Cybersecurity – Protecting a global research universitywith Mary Ann Blair
Mary Ann Blair is the Chief Information Security Officer at Carnegie Mellon University. She is responsible for information security engineering and operations; incident prevention, detection, and response; policy and compliance; training and awareness; and identity and access management services.
Episode 21: Cybersecurity – Protecting a global research university
Public Sector Future
In this episode host Olivia Neal speaks to Mary Ann Blair, the Chief Information Security Officer of Carnegie Mellon University. Blair and her team, the Information Security Office, protect the global research university from cyber threats that attack the confidentiality, integrity and availability of information and systems. Hear her challenges, priorities, and lessons learned since starting her role in 2004.
Listen to this episode on any of these podcast platforms:
Protecting a global research university
Mary Ann Blair is the Chief Information Security Officer of Carnegie Mellon University. Blair and her team, the Information Security Office, protect the global research university from cyber threats that attack the confidentiality, integrity and availability of information and systems.
- – Mary Ann Blair, Chief Information Security Officer, Carnegie Mellon University
- – Mary Ann Blair, Chief Information Security Officer, Carnegie Mellon University
What does it mean to be Chief Information Security Officer at Carnegie Mellon?
In her role, Blair shared she is “responsible for collaborating with our global community of faculty, staff, students, alumni, parents, affiliates, as well as internal service providers and external research sponsors, our vendors, our regulators, our sharing communities, professional associations and even law enforcement.”
In her own words, her work is “to ensure that Carnegie Mellon, its community members, its computing infrastructure, our information assets, our research data, intellectual property is protected from and resilient to threats, whether those are internal, inadvertent threats or external, intentional threats.”
“Our end goal is to enable and support and actively participate in the University’s mission of transformative teaching and learning, research and entrepreneurship, artistic expression and creativity, and ultimately societal impact through knowledge, transfer and innovation,” she continued.
Carnegie Mellon University – the first computer emergency response team
Carnegie Mellon University is in Pittsburgh in the United States and has campuses and programs around the world, from Qatar to Rwanda.
“Carnegie Mellon prides itself as being the birthplace of the first computer emergency response team,” Blair shared.
“In the late ‘80s, the Morris worm hit the Internet. That was the first major Internet worm,” Blair explained.
The Morris worm caused concern about cyberthreats.
“At the time, Carnegie Mellon, through its Software Engineering Institute, was world renowned for developing the capability maturity model for software,” Blair said.
The Defense Advanced Research Projects Agency (DARPA), commissioned Carnegie Mellon’s Software Engineering Institute (SEI) to develop a response capability.
“That came to be known as the CERT Coordination Center at Carnegie Mellon. Their responsibility was to research software security, but that obviously branched into lots of other areas in terms of information security response, concerns about incidents, malware detection, malware, reverse engineering, and eventually other areas of interest, such as insider threat, forensic examination, monitoring, and tools for all those capabilities,” Blair explained.
Carnegie Mellon’s CyLab Institute
In addition to the CERT and the Software Engineering Institute, Carnegie Mellon is home to the CyLab Institute, which “is a multidisciplinary home for research and cybersecurity education,” Blair shared.
“From where we sit as the operational arm of the university’s cyber response, we partner as much as we can with our researchers to investigate problem and solution spaces and then integrate their research results into our operation,” Blair continued.
This bridges theory and practice in a continuous cycle.
“When we have a problem of interest, we may reach out to our researchers to study that on our behalf, and then we incorporate the learnings, and they of course share their research results to everyone. And so, we all improve as a result,” Blair explained.
Blair’s initial priorities as CISO – Crisis management and incident response strategy
Blair described that her role was unique as she started the program back in 2004.
“I’ve had the benefit of both sort of conceiving the need for an office and then also building it and watching how we’ve changed on the priority setting process over time,” she explained.
Initially she took a crisis management approach and started with a good incident response strategy.
At that time the first state breach notification laws passed in the United States, which requires notification of customers if their data has been breached, as well as some of the first security safeguards rules. Blair’s team started from there and worked to find where the concerning data was and remove it from systems that didn’t need it.
“We started with reducing the risk footprint, but also making sure we had good incident response strategies because you couldn’t start off preventing everything,” Blair said.
Shifting priorities as CISO – “Prep and step”
From there, Blair and her team moved on to more policy, training, and guidance. Because they were starting out, they had many possible targets.
“We chose to grow organically by actively responding to community inquiries and the business drivers. And so, we used what people were asking for to begin to build our document and our guidance repository,” Blair shared.
They used crises happening at other institutions to raise the bar for themselves.
“In a strategy that I called prep and step, we first did our homework to understand how we would combat the same threat that was being experienced other places. And when compliance requirements came along, we sort of had our strategy built in advance so we could quickly deliver,” Blair explained.
Prioritizing workforce development
As concerns grew about cybersecurity, the workforce was not prepared for all the demand.
Blair shared that workforce development was a priority, by hiring “good people, smart people, people who could do what I cannot do was very, very important.”
“We emphasized workforce certifications for our individuals so that we could take on more and more,” Blair explained
Detection as a priority
From incident response, the next priority that Blair and her team chose was detection.
“First, you want to be able to respond quickly and then you move to how can I detect more quickly to limit the impact? And then eventually, over the years, more and more prevention was able to occur,” Blair shared.
“This in a way, was sort of building the program backwards. We started again with response and then moved to detection,” Blair explained.
Higher education spans across industries
Blair explained that higher education is unique as it spans across industries and focuses on academic freedom, openness, and inviting people into your network for collaboration.
“Beginning to understand how we needed to lock things down, those were some cultural barriers that we worked on over time,” Blair shared.
She outlined different compliance requirements to meet a university setting, such as privacy requirements for handling credit cards, financial safeguards for offering student loans and financial aid, health care compliance, and location-based statutes for hiring around the world.
“We consolidated into one overarching design that met the needs of all of those different business drivers. And those continue to evolve and as they evolve, they continue to set our priorities,” Blair said.
Risk management to allow innovation
“It’s not risk elimination, it’s risk management because with any great endeavor or any innovation, you’re going to run some risk,” Blair said.
“There are unknown unknowns. And for us, we want folks to sort of understand what the potential risks may be, not to slow or stop, but to have mitigations in place that allow that innovation to move forward,” Blair explained.
“We talk a lot about the upside of risk. In some ways, I want the work of the ISO office to be able to help folks take more risk, be more comfortable with taking risk as they explore those innovations,” she continued.
Her team helps their researchers and entrepreneurs think of things they haven’t thought about and ensure they have good backups in place. They aim to change the dialog between security and business by making sure they are speaking the language of the business to create a partnership.
Lessons learned from Blair’s cybersecurity journey
Blair shared lessons she has learned in her role as CISO and her recommendations for other people who are going on this journey with cybersecurity:
- See cybersecurity as a community effort
- Be engaged with your business leaders, customers, and researchers
- Take the position of a learner to improve your message
- Understand the business you’re in and understand the risk tolerance of the organization you’re in within that business context
- Reach out to your customers with humility to take feedback and adjust to that
- Develop your own network across your peers and the peer group outside your peer group
- Treat yourself well and treat your team well
- Hire well and retain good talent
- Remember what the mission is
“It’s quite an ecosystem and we’re all sort of codependent,” Blair shared, mentioning that the ecosystem must be in sync and moving along together to work and flourish.
Subject matter experts and researchers need to be at the cutting edge of knowing what’s going on. They must be ahead of the regulators and at times have a role in advocating for what kind of things need to be thought about now and need to come up in regulation and compliance.
“The marketplace needs to hire people who hopefully have come through an organization like Carnegie Mellon. Our researchers are sort of testing product and strategy. In our case, our CyLab organization, they work directly with corporate sponsors on areas of research and concern. And so, there’s just this constant flux that then ends up in product that I’m looking to buy,” Blair explained.
“You start to see how all of these connections over time, eventually get us all in a better place. And so, it’s great to have the experience of being able to contribute. Whether that’s directly or indirectly, I feel like that’s a victory for us all,” Blair stated.
Where Blair finds inspiration
“Every organization can be inspiring in a specific thing, and we’re constantly leapfrogging each other,” Blair shared. She mentioned three groups where she draws inspiration from.
- REN-ISAC, which is Research Education Networking Information Sharing and Analysis Center for higher education
“This is an opportunity for us to, in a safe place, share real-time intelligence, attacks that may be happening on our network with our peers. And in any given day, any one of those institutions is my absolute hero because they just shared an indicator that will stop my institution from being the next victim,” Blair explained.
- Law enforcement partners
“I’m inspired by their commitment to the cyber-threat and their willingness to share information and to take information in and run programs, like the CISO program that the FBI runs out of Quantico, so that you understand better as a CISO how important it is to share information with law enforcement and what they do with it and how that finds its way back to protecting us,” Blair shared.
- Her team at Carnegie Mellon and the university at large
“Their dedication to the task, their willingness to continually improve themselves, to research and develop their own networks and bring that back, their dedication, I find that probably the most inspiring of all,” she concluded.
To find out more:
Cybersecurity at Carnegie Mellon University
CyLab at Carnegie Mellon University
The CERT Division at Carnegie Mellon University
Carnegie Mellon University Information Security Office
Cybersecurity Center Development at Carnegie Mellon University
Cybersecurity Engineering at Carnegie Mellon University
REN-ISAC (Research Education Networking Information Sharing & Analysis Center)
Microsoft Cybersecurity Scholarship Program
Learn about Microsoft’s new security certifications
Learn more about Microsoft Security
About the Center of Expertise
Microsoft’s Public Sector Center of Expertise brings together thought leadership and research relating to digital transformation in the public sector. The Center of Expertise highlights the efforts and success stories of public servants around the globe, while fostering a community of decision makers with a variety of resources from podcasts and webinars to white papers and new research. Join us as we discover and share the learnings and achievements of public sector communities.
Questions or suggestions?