How the California State University System CISO Spends His Tuesdays

By Ed Hudson

Published in CISO Tuesdays, Aug 18, 2020 (8 min read)

Spinning plates

CSU Chancellors Office

I am often asked what a “typical” day for a higher education CISO is like. Typical for me, and I suspect most CISOs, is that of being in a constant state of being ready to respond to the unexpected, while balancing the known and planned for. Not unlike that guy on TV with the spinning plates, or sometimes it feels like juggling chain saws, and I love it.

I joined the CSU in 2009 as the ISO at our Chico State campus before joining the system headquarters team at our Chancellor's Office as Deputy CISO in 2013 and moving into the CISO role about three years ago. Prior to that I worked in the private sector for various companies delivering cyber security services to many different industries including health care, financial, higher education, even food service.

I am fortunate to serve as the CISO for the California State University system where I get to bring all of that together. The CSU is the largest four-year public university system in the country with 23 campuses and 8 off-campus centers stretched along the 800-mile length of California from Humboldt to San Diego. In the fall of 2020 the CSU enrolled 481,929 students from incredibly diverse backgrounds and we support more than 53,000 faculty and staff. Considered the “jobs engine” of California, we confer over half of the state's bachelor’s degrees, providing more than 127,000 graduates into the workforce each year. No day is “typical” at this scale.

While there are regular and repetitive tasks as we advance our strategic goals, any of them can be sidetracked by the sudden influx of notices from a vendor that they have suffered a breach, as many of us in higher education experienced a few weeks ago. A campus itself can experience a data exposure or incident, and as the CISO one of my primary duties is to manage each of these events where sensitive data is involved, marshalling resources for the campus, coordinating our Office of General Counsel, Risk Management, Media Communications and technical resources to respond.

Up at Dawn

My typical day starts at 5:30 when I get up to work out. This takes the form of a run with my rescue boxer Chloe or a spin on the stationary bike followed by exercises, stretching and then meditation time. If I could give any aspiring CISO want-to-be any advice it would be to take time to take care of yourself physically and mentally. Burnout and stress are significant issues in our field and as our CIO likes to say, “we have to follow the airplane rule: put your mask on first.”

With a smoothie and coffee in the French press I sit down around 7:30 for “i-time,” my individual time to review the news, the emails that came in, my schedule for the day and any new alerts or developments from the night before and adjust priorities accordingly. This also gives me a chance to approve time off requests, time and absence entries for my team or other documents needing attention. I have email rules set up for each of my direct reports so I can quickly see if they have sent me anything needing attention. We check in each day via our closed Slack space where I try to keep the mood upbeat by providing them an elephant joke each day. I think secretly they enjoy it, and that’s the story I tell myself.

At 8:45 it's time for the IT Senior Leadership stand-up via Zoom to check in with my colleagues and the boss, our systemwide CIO, to get the latest on other projects, the current budget, and further adjust the day, or keep those plates spinning.

Time now for a quick impromptu Zoom with my amazing admin who wants to check on ideas for October's Cyber Security Awareness Month activities since we are all remote now. She takes the lead on this annual effort which last year had me sitting atop a Dunk Tank where employees could earn tickets to throw balls and dunk me by answering various cyber security questions on phishing, passwords, multi-factor authentication and other topics we want to reinforce. Not sure what she has up her sleeve this year.

On this particular Tuesday at 10:00 it's time for the monthly meeting of all the campus Information Security Officers and their teams via Zoom. We keep the first 45 minutes of this two-hour Zoom meeting closed for any sensitive discussions but we have opened it after that for anyone from the CSU community who wants to learn about what we do, and what we are doing. Increasing transparency and communication to other constituent groups has been a priority for me since stepping into this role.

A quick lunch around noon and a walk with the dog in the nearby park let us both stretch our legs and get away from the screen and keyboard. On my return it’s time to check e-mail again, see what’s happening in our Slack spaces where there are always lively conversations with people helping each other solve issues. The CSU has wonderfully talented technologists and I truly feel there is no problem they can’t find a solution to, and they are willing to share.

The afternoon

By now everyone else at the Chancellor's Office and on our campuses has spent their mornings at various tasks and I usually see an influx of items come in right after lunch as they are brought to my attention or there are requests for meetings.

My Tuesdays from 2:00–3:00 are always double booked with two important meetings. We have a multi-campus log aggregation project that has taken off and we meet on Tuesdays with our managed service provider and the technical leads to discuss progress and where things are working well, or not. This is also the time that our systemwide Policy and Standards team meets. This group, made up of ISOs from several campuses and led by one of my direct reports, has been working on a major project to align our policies with ISO 27001:2013 and to make them more consumable by our CSU community. Historically our information security policy was written by information security, for information security (and Audit) but not easily utilized by those who have to follow it. This group has made great strides in reimagining how this will occur and so I try to at least pop in and see how things are going.

I get a short break to review and edit some contracts sent to me by our procurement team, review vendor assessments and to meet with vendors to help them understand why we need them to agree to our terms and conditions. A really valuable tool for this has been the inclusion of the EDUCAUSE Higher Education Community Vendor Assessment Tool (HECVAT) into our process and this is where I spend a fair amount of time reviewing those submitted to us.

Right now, we are finishing annual performance reviews, so this gives me some time to continue working on those. I am so fortunate to have an incredible team of hard working and high performing individuals who also work exceedingly well together. They have pivoted to working from home while balancing family and the impact of the pandemic and an increased workload as we support the system readying for fall and online instruction, repopulation of workspaces and the unknown of what will come next.

Professional Development

I end every day with a final hour of i-time to gather together all the new items and adjust priorities, but Tuesdays are when I set aside time for my own professional development and to assist others. Right now, I am mentoring one of our new campus ISOs so we frequently meet via Zoom during this period. I am also working with an executive coach on refining and continuing to develop my own leadership and she regularly tasks me with outside reading which I do during this slot in my day. Most recently I finished “Emotional Agility” by Susan David and it is an amazing read that I recommend to everyone. I also use this time to check in on my work-related Twitter. I try to post regularly but often my time is spent reading posts from the many amazing CIOs and CISOs that I follow and who serve as great mentors themselves.

Often during this time slot, I am working on tasks related to my EDUCAUSE efforts. I have served as faculty and faculty director for the Management Institute and am currently working with this great organization on delivering the New IT Managers curriculum online this fall.

End of Day

There is no set time to call the day over but at some point I will get through the priorities for the day, check my direct reports and leadership team email feeds and somewhere in there the dog will once again be giving me the side eye signal that it’s time for her to check her own “messaging” at every tree in the park. The plates are still spinning, and a couple need a little jostle before I step away.

Dinner and some television are usually in order before checking my email one last time, flagging anything for the next day and checking my schedule to make sure I am aware of what is on my calendar. If I have to email anyone, I try to save to draft to send the next day, but I am not always as good at that as I would like. It is especially challenging to separate work and home when your desk is right there, and we all have to be really intentional about how we approach and balance work and home life.

Around 9:30 I call it a day for screen time. No more TV or computer or tablet. I crack open a good old-fashioned book and read for a bit before turning the lights out. Right now, I am finishing “The Overstory” by Richard Powers. The novel tells the story of nine people and their unique life experiences around trees and the destruction of our forests. It is a Pulitzer Prize winner and a nice diversion from technology.

In Closing

As I paused to gather my thoughts and write this it called to mind why I love the work we do. It is varied and presents new challenges constantly. I have a great team and am part of a great team of leaders. Everyone around me is committed and passionate about what we do and why we do it. I love doing new hire orientation myself as it gives me the chance to meet new staff. I always ask who comes from outside higher education and who has been on a campus previously. At the system office it's often easy to forget, or to not see, the impact we have on the academic attainment of our students. Our “product,” our “widget” if you will, is educated people and that directly impacts communities. I encourage those new employees to volunteer at one of our campuses' graduation ceremonies, or as I call it, Product Roll Out.

Thank you for reading and feel free to follow me on Twitter @CalState CISO and to send me any new book recommendations.
