As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dr. Ashley Norris.
Dr. Ashley Norris is ProctorU’s chief academic officer & CCO. Dr. Norris has a background in policy and procedure development, regulatory and accreditation compliance, and assessing and reducing potential risk both internally and in collaboration with external partner organizations. She leads ProctorU’s academic partnerships as well as data privacy and security and works with organizations and institutions on developing policies, best practices and procedures to support their innovation, accreditation, and accessibility needs.
Dr. Norris has spent nearly 15 years in higher education as both a faculty member and administrator across major institutions including the University of Alabama and Samford University. Most recently, she served as the dean of programmatic accreditation and regulatory affairs at the University of Phoenix. There, she led thought leadership on ethics and integrity in education and continues to spearhead similar efforts for ProctorU’s key initiatives in academic integrity.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I am from Huntsville, Alabama and my childhood was, I think, fairly typical for the time and place. We stressed family and education and community. I was fortunate to go to school in a larger city in Texas, which I loved. But I was also very happy to return to Alabama to complete my education.
My mom was a professor. She helped run the space camp and special education programs for NASA. That gave me an early and great look at the power of education and technology, how they can be put together to make real differences in people’s lives.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
A great deal of my study and thinking has been around the psychology of vulnerability. In particular, how people can let their guard down so easily. That has led naturally into issues of compliance and looking at how and why people can be so trusting, especially when it comes to things like data or information about themselves. We are so used to sharing it, we don’t think twice, we don’t guard that as much as we probably should.
In social media apps, for example, we all freely share information as a way to connect, find others and create a community. We use that to say, “This is who I am” but we often have no concept that what we share by doing so can create a serious vulnerability.
Can you share the most interesting story that happened to you since you began this fascinating career?
The best, most interesting stories I probably cannot share.
Those experiences, however, have taught me to understand how students need to be communicated with, how important it is to understand their security awareness. To help them best, it’s important to know what they think about and often don’t consider.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Really, it’s my mom. Being a single mother, she went back to school to get her doctorate and achieved a great career in tech and learning. Seeing her success gave me a great role model and, I think and hope, a role model for many others as well.
Another is a mentor, Stephen Thoma, who created one of the first moral psychology inventories. He taught me how to create assessments and design and gave me a deep love for statistics. It’s what I’ve focused on my entire career.
Are you working on any exciting new projects now? How do you think that will help people?
I am thrilled to be working at the cutting edge of distance learning at ProctorU, helping millions of students reach their educational goals and dreams by being able to take their tests and exams online, in a safe and fair environment. Since test integrity is key to all education, safeguarding it in remote learning is essential. And, being part of the team that does that, in a time of a major increase in online learning and major threats to academic integrity (essentially, cheating) as well as cyber threats, makes for a very challenging and rewarding career.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Find a way to relieve stress and tension, whatever that is — exercise, reading, live music. Don’t force yourself to do something that you don’t actually enjoy. I also suggest continuing to learn. Go to conferences, read, become an expert in whatever it is that interests you. Together, I think those things keep you fresh.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I like that it’s always moving, you have to keep learning. Today’s threats won’t be anything like what we will see tomorrow and the learning part covers understanding technology and preparing for creativity. The technology gets better but so do the bad actors.
I also like that there’s a bit of good and bad in my job — people who want to break things, steal, extort and cause chaos as well as those who want to stop them. It’s pretty binary and I like being on the side of the good guys.
I guess it’s also kind of exciting, though not always in the best ways, that you have no idea what will happen. The field, the threats are very unpredictable. You can prepare, but you seldom expect. It keeps everyone engaged and alert.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The threats are not new. They are actually ancient. Some people want to tear things down, take shortcuts and sow chaos. Others want to build things that help people, build things that last.
But the age of the dynamic does not signify its critical nature. The more connected we are and the more that what we do every day is digital — education, medical, financial, personal — the more critical those threats are.
To answer more directly, I worry that where the bad actors used to have a clear reason for their actions — money, taking down what they thought was bad in some way — they increasingly will crash things just to show they can. That makes them much harder to stop.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I cannot talk about anything like that.
But I will say that I think it’s a challenge for everyone in this area to communicate in ways that are both timely and accurate, and that reflect a sense of scale and context. Not all “breach” incidents are actually dangerous or even significant. We need better rules and a better syntax and some public understanding of when an incident is one thing and when it’s the other.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Because our systems are under double-threat, both by hackers generally, as most systems are, and by people who want to cheat on their exams or steal from exam companies, we cannot discuss any of the tools we use. Sorry.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
If you’re dealing with moderate amounts of data or your data isn’t especially valuable, “over the counter” is probably fine. You usually don’t need armed security guards to protect your purse. But if you have large data volume or it’s especially sensitive — personal, financial — simple solutions probably aren’t enough. Every situation is different but you probably don’t want to ever be in a position to wish you did more.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
I think it’s important to always be diligent in paying attention to your data and always be in touch with your team. Ask about anomalies.
You are right that even constant attention won’t prepare you or necessarily tip you off. Many breaches can be unexpected and can take you completely by surprise no matter how vigilant you are. And unfortunately, I would not say there are any specific signs for a security professional or a lay person.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
There are two elements to it, I think. One element is communicating clearly and quickly and confidently. Do not speculate. This is important to restoring confidence.
The other element is the technology, closing any doors or windows that may have been pried open. This varies greatly every time. They rarely use the same trick twice so it’s impossible to say what future protection will look like.
At my company, ProctorU, we developed a website to help students understand their rights with respect to their privacy. It’s called StudentTestingRights.org and its intent is to clearly spell out what students can expect regarding data and privacy. Another goal is to draw attention to data protection, helping students understand in layman’s terms that institutions actually own and control the data but that education technology companies must be responsible stewards. My point is that consumers need to be informed and sites like this go a long way to making data protection easier to understand.
We happily and diligently comply with any and all rules protecting data privacy and increasing the level of security. I don’t know that any recent privacy measures have impacted our business much, if at all, because we have always been in compliance. There were already very strong rules in place for protecting student privacy, and we have complied and always will comply with them.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Not sure I can comment about others, but I will say that it’s important to be sure your company’s privacy policies are up-to-date and accurate. Many times people update or change their technology or procedures and just forget to update their language. That causes confusion and can undermine trust.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
I don’t know that we’ve seen an uptick in errors, but we have definitely seen an uptick in demand. More people testing online means more data exists and consequently, there is an increased emphasis on protecting that data.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why?
- Keep up-to-date with the new technology. Don’t assume you’re doing all you can do.
- Pay attention to incidents at other companies, even in other sectors.
- Check on your process regularly and frequently. Know your data professionals.
- Be sure your policies are up-to-date and accurate.
- If there is an issue, communicate quickly and accurately. Be transparent and honest.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
I wish everyone would take a class, many classes in areas that inspire or fascinate them. Keep their mental focus in education and learning. Keep growing. It’s so easy to do that now, for fun and for free.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.
Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.
Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.