New Directions for the EDUCAUSE Cybersecurity and Privacy Program

John O'Brien: Welcome everyone for a new Community Conversation, and I'm excited today to be joined by Joe Potchanant, our new, relatively new, director of our cybersecurity and privacy program here at EDUCAUSE. Welcome, Joe.

Joe Potchanant: Thank you very much, John.

John O'Brien: Joe, I'm always really curious how people end up in the jobs they end up in. Did you grow up saying "One day, I'm going to lead a privacy and cybersecurity program?" Tell us a little bit about your journey, that led you to this wonderful destination.

Joe Potchanant: Actually, no, I really thought, when I was a kid, I grew up in a working class family, so pretty much, the only jobs that seemed like the next step were being a doctor or a lawyer. But I always had this proclivity towards technology. When I was a kid, I was the one in the family, that was the one that would set all the clocks or "Hey, can you program the VCR? Can you do this? Can you do this with my computer?" once I got a little older and that technology was there. So I was really interested in technology from a young age. And then, when I was in college, it was really great, because our dorms had ethernet. So it was high speed internet, no more modems. But this was also the time where computers didn't come with networking equipment, so you had to wait for someone to come to your room and install a network card.

So I had the network card, they gave it to us in our mailbox, and it was just sitting there. And weeks and weeks and weeks went by and nothing came of it, because your appointment was weeks away. So I just decided "I'm going to do it myself. I'll figure it out." So I did, and then, while we were waiting for our appointment to come around, for the people that lived on my floor, even more people said, "Hey, do you know how to do this?" So I started doing it, and then, after a while, I got to thinking, "Wait a minute, if I can do this, why aren't I'm the person to go around fixing this and be a part of that and get paid for it?" So I started doing that. I changed my major to computer science, and then, I started to do information technology support as a professional. And I absolutely loved it.

And then, as my career went on, I began to notice there was a shift in what we were seeing, some of the problems. And that also leads back into, if you looked at the EDUCAUSE Top 10, information security wasn't anywhere on the map round 2012. But by 2016, it was at the top of the list. So that was right about the time in my career, thinking "There is something to information security that I want to be a part of." But it was so mysterious. People didn't talk about it. It was this black box, "Oh, you can't talk about security." And it made people nervous to talk about it.

And I thought, "Well, this is a really odd idea," because in technical support, the way that you get through the problem is by making the user more informed and making them not scared of the technology. And then, they do a much better job with it, and they're able to handle it. So I started to think, in the back of my mind, how could you combine that mindset of information technology support and information security to have a better experience for everyone? And that's what led me to REN-ISAC and changing that mentality there. And then, when this position became available, last fall, I thought, "Oh my goodness, this is a fantastic opportunity." And I jumped at it. So that's how I got here.

John O'Brien: We're glad you jumped and we're glad you're here. I have to say, your tech nerd history is way more dignified than mine. I was the guy who was spiriting away technology devices, bringing them down to the basement and taking them apart. And so, instead of our family being grateful for my tech support, it would be "What happened to the radio? Why doesn't this work right anymore?" So different paths to a similar fascination and calling, I think. So thanks for sharing a little bit of your story. I think, for those of us who don't live and breathe cybersecurity and privacy, we are overwhelmed at times by the headlines, and the headlines are what they are. And if I were to believe the headlines, I would believe that higher education was struggling mightily, not well. I would believe that higher education is being hit disproportionately hard compared to other industries. I wonder how much of that's actually true.

Joe Potchanant: Actually, if you look at the data, it's not true. If you look at things, like the Verizon Data Breach Report, it is across all areas that there are more cybersecurity incidents. As far as why higher ed gets picked on, I think, partially because the state of the attacks have changed, as far as targeting the individual user. Because of the rise of technology, like bring your own device and everyone has a smart device, they have their own computers, it's a much larger landscape for bad actors to go after, because they're attacking the individual, not necessarily the system, as it once was. They're using the individual person to get deeper into the system. So part of it might be because higher education institutions have a footprint of tens of thousands of students at a larger institution. So your user base is bigger to attack. It's kind of disparate from what higher ed's mission is.

We have this fortress mentality around information security, but higher education's mission is to educate and to collaborate, so for higher ed to try to lock things down. We're doing a good job, we really are, but it is not in our nature to try to make information not available to our constituents. It just doesn't jive with how we're set up. Whereas, in banking, it is yours, it is no one else's, it's okay to try to lock things down as tight as you can, because the only person that should see that information is you, rather than "I want to collaborate with another colleague at another institution to further the betterment of everyone."

John O'Brien: I agree with you that there's a internal productive tension in higher education between the need for the fortress mentality and the need for the open exchange of ideas. Do you think that, in the end, that openness is going to have to be eroded? Where do you see that? I think it'll always be a struggle and a balance, but do you think that, in the end, it's going to require some sacrifices in the openness?

Joe Potchanant: In the end, I think it's going to take more user education and individuals understanding where their data is and how it relates to everything else. So if you have a educated user base and they understand the technology a little more, you can give them a little more reins, as far as how they can use the technology. And it doesn't have to be so locked down, because if the users understand two-factor authentication, why you would approve like in a two-factor authentication, like Duo or something like that, to click on it and say, "Yes, I logged in right there," if they understood that, just because it pops up, they shouldn't say "yes," then you wouldn't have to worry as much about that, and you could be collaborative. But I think it's all going to come down to user education and understanding and demystifying the entire technology.

John O'Brien: I agree that it does come down to awareness and understanding and broadening that depth of understanding. I think our own data, over the years, has shown that there's a lot of work to be done, both in terms of the amount of money that campuses invest, typically in security, cybersecurity, privacy awareness, is not where it probably needs to be. And I would also say we've seen data in the student and the faculty studies that suggest that there's not the high level of confidence we would want among those two key constituents, that their data is being guarded and their privacy is being protected. That's been an ongoing challenge.

Joe Potchanant: Depending on where an institution is on their own cybersecurity maturity model, some of them don't have a chief privacy officer, some of them don't have a privacy office, and some of them are so at the beginning stages of their development, they may not have dedicated information security staff. So yes, throwing money at the problem seems like a losing battle to some degree, but we have to start somewhere.

John O'Brien: Clearly, keeping up with cybersecurity changes is a challenge, and you're running to keep up. And it's arguably impossible to keep up, because the bad actors have a very narrow scope of the badness they need to do. And meanwhile, you're trying to protect. We all know that the challenges are significant, so how do you keep up as a leader of a program? We can't keep doing the same things and expecting different results, so where do you want to take the cybersecurity and privacy program in the years ahead?

Joe Potchanant: The first part was, just a few years ago, the name of our conference was the Cybersecurities Professionals Conference, but now, it is the Cybersecurity Privacy and Professionals Conference. We've actually added "Privacy" to the title, and I don't think that's just for window dressing. We're understanding that privacy is a distinct and separate field and that it is no less important than security, but it's different. And to answer your previous question, how do I keep up with that? Most of that is coming from listening to the community. I spend a good chunk of my week listening to the community groups speak, as far as the chief privacy officers and the highest privacy group. They're speaking and they're telling me what they're seeing on the ground. And just the other day, they were talking about working on their own elevator pitch to their institution presidents or those that are in charge of saying they need more resources.

But unfortunately, a lot of times, they were saying that they would state the need for more resources for privacy, and they said, "Yes, that is absolutely important." And they gave the money to security and not to the privacy group, because they're still not understanding the nuance between the two. So as far as the direction of the program goes, I really want to have both privacy and security on equal footing. They need to be seen as co-related fields, but there are professionals in each area. And they're not the same, but they work in tandem to protect everyone.

John O'Brien: So you've doubled your job by recently adding privacy to cybersecurity, which is absolutely the right thing to do. I agree. The other thing that makes it challenging to serve the EDUCAUSE community is because the community is so broad. I think of my week. In a couple days, I'm going to meet with a group of community college leaders, some of the most chronically under-resourced campuses, serving some of the most important demographic populations around the world. And then, a couple days later, I'm meeting with some of the most research intensive doctoral R1s in the world as well. And they have different needs. The under-resourced campuses are lucky if they have a privacy officer and/or a CSO. And then, meanwhile, the large R1s have so much more private data, protected data, defense data. So how in the world do you serve this sprawling, in a good way, community with one program?

Joe Potchanant: Really, it is finding the connections between the two, so we can help the underserved institutions by leveraging what the larger institutions have learned through their own development. And they can use to shepherd them into the next level of their development. And also, all boats rise. So if many of those students that are going to maybe start out at a community college might end up at a four year institution at some point in their career. So anything that the larger schools can do to help the students at all those other institutions is going to help the community at large. So really, it is making sure that they're not in their own echo chambers, making sure that R1s are just talking to R1s, and community college folks are just talking to community college folks. They all need to be talking together and build that sense of community and help each other find those solutions.

John O'Brien: When it comes to cybersecurity incidents, what trends are you seeing? And maybe in particular, are you seeing a trend toward more self-insurance now than in the past?

Joe Potchanant: We're still seeing a huge, huge amount of ransomware. It still seems to be one of the biggest issues that we're seeing out there, whether it's institutions, that have hospitals. All different sorts of higher ed institutions are seeing some type of cybersecurity incident. And as far as cyber insurance goes, depending on the terms of their insurance, they may not be covered, because of they didn't have a robust program there. For any number of reasons, they wouldn't pay. So some institutions are moving to a self-insurance model, just to make sure that they wouldn't be denied in their claim. But unfortunately, it's those that have the resources to do that, whereas, those that are the smaller institutions that you were speaking of would not have the resources to do that. So if they were denied in their claim, they would be hurting, and then, they may disappear. One institution I'm aware of, they actually unfortunately had to shutter their doors, because of a cybersecurity incident.

John O'Brien: As you think about self-insurance versus insurance providers, I've heard two things I'd love to hear you talk about. One is whether insurance providers are getting out of the game and that that's going to be harder to get. And the second is, I hear again and again, institutions that are enacting proven cybersecurity practices, specifically because their insurance required it. And I wonder, if you move to self-insurance, if it takes some of that incentive away.

Joe Potchanant: I think, really, having those standards, and some of it may not just be insurance. Of course, you're absolutely right that some of them are moving to that, so that they can check off all the boxes. But some of them, depending on state requirements, depending on what state they're in, may have that you need to have a robust program, depending on whether they fall under the auspice of the Federal Trade Commission. They have requirements that you have to do. So there's a whole gambit of regulatory institutions that may force you to have a particular program, in order to be in compliance. And I don't think that any institution would just decide, "Yes, we're going to self-insure, so we're going to throw caution to the wind." I think they're probably the institutions that have the resources and have the maturity in their program to already be doing those things. So I don't think that they would choose the self-insurance route and just throw caution to the wind. I think they would already be doing those things and have those programs in place.

John O'Brien: One of the other trends we're seeing these days is increasing regulatory pressures, telling higher ed how to protect itself. How are you working with our policy team to stay one step ahead of that?

Joe Potchanant: We have some great policy people here at EDUCAUSE, Jarret, yeah, I listen to him tell me everything that's going on from the government landscape on a weekly basis. And some of it is stuff that he's hearing behind the scenes. And some of it is just a little vague, because the agency says, "Okay, you need to do this," but there are not enough tangible guidelines to put pen to paper. So a lot of the institutions are wondering, "Does this apply to me?" And they're unsure. So that's one of the great conversations that we have in a lot of these community groups, of these institutions coming together, "What are you doing? Because the way our lawyers have interpreted this is way different than X institution." So using that collective knowledge of trying to build a framework of "This is how we are going to comply with the FTC Safeguards Rule or whatever alphabet soup of different agencies have." But by working together, they're going to be able to find that solution that works for all of higher ed.

John O'Brien: I really encourage folks to go to the policy blog, if you're not already subscribed and reading it regularly, because that world of cybersecurity and policy and regulation and legislation is dynamically changing. And the best way to keep up to date on that is to go to Jarret's policy blog and keep up to date that way. And I think it's really important that our two teams are working closely together there. It's easy to go down the rabbit hole of things to worry about. What keeps you up at night?

Joe Potchanant: Not much keeps me up at night, because I'm usually exhausted from my three children. But when I do lie awake, thinking about things, especially in my time at REN-ISAC and being part of the National Council of ISACs, thinking about all the different international threats we were facing, that really scared me. So I'm glad that I don't have to look at that as much anymore, because that part kept me awake. But also, just thinking about, if you could talk to one more person or you could educate one more, one more student, one more faculty member, about what they should be doing for their own cybersecurity, hygiene and privacy, a feeling that your job is not done, that feeling keeps me awake.

Because there are never enough hours in the day to reach everyone. But I hope that, with the collective good of everyone, we might be able to reach all those people and to turn it around for some people, so they won't have to face a ransomware incident or having their life savings wiped out or their W-2 stolen and someone files for their tax refund without them knowing about it. So if we can help as many people as possible, getting that one more person, that kind of keeps me up at night.

John O'Brien: The fact that in your talking about what keeps you up at night led you into talking about what inspires and gives you hope makes me feel great that you're the head of our program, because it's easy to get totally depressed about just the challenges before us. And there is something to this, I want to say, almost gallows humor, that, when the odds are against you, you come together in a really unique way. And I do feel that that's a characteristic of your community, is that willingness to come together to be vulnerable in the reality that we're all vulnerable, and the only person who's really in trouble is the one who thinks they're not. But I think this idea of partnership is key. And so, how do you partner? How do you see partnership as a capacity happening in your community?

Joe Potchanant: There is not enough resources to do everything. So partnerships is really the only way to collectively make good use of the scarce resources that we have. So part of it is the community groups. Part of it is networking, going to events, if your budget allows, so that you can meet other people and be inspired by those ideas. So we've got CPPC coming up in a few weeks, in early May, and I hope that people can come to their network, find others that have seen the problems you've seen before, or maybe both of your institutions haven't quite figured it out, but together, you're going to figure it out. So really, it is all about collaboration, finding others out there, finding people that have already solved this problem, but just haven't advertised it. Finding those in industry.

And there are different companies or startups that have created a product, to solve a problem that is totally novel. So seeing those on an exhibition floor. Just talk to people. I think we sometimes are so afraid to look up from our own set of problems and look for help, because they're ashamed, they're afraid, they're too worried about feeling less intelligent than their colleagues, to just ask for help or just to ask the question. Because they feel like they're going to be shot down. But the only way that we're ever going to learn is by people to talk to one another.

John O'Brien: I agree completely. And another good reason to plug our community group around cybersecurity and privacy. That's where the EDUCAUSE community comes together to talk about things that matter. And it couldn't be more important, because alas, the bad actors talk together. We call it the dark web. So they're always exchanging best practices, worst practices. It almost becomes an imperative that we partner and talk and share, just as a survival strategy, I think.

Joe Potchanant: Absolutely.

John O'Brien: So Joe, thank you for coming. And for those who are listening and who are maybe new or newer to the cybersecurity and privacy program, what would be a couple ways you would encourage them to get involved, get interested, and learn more?

Joe Potchanant: What I would suggest doing is first go to the EDUCAUSE website. There are so many different resources there. It's how you can find ways to connect with others. You can look at the Privacy and Cybersecurity 101 Showcase, that we started in January. That would be a great primer for people to start. You can listen to conversations with CPOs and learn about Privacy by Design and is a great place to get started and for you to learn more about the different communities that we've been talking about.

John O'Brien: So it's funny, as you've been talking, I've been in my head thinking about our newly approved EDUCAUSE values that the board approved a few months ago. You've talked about almost all of them. One of them is "We can accomplish more together than we can alone." That is your program, the cybersecurity privacy programs, strength is its ability to work together to stay ahead of the bad actors. Another value is "Resilience fueled by our hope for the future." You've talked about that. Another value is "We believe an inclusive community is a strong community." And you've talked about the program trying to bring together all of these disparate voices and institution types, with a shared purpose and passion. The last value I haven't heard you talk about, it is "We take our work seriously and have fun in the process." Now, fun probably isn't on the tip of people's tongues when they think about cybersecurity and privacy. Do you manage to have fun, now and again?

Joe Potchanant: I'm so glad that you asked this, because so much of cybersecurity uses three things, fear, uncertainty, and doubt. And we hit people over the head with that. Whereas, as far as educating people, there has to be an element of fun into it. If you think back to your time as a student, like in grade school or high school or something like that, that one professor, that one teacher that made things fun for you, you retained that. I was just thinking about there are things that I remember from Sesame Street, so many decades later, because it was fun. If you have fun and you enjoy what you're doing at the time, the education part is going to sink in.

You talked about gallows humor. Sometimes you just have to laugh, because otherwise, you would cry all the time of the dangers that we're facing. But having a positive attitude, understanding that we're all in this together, and bonding with the community, that makes it fun. A lot of those meetings, people are telling jokes, people are talking about interesting things that happen to them, or just catastrophic things that have happened to them, but they're talking about it. And people can laugh about it, because we're all human and we're all fallible. But that sense of community makes it fun. So that's where the fun comes in. So think fun, not fud.

John O'Brien: Before I let you go, remind me, when is the conference, and where?

Joe Potchanant: The conference is going to be May 1st through third in Bellevue, Washington. On May 1st will be the pre-conferences events, with May 2nd and 3rd being the conference proper. And I hope to see everyone there. We've got a great show in store for you.

John O'Brien: And that's in my backyard, because I live in Seattle. So I'm looking forward to having the time to be there to listen and learn together with this wonderful, thriving community. Thanks a lot, Joe.

Joe Potchanant: Thank you so much, John, for having me.