A New CISO at the University of Washington

Rebekah Skiver Thompson
Published in CISO Tuesdays, Sep 8, 2020
University of Washington, north entrance

First some background

I started working in IT at the University of Washington when I was an undergrad in the ’90s. After graduating, I got a full-time job with the central IT department (now known as UW-IT) and with the exception of about nine months in 2000 when I took time off to focus on my first year of graduate school, I have worked for them in one capacity or another ever since.

In January 2013 I took my first job in the UW Office of the CISO (which sits within UW-IT) as a security engineer, focusing mostly on incident response. Over the years, I worked my way up into management, and in late February of this year, I was offered the position of interim CISO as my boss was getting ready to retire. The idea was for me to slowly transition into the interim role starting March 1, with a two-month overlap when we would both be working. That plan was thrown out the window one week later when UW-IT became one of the first departments on campus to move to remote work for the majority of staff. What should have been a gradual transition filled with lots of sideline conversations about the job became nothing of the sort; instead it was a frantic “let’s all figure out how to work from home” with an occasional phone call with the boss to make sure the two of us were on the same page. But fast forward a couple of months, everyone has adjusted to working remotely, and I have now completed the first 60 days of being in the CISO role in an official “permanent” capacity. During that short period of time, I have discovered that my “typical” day has gone from having lots of meetings to having even more meetings.

Pre-Work

My day starts with a 6:00 AM alarm. Except on rare occasions, I hit a 10-minute snooze button and lie in bed for a few minutes trying to wake up. My goal is to open my eyes and check email from my phone before the alarm goes off for a second time. (I’m usually successful but there have been times where the snooze alarm wakes me up again so I’m always glad I set it!) The quick email check lets me know if anything urgent came in overnight and whether or not I need to be online earlier than usual. Thankfully on this Tuesday, there was nothing that needed immediate attention.

For the first hour after I wake up, it’s my time to focus on myself and get a workout in. I typically do a short strength session followed by a longer cardio workout. Tuesdays happen to be the day when I race myself on a bike that goes nowhere. I find these workouts to be a great way to focus my mind, forget about work or other stressors (life is full of them these days!), and feel ready for the day ahead. No matter how tired I was when my alarm went off or how sweaty and winded I am at the end of the workout, I always feel more energized and am glad that I took the time to do it.

I’m typically showered and ready for work sometime between 7:30 and 7:45 so I grab my coffee and laptop and start my 30-second commute to the backyard. My commute is only that long because I take a quick detour by the chicken coop to let the hens into their yard and check for eggs, then it’s off to our storage shed where I’ve cleared enough room to set up an office. During the start of the pandemic, I worked from my dining room table but quickly found that with family and pets all home, our small house was a bit too chaotic to handle Zoom meetings. While it feels a little awkward to be on video calls with a background of shelved boxes (not to mention a chorus of chickens in the background), I finally have an office with windows! (And yes, I know I can use a virtual background but for several reasons I won’t go into, I don’t have one.)

Morning

I spend the first part of the morning catching up on email and responding to messages I read the night before but didn’t take action on (more about that later). I also make note of any trends that I see in the latest phishing campaigns (this week is numerous COVID-19 work-from-home scams) and check in via Slack with my staff if I have any questions or concerns. I also try to think about how we can improve our user education and outreach, especially this time of year as we are about to get a new population of students for the fall. Security is, after all, only as strong as its weakest link and that weak link is typically people. I don’t fault them — everyone has their own area of expertise — but I do spend a lot of time thinking about how we can engage with people to bring a certain level of awareness about cybersecurity to our campus.

My first meeting of the day on Tuesdays is at 9:30 and it covers open incidents shared between my office and the University’s Privacy Office. At the UW, delegated authority for handling potential data breaches is split among several different offices, depending on the type of information involved. This Tuesday meeting is an opportunity to discuss new incidents and coordinate the investigative response.

Immediately following the incident meeting is a team meeting involving the entire Office of the CISO. The purpose of this meeting is for everyone to provide quick updates on what they are working on and to bring awareness of that work to others in case there are questions or opportunities for collaboration. While we have been able to maintain a basic level of awareness based on emails and smaller team meetings/chats, there’s something to be said for the office environment that allows people to interact more spontaneously to share information and I miss that when working remotely.

On this particular Tuesday, the team meeting was followed immediately by my monthly meeting with our CTO to discuss technology and security concerns, how we may be able to save money (so many of us are facing budget cuts with the impact of COVID-19), and other areas of mutual interest between our units. My office relies heavily on networking tools provided by the CTO’s team so it is good to be able to discuss those tools and potential enhancements that would benefit not only my team but others on campus as well. And as a new member of the Strategic Leadership Team in UW-IT, this meeting, and others like it, provides me time to build a professional relationship that will hopefully build trust and collaboration.

Lunch

After signing off from my last meeting of the morning, I return to my inbox to get caught up again (or as close to caught up as possible) before lunch. Back when I was working from the office, I would work through lunch more often than not, usually taking only 5 or 10 minutes to heat up and prepare food (usually leftovers or whatever freezer meal I had stocked up on), and then eating at my desk as I continued to work. Since I have been working from home, however, I find that I need to take a break during lunch if for no other reason than I am no longer walking in between meetings and getting blood flowing to some degree. I find that going from one Zoom meeting to another without short breaks in between is exhausting unless I’m able to take a real break during lunch. Whenever possible, my lunch hour consists of a short meal followed by a long walk around the neighborhood. I’m not sure yet what I am going to do when the weather turns cold and wet but for now I am really enjoying my afternoon walks.

Afternoon

My afternoons look a lot like my mornings: more email to catch up on and more meetings. The topics on this particular day centered around the effects of COVID-19, including a discussion about faculty concerns regarding the security and privacy of international students doing remote learning as well as a meeting meant to provide updates on COVID-19 within the state and the University’s response plan. I also had a meeting to discuss IT Vendor Risk Management and how we can expand and improve our work in that area.

During the latter part of each day, I try to set aside time to review my next day’s agenda and to prepare for any meetings. I also update my to-do list by adding new items, crossing off finished items, and possibly reordering the priority level for each one. With me being new to the CISO role, one of my priority to-do items is to present my strategic plan for the office so I spent some time working on that. I am also in the process of backfilling my Director role so I spent a little time writing interview questions. At 5PM I answered a phone call from someone in my contact list (I get a lot of vendor calls so if I don’t recognize the number, I typically let the call go to voicemail). The phone conversation took about 20 minutes, after which I packed up my laptop and headed back to the house.

Evening

For me my workday doesn’t really end at the time I head back into the house but I do try to take a break to help with dinner and spend time with my family. After dinner I will resume checking email but I try to be very intentional about whether or not I respond. Unless it is something urgent, I try to hold off on responding to any emails until the next morning so that the person I’m responding to doesn’t feel like they need to work after hours. I know my staff all put in a lot of time at their job and it’s important to me that they have a good work/life balance.

Even though I do continue to check email throughout the evening or work on high priority tasks that didn’t get as much attention as needed during the day, I find my own work/life balance by scheduling intentional “time off” during the evenings. On this particular Tuesday, I went for a socially-distanced bike ride with a couple of friends; other evenings may include watching a sports game on TV, or going for another long walk. I am really going to miss the long daylight hours and beautiful weather we have been enjoying here in Seattle this summer.

My time to finally stop checking email each evening is 9:00 PM regardless of how late I stay up. (My only exception to that is email from the few people who are marked as “VIP” — those will result in an alert on my phone and I will read them after 9PM.) The rest of the evening is my time to relax, stream something on TV, or read a book.

The last thing I do before bed, other than turning out the light, is to check my calendar one last time for the following day. I already checked it during the late afternoon as I was preparing for the next day but I check it again just to give myself an opportunity to think about anything I may have missed and to get mentally prepared for my morning. By this time I will also know whether or not I need to set my alarm for earlier, which thankfully is a rare occurrence.

Final thoughts

The last few months have felt particularly chaotic as I adjust to the reality of living in a pandemic as well as taking on the role of CISO. The world of security can be a very stressful and challenging place but I find that challenge to also be rewarding. I really enjoy the people I work with and the work that we do to help contribute to the mission of the University.

I do look forward to returning to the office and interacting with people face-to-face but I am also very grateful for the fact that I and my team can work remotely. I just have to remember to mute my mic if I don’t want to be interrupted by chickens announcing their latest egg.

Red Square with Rainier Vista
