Harvard CISO shares 5 pearls of IT security wisdom

Harvard University Chief Information Security Officer shares best practices, discusses BYOD and Internet of Things

Chief Information Security Officer Christian Hamer, who is responsible for policy and awareness across Harvard University and whose team handles security operations and incident response, took part on a panel last week at the Campus Technology conference in Boston (Campus Technology's Rhea Kelly moderated; ESET researcher Lysa Myers was also an expert panelist). Here's a selection of Hamer's more notable observations:

  • Most important steps for protecting your network: "We think all too often about IT security or information security [as being] about the bits and bytes, and what kind of widget we put on the network or somebody's computer to protect it... But in general we have populations that want to do the right thing. They're a lot more aware of the threats now because a lot of them have been in the media quite a bit recently. But they're just not sure what to do or how to do it. And that's probably the No. 1 thing that people could double down on. Does your community know what to do? Do they know how to do it? And do they know who to ask if they have trouble understanding that?"

  • Mobile security: "There's a great industry around mobile device management and an interesting debate about whether this is something appropriate for higher ed or not... I don't see myself asking a faculty member to install software on his or her personal phone. These things are really quite personal -- if you're not sure about that, ask [New England Patriots quarterback] Tom Brady about how he felt about his phone. That said, this is an important area... that doesn't mean you can just ignore this. I think it's really about trying to abstract the data from the device. When you think about bringing your own device and mobile, that's the way you need to think about it. I've heard plenty of people talk about these great MDM programs that they've come up with in higher ed, and then I'll ask them, 'So how many faculty members are using it?' and that's usually where the conversation ends."
  • Best practices for security awareness among end users: "We're going to be rolling out a campaign very soon focused around four best practices. (1) We want them to apply updates whether that's on their phone, on their operating system on their computer, or for the individual pieces of software. That's probably one of the single best ways to protect yourself. (2) We want them to use strong passwords, and that means unique and difficult to guess. But we also want to offer them tools, whether it's things like password managers [Harvard has done an extensive pilot with LastPass via Internet2] or pieces like 2-step verification. (3) We want to make sure that people click wisely, going back to phishing issues. If we can get the user to recognize that there might be something a little off about this and not go there. (4) The last piece is about knowing your data. It's really important to understand what do you have, whether it's on your machine or a file share. Why do you have it? If you really still need it, and if you don't, how can you get rid of it securely."
  • Convincing users to buy into best practices: "[One] way to enforce the point is that these are just good practices that people should use in their online life whether it's at work, as a student or faculty member, or just at home. There ought to be a lot of self interest there."
  • The Internet of Things: "[This is] a giant issue. If you didn't see the news about Chrysler [a Jeep being remotely hacked] and weren't sure about how big an issue it is, it's gigantic. I think the best thing we can do is understand where these devices are and try to wall them off from things, because at least in my experience they are not designed with security in mind at all... [People] are surprised when we come by and say that thing that they think is a digital sign actually has malware on it and needs to be taken off the network. The real danger area is where those things can intersect with critical data. We've seen proposals to put devices on our network that would collect recyclables and involve credit cards somehow, and that's the part where you have to say OK, wait a minute, we need to separate these two things... [The long view] is that smart devices make our lives better and that's fantastic but we need to understand that they're not designed at this point with security in mind."
