Lorna Koppel wrote the book on information security—literally. She’s the coauthor of Information Protection Playbook and a former information security expert at Iron Mountain and Kohler. But she has always wanted to apply her talents to higher education, and was looking for opportunities in that realm. At the same time, as Tufts University embraces a global approach to elite education, it needed someone to pioneer ways to secure previously unimagined styles of collaboration and innovation. The university found that person in
Koppel, and her expertise is guiding the way Tufts secures its expansive future.
Sync: Tell us the story of how you arrived at Tufts. What made you leave a security position at Iron Mountain to take on the world of higher education?
Lorna Koppel: I have dreamt about a career in higher education and the sciences since I was in high school. I loved the thought of being involved with the energy and passion for continued learning and research. I discovered that I could bring my years of security and operational process experience to a top-notch university.
Sync: What is uniquely challenging in the higher education environment?
Koppel: You have a number of challenges that are the extreme of what some corporations face. The main challenge is the sheer breadth of different personal devices that people bring into the environment. You also have very high throughput needs and extensive collaboration with a wide range of external organizations and individuals. There are a lot of things that you have to enable and still try to figure out how to protect, without having as much dictatorial control over the environment as a corporation would.
Corporations tend to lock everything down, minimize what their employees can do, and only allow the use of the things they need for business. Universities historically start from a fundamentally different philosophy: they seek to enable everything. Now, with the rise of security threats, they have to creatively scale back what people can do, in order to eliminate risk.
“Corporations tend to lock everything down. Universities historically start from a fundamentally different philosophy: they seek to enable everything.”
Sync: What are the keys to protecting and enabling the university from an information perspective?
Koppel: The students want to do their schoolwork and research with no impediments, pursue their hobbies, and do the things that help them relax. Those things can be vastly different—especially at a university with students from all over the world.
The faculty needs access to their tools to teach courses, and they want to have a lot of flexibility in presenting their materials. More and more, they may need IT technologies that traditionally haven’t been in the classroom. We also have to consider the diverse types of research that requires everything from high-computing needs to highly reliable communications to the collection and analysis of sensitive data with no room for data corruption or leakage.
In a diverse environment such as Tufts, everyone has focused on their own areas and they don’t necessarily know the other departments and resources they can leverage. The key to working at a university is making sure there’s good communication that builds trust and information sharing, so we will hear about initiatives in time for us to help enable everyone to do their jobs safely.
Meet the Tufts IT Team
Koppel utilizes a team of specialized technology experts to keep Tufts’s security architecture robust and effective. She describes what each of them brings to the table in her department.
Senior Information Risk Consultant
Designs solutions and manages risk mitigation efforts for new university initiatives to meet evolving threats and compliance needs
IS Application Risk Consultant
Develops tools for use by diverse people across the university, including the security team, to understand data trends and to help respond to and manage efforts to reduce risk
Sync: How does your corporate experience inform your approach to what you’re doing at Tufts?
Koppel: The great part of my corporate experience is the ability it has given me to bring hope, through suggesting ideas of how to deal with seemingly unmovable roadblocks, to people beyond security.
Sync: Are there examples you could share of how you advise up front to reduce risk?
Koppel: It’s always easier and cheaper to reduce your risk before something gets put in place than having to go back and fix it later. It’s not always possible, but it’s easier. Two processes are important to that.
The first is vetting your vendors. In recent large breaches covered in the news, the breach usually started at the third-party vendor and its access to the victim’s network. It’s important to vet your vendors before you use them. Their weakest link can become your weakest link. Understanding their security stance is hard, but it’s an important thing to do.
Downstream from that, doing reviews of projects before they get too far into their lifecycle is important. There may be some needed tweaks where stuff gets installed in the network and in how the data is handled and accessed. You can also scan for vulnerabilities in the applications so you can fix them before you plug them into the network. Every IT project needs to have some sort of security analysis done at the beginning, so we can guide where the process is going to go and bake in security along the way. Finally, it is important to then do another review prior to going live.
Sync: What are some ways that Tufts is upgrading its detection and response abilities?
Koppel: One of the big trends that higher education has to focus more on is the need to be able to detect and respond to potential threats much faster. Historically, we have intentionally let the horse out of the barn as learning environments are more open, but now we need to have a monitor on the horse so that we can see where he’s going before he’s gotten too far down the road!
That requires a ton of data. You need to gather data on all different kinds of activities from multiple sources on the network. No human can look at that data on a 24/7/365 basis and analyze it. So you need the tools to bring that all together. You need good computers, good programs, and the heuristics to analyze that data. You need to reduce all of the noise in the data so that you can pick up the anomalies and respond to them.
The other thing that’s going on is the Trojan horse concept—attacks masquerading as legitimate traffic or websites. You need tools that are able to be closer to the data before it gets encrypted to see if it’s being handled in ways that it shouldn’t, or you need methods that are able to keep people from getting tricked into going to malicious websites. You need tools that are designed to look at the content of the traffic and what is being done with the data. Overall, being able to take a forensic approach to looking at traffic and usage activities is really important.
Photos by Matthew Healey
Learn more about cybersecurity prevention and response in the legal and IT fields with a white paper from Sync titled The General Counsel’s Guide to Digital Defense. The Legal Side of Cybersecurity. Click below to download this complimentary industry insight report.