CISO Tuesday, San Diego Supercomputer Center at UCSD

Winston Armstrong
Published in CISO Tuesdays
6 min read, Sep 23, 2020

A super place to work

The San Diego Supercomputer Center (SDSC) is part of the University of California, San Diego (UCSD). SDSC hosts supercomputers, general purpose compute systems, storage, etc. used to perform a wide variety of research. SDSC provides resources, services, and expertise to the national research community including academia, industry, and government. SDSC supports hundreds of multidisciplinary programs spanning a wide variety of domains, from astrophysics and bioinformatics to environmental sciences and health IT. I have been the CISO at SDSC for ten years. My role is to work with programs, staff, and researchers to implement security controls and policies to protect data and IT systems. I work closely in this capacity with the UCSD Campus and UCSD Health Systems CISOs.

Tuesday Mornings:

I wake up, around 6am, get out of bed, and drag a comb across my head. I find my way to the kitchen and drink a cup. Sound familiar? Of course my morning routine is always accompanied by Beatles music (A Day in the Life) with a background orchestra.

Once my eyes are uncrossed I dive for my keyboard to check my email and schedule. The sky only fell twice last night? No meetings until 9am…? Great, I can actually take action on the long list of action items gathered from the previous day's meetings.

I plan my day over a cup of coffee. Oh what amazing things can I accomplish today in the two hours I have between meetings? The opportunities are limitless.

My initial daily work plan conceived (Rev OD), I reach for my morning survival gear. Armed with my second cup in one hand and my TV remote in the other, I devour the recorded morning news. Sufficiently deflated, I look to the online newspaper for inspiration. I should have stuck to the TV news. No wonder I am a sports fan. Go Lakers and Padres!

A quick morning core workout to protect my back from a day of sitting and then I settle in for battle (i.e. I sit).

I spend the next hour or so catching up on email issues. Some emails are informational, some are like a giant spider web just waiting for me to stumble into it. One misstep and I will spend the day wiping the cobwebs off my face and searching for where that spider landed. Each day has at least one such issue. “What, that contract I signed meant I really can’t put compliance data on this system?” No problem. We have a small team just living for the opportunity to analyze your system logs to determine if that data was accessed by the appropriate personnel. Daily work plan revised (Rev A).

My role involves supporting customers with a wide range of security requirements. We host open research that requires very little in the way of IT security. On the other end of the spectrum we deal with compliance data with very prescriptive regulatory requirements. Also, there is a lot of work that falls in between those two ends of the spectrum. The variety of requirements keeps things interesting. I enjoy the challenge and it keeps my brain fresh. I respect the work performed by researchers and try not to be the inflexible security person whose stance is “my way or the highway”. I enjoy working with customers, security staff, and system administrators to find ways to meet challenges without “heavily” impacting the true goal of getting the work done. Notice I used the word “heavily”. There is always a price to security, especially in the compliance world. I try to communicate and work with customers to find that balance.

First meeting. I join my first Zoom call with great anticipation. I stare at a Zoom matrix of names and initials. OK, I guess I will spare the rest of the meeting attendees my blurry eyes and shaggy hair. I defer to my Zoom profile mug shot of me with groomed hair and clear eyes. The topic/goal of this morning’s meeting is basically getting two government agencies, a prime contractor, and the representatives, including yours truly, from the San Diego Supercomputer Center (SDSC) at UCSD to agree on the most appropriate location for hosting this engagement. Things are pretty Cloudy on this subject lately. However, the Team is surprisingly cooperative and supportive of each other. The tentative plan hatched, it will require conversations with others, but an initial plan has been agreed to. A good start for my first meeting of the day.

No time to dilly dally. I jump into Zoom meeting number two. We discuss the aforementioned topic of compliance and determine where this customer belongs (i.e. computing environment, not purgatory) and how to properly lock down a system to meet the appropriate compliance requirements. This is where the CISO plays the Shell Answer Man (remember that one?) of Security. I turn to my Ouija board and provide interpretations of federal security compliance standards. Who can doubt the insights and accuracy of the Ouija board? We agree on a list of potential controls to investigate. Once investigated and agreed upon by the customer, they will be documented in a new policy document.

Tuesday afternoon:

Time for a quick bite to eat, then it is time for, drum roll, let’s play Policy Update. I navigate the commute from my home kitchen to my home office. Unfortunately, my kitchen table, scratch that, office table doesn’t have room for a toaster oven. Ah, but I digress. When your institution hosts data that falls under compliance requirements there are many lifecycle documents required. These policies take constant updating to keep current with evolving requirements and changing architectures. Add in the accompanying follow-up discussions, Table Top Tests, training, etc. and it is a large work pill. Finish one document and it is time to update another. One of the biggest challenges is determining the best way to effectively meet a security requirement without creating a huge amount of work for the System Administrator or Researcher who must meet the requirement. It requires coordination, communication, investigation, etc. I sort through and resolve as many reviewer comments as possible and shoot off some email on suggested document changes. I spend time reading the federal requirement and google some nuances of the requirement. If we get stuck on a particular requirement we may engage a vendor to get their opinion. For instance, we may talk to a Cloud hosting vendor, who tends to have experts on staff. We may not always get a definitive answer in these instances, but more information gathered tends to help eventually get to the bottom of the issue.

Time’s up, time for a Zoom status meeting with a security Staff member. This is the day’s highlight. I am fortunate to work with a great team of people. Smart, capable, and holding positive attitudes. We discuss how we are surviving these crazy times. This is the Zoom equivalent of the hallway conversation. Having solved the world’s problems, we review a list of status items. These are the people who do the real work. We review the status of vulnerability scans, configuring of new log alerts, issues with impacts of security controls on a developer team, etc. With each of us loaded up with a sufficient list of action items, we end the call. Typically each of us ends up with an action to meet or communicate with someone to resolve an issue. Sometimes it’s resolution of a miscommunication and many times it is asking them to put a security issue (e.g. patching of a software application) higher on their priority list.

Tuesday Evening:

When the day’s meetings are done it is back to email to see all that has transpired while I have been in meetings. I work with a fast crowd and if I am going to weigh in on an issue it has to be timely or the plan will be finalized without my viewpoint. Not that I still can’t change the direction of an issue, but it is counterproductive to change direction once progress is being made. My eyes blurred and crossed, I stare at the hummingbirds fighting over my feeder. They are one of my favorite animals but darn, they sure don’t share very well.

Most of the day’s emails reviewed, it is break time. Time permitting, I jump on my bike and ride a local hill that has been conveniently located to provide me a COVID workout ride. I ride up the hill in 30 minutes and down in 10. Exercise one way and adrenaline rush the other. Having completed my brush with mortality (aka Frogger video game with bike vs cars), it is time for dinner and more email. Sufficiently caught up on email, time for more music. Joe Walsh, Life’s Been Good.
