comparable Carnegie research levels. We're an R1 research institution, which means we produce a lot of research every year. So certainly as we have gone through this transformation, and we're looking at capabilities and policies, we do certainly compare ourselves across other institutions,” says Baillio.
“When we want to be a leader in one area, or if we find ourselves behind in certain areas, it does help us to benchmark where we want to be. Across academia, it hasn’t been very regulated as far as information technology goes. I think culturally there have been some impacts from how academia works, how research works and where money comes from. But there’s not been a whole lot of focus from a business perspective on IT risk. As things have modernised and we have external policies, laws, and other compliance requirements, that has helped transform not only IT but IT security, which affects the running of an institution like a university,” he adds.
Utilising many strengths
The teams were able to build on the strengths that came from each campus. In the health science centre, the security teams are very adept at policy and governance, as they are driven by HIPAA regulation, a compliance heavy environment.
Meanwhile on the Norman campus, a typical four-year graduate study institution, they were very strong on incident response. Baillio went on to say: “We were able to marry those capabilities and those teams in a way that took those strengths and spread them across the system. Yes, that did involve new technologies and new processes, but we were able to leverage our budget, reducing duplication and standardising on common platforms. We’re now enjoying support from the highest level leaders, who themselves have come in from their industries that have had to deal with IT risk in the past.”
The new culture of growth has contributed to many successes, including enrolling all faculty staff and students on the phishing training program. Baillio insists that this is significant because providing this kind of ‘on the spot’ training to the whole community, as cyber hygiene becomes increasingly important, it reduces the attack surface across the institution. “We consider that a big win,” he says.
“We've been able to centralise endpoint control and management from all of the distributed IT groups, which from a security and risk perspective, covers a lot of areas where we were introducing more risk than was necessary. We'll be able to push our endpoint agents and our detection tools to every endpoint to patch on time,” adds Baillio.
Valuable partnerships held key to transformation
Baillio is keen to credit CrowdStrike and Proofpoint’s roles in helping the IT teams reach their initial goals: “In terms of the endpoint management story, CrowdStrike were crucial in working with us on a security platform that would address all the different types of devices that we have at the university. Universities, in general, have a fairly open bring your own device (BYOD) environment. And so we support a lot of different devices, operating systems and software platforms. So because of that, we needed something that was resilient and could operate a lot of different platforms. And so CrowdStrike has partnered with us as an agent that fit with most of our environment. Even on the Linux side and for those one-off devices.”
From the protection and prevention of malware to endpoint detection response, CrowdStrike covered a wide spectrum of security issues that the university might experience with an endpoint - which numbers around 14,000 and if covering the management of all devices, can even reach the 25,000 range.
“We're looking forward to growing with them and we've got a great deal of use and a lot of training. They've been really great to work with as far as protecting our assets and providing incident response.”
With Proofpoint, the university experienced a very similar kind of growth. The implementation of an email gateway drastically reduced the number of malicious emails that came in, but phished accounts before Proofpoint arrived became a weekly occurrence. Around big campaigns at the start and end of term, Baillio saw an exponential growth of compromised accounts, which became a time drain for his incident response teams.
“That pretty much dried up right away with Proofpoint. And as we've grown with them, we've been able to do more automation, allowing the tool to automatically pull emails from email boxes that are suspicious or malicious. We've been able to leverage automation to automatically lock accounts and enroll people in training. As we now look at the cloud access security broker (CASB) and other things we're doing off 365, we get this great email telemetry from Proofpoint, coupled with the data loss prevention (DLP) and behaviours happening inside of Microsoft 365. There's just a lot of great data” he says.
“We see both those partnerships growing over the next couple of years, as their portfolios expand and our needs continue to expand,” he adds.
The research community
Baillio is proud to support the university's research community, as they are handling more unclassified information than ever before, as well as meeting the government requirements for security.
“We're finding that the ability to meet those needs and to be more dynamic and resilient on that front, we can do that better in the cloud. And so cloud security will be a big focus for us in the coming year,” says Baillio.
The support given by the new IT setup assists the researchers to explore new options and avenues for data and insight. This expands into looking at retention and recruiting, not only from the student side but from a faculty side too.
“We have a lot of maturity efforts, as we publish our strategy and look at things like identity, access management, a zero trust type of concept, affirming our processes and technology, and training our people on incident response. We have a lot of expansion coming up so will be recruiting for several positions on our security teams. I think we have a bright future in 2022 and beyond,” he says.