I think it's the appointed time, and let me welcome our attendees and thank you for joining us today. I'm Cliff Lynch, I'm the director of the Coalition for Networked Information, and you have joined us for one of the sessions on the second of the three plenary days of the CNI Spring 2021 Virtual Meeting. I hope you will join us for an additional event later today and for events tomorrow as we complete this virtual meeting. I also invite you to take advantage of the extensive pre-recorded project briefings that we made available at the beginning of the meeting last week. There's a lot of really good material in there and I invite you to explore it. This session, like all of the sessions at the spring virtual meeting this year, is being recorded and it will be publicly available after the meeting concludes. You have a Q&A tool at the bottom of your screen, and please use that and/or the chat box to comment or post questions at any point during the conversation.
The way we're going to do this is Brian Kelly from EDUCAUSE, who is the head of their cybersecurity programs, is going to lead off with a little sort of landscape survey of the evolution of information security officers, or CISOs as they call them, and chief privacy officers, or CPOs. He's going to talk a bit, you know, sort of generally about the landscape. And then we are going to have Kent Wada, who is currently serving as the chief privacy officer at the University of California Los Angeles and who I would note is a former CISO as well, and Cheryl Washington, who is currently the CISO at the University of California at Davis. And I want to note also an EDUCAUSE board member, and if I'm correct in my understanding you are the first CISO to serve as an EDUCAUSE board member, the first active CISO, which is really wonderful. And I should also add Cheryl is interestingly a former chief privacy officer. So, in fact, we will get very multidimensional views on this from our participants.
After we have some conversation among us, for about the last, probably, 15 minutes or so of the panel, I will take questions from the audience for our panelists. And so please, please feel free to queue those up at any point. To set the stage a little more for this, I want to note that I know we have many people who are involved in library leadership who are with us today. And many of them are probably aware that there are these roles on their campus, but they may not really know a lot about what they do, or how they relate to each other and to other activities on campus. And I think that a conversation here is increasingly urgent as libraries deal more and more with getting involved in contracts that deal with individual patron information going to third parties, some electronic subscriptions and things. As they get more involved with student success and all of the analytics and data collection that drives a lot of those programs. And indeed as they just act increasingly as advocates and educators about student and faculty privacy in certain spheres. So I really hope that this session will be sort of a launching point for a very fruitful conversation that will continue. With that, I think I have said all the opening things I need to say and I'm going to turn it over to Brian.
Thanks Cliff, thanks for the introduction and thanks for inviting us today and setting up this wonderful talk. I'm honored to be here and be part of this with Kent and Cheryl. As I said before, if I wasn't participating on the panel I'd certainly be attending to listen to the two of them, so I'm looking at that, and that really lends to a little bit about my role at EDUCAUSE and the cybersecurity program and what we're doing around privacy.
I often joke about being sort of the collector and the connector of dots, right, and I think in this it's really, as you said, I think today is the beginning of a conversation, not the end, right, and opens up sort of that collaborative and awareness which is foundational to what we do at EDUCAUSE, what you're doing at CNI, and what we're trying to do here today is to really open up the conversation and talk about how both these roles are evolving, but they're also complementary roles. And I'm going to turn it over to Kent and Cheryl, you'll cover that in more detail, but I think that's also important to know today about the complementary nature of that. And I also like to say, and Cheryl and Kent have heard this way too much, as my friend David Sherry at Princeton is a cultural change from the Chief Information Security Office. I say CISO and I know Cliff you said CISO, so it's like tomato, tomato, but what David had said is we're really seeing a shift of becoming the office of KNOW, the office of we want you to know about cybersecurity, about what we're doing, who's doing it, the things that you mentioned around third parties and applications, instead of being what was traditionally viewed as the office of N-O, right, the office of no, you're doing it insecurely or not doing it correctly. So I think that cultural shift is part of the evolution, and you know we're seeing that both in those roles, right, so an evolution in the role of CPO and CISO, but also around sort of the concept or the ideas and the notion of privacy. And I know, Kent, that that's what you all will talk about, but I think that's important to know. And back in November of 2020, it feels like a lifetime ago, EDUCAUSE published a joint research paper that we had produced with Huron, and we were introduced to Huron through Kent and UCLA, and that paper really explored various ways that data privacy is managed on campus, right, so that's sort of to help inform what we're talking about here today and
also examine sort of the recent legislation around privacy issues that both existed before COVID and some that have arisen through the COVID-19 pandemic. So what we were really trying to do there was uncover some of the challenges but also figure out how we bring forward, right, how we bring forward not only data privacy but privacy more generally in higher education. I'll make sure I link that report and get that out in chat so you all have that. And I think that brings us to the CISO and the CPOs are sort of at a different level in terms of privacy legislation, and we're, you know, from a compliance and regulatory standpoint and ethics, and that's what we're hearing and seeing most readily from our members, is that conversation shifting a little bit. And we had research that we published earlier this year and it was student focused, it was a student data privacy study, but I think it's applicable when we think about faculty, staff, all of our constituents on campus. One of the results was really what students want is they want to protect that information regarding not only their personal lives but their academic and their professional prospects as well. And I think one of the interesting parts of that study I'll pull out is that only one in five students said they understood how their institutions were using their data, how the institution was using their personal data. And many of them, they didn't trust that their data will be used responsibly, which I think is noteworthy in the context of sort of trust and transparency around privacy, and I think that is informative for our conversation today. So, there's plenty of research that EDUCAUSE has, there's plenty of research that's on your site on CNI. I know Cliff you had a paper published toward the end of 2019 that was spot on. So with that,
I'll turn it back to you Cliff, or to Kent, I think Kent you were up next, but Cliff I'm not sure if we're going to do questions, so I'll throw it back over and happy to join the conversation.
Thanks so much Brian for that introduction, and please do put the link to that paper in the chat because it is a good paper. So, I'm going to start with a question to Kent and Cheryl, in asking you to say a bit about how you see your current role as either a CPO or a CISO, and how you see that relating to the other role that you're not currently occupying. Do you want to start, or go ahead, start Cheryl.
That is a brilliant question. I love it. I think it's safe to say that the title of this session speaks volumes to the role of the CISO, in the sense that CISOs have had to grow up over a long period of time to position ourselves in a way where, as Brian pointed out, we are the voice of K-N-O-W, as opposed to N-O, which is where a lot of people felt they would hear from a CISO whenever asked a question. To expect to hear the word no in response to a question, guess what, you stop asking. And what we found was that institutions were creating a huge volume of risk for themselves because we stopped asking questions, which is kind of odd because we're educational institutions, institutions of higher learning, and asking questions is in our DNA. In terms of security, it became a much tougher job as a CISO to get people to feel comfortable asking the question. And the way we got there was by, as Brian pointed out, translating or transitioning ourselves from N-O to know, K-N-O-W. Let's all figure it out together. And people asked me, well, what do you do for a living? Well, I'm a security officer. What does that really mean? It means I help the institution, you know, figure it out. I help the institution enable itself to do what it does best: research, teaching and learning, and community service. I help, I enable.
And so I think, you know, a modern day CISO is part of the institution's culture in the sense that a modern day CISO is there to help, to enable, to figure it out. It may not be a very clear path as we first look at a problem, but our job is to help to figure it out. And so, you know, when I pointed out, Cliff, in a prior life, I was a CPO. And I think it's very comfortable to say in this seat today that a CPO and a CISO, if they're doing their jobs well, they're going to overlap quite a bit. You know, our jobs, for all intents and purposes, are to work together to again, and I'm going to sound like a broken record all day long, but to enable the institution to do what it does best. And one of the things that Brian mentioned, I think, really needs to be teased out in any conversation regarding privacy and security, and that is data. You know, in many ways we're talking about data, the protection, collection, management of data, information in many regards, and I think that this particular group are librarians, you're front and center in the management and processing of data. And in many ways, there's a really great opportunity for a very strong collaboration between privacy and security and the library and librarians in our libraries in ensuring that we can move data along on the right path and yet not violate individuals' right to privacy, as well as ensure that we protect that information and it becomes part of our collection. So again, I can talk ad nauseam about this. I'll pass it over to Kent for a moment.
Thanks Cheryl. I'm just thinking about what you said, and privacy is in a little bit of a different space. I'll start by just saying a few years ago I went to a Thanksgiving dinner I was invited to. The only person I knew was one of the guests, and she introduced me to the host as UCLA's Chief Privacy Officer, and literally not 60 seconds later I was introduced by the host to another guest as UCLA's Chief Security Officer.
And I think this is still pretty prevalent today. You know, it's not that people don't care or whatever about privacy, it's really they don't understand it still. They understand glimpses of it. And so maybe this session will actually help to a certain extent to clarify. The easy part of privacy, I think, is really what I'd call data protection. You know, it's like, just no more breaches, don't have more breaches of personal data, of social security numbers, don't let people who shouldn't have, you know, access to my patient data have access to my patient data. That's the easy part, conceptually. It's really hard to do right, just like security is, and I think security is also in that mode of it's conceptually easy to grasp, really hard to do so that it's effective. And that's the part that I think most people think about when you bring to mind privacy: security cameras, you know, ubiquitous surveillance, big brother, that kind of thing, and of course, Cheryl, just as you spoke, it's often about data. You know, just the unbelievable amount of data that is collected about us, and that we radiate ourselves just through our cell phones, you know, through our use of browsers, through just our use of the internet. And that part is a little bit more difficult, I think, to grasp, because there is a privacy implication in all of those things, but we also see privacy, you know, in different guises. So if you think about academic freedom, or any of the freedoms, intellectual freedom, you know, freedom to read, freedom of association. All of those freedoms have an underpinning of privacy somewhere in there, and the advocacy role that I play, you know, so that the non data protection piece under, you know, it is interesting for that reason, because we're going beyond now just protecting to thinking about the appropriate use and responsible use of data, you know, what should we do.
And before I hand this back to Cliff, maybe I'll just say, you know, looking at how you approach these questions of appropriate use, our laws typically will tell us what we can do. You know, our laws will tell us what we must do, or cannot do. And within those bounds, there's a pretty big discretionary space often, you know, for the institution to figure out for itself what it wants to do. But within what we can't or must do is also the should question: what should we do, or what shouldn't we do, you know, and that comes to what Brian was talking about, the ethical, you know, the ethical issues around data. But I would actually add a third layer to that, because, you know, the ethical issues, the things that I typically see in my job on a day to day basis, it's not about, you know, someone wanting to do something wrong and asking, can I do this wrong thing. Or, I want to do this thing. And there are also good reasons why you shouldn't do this. I mean they're two entirely legitimate reasons that, you know, the institution would back both positions equally. And so the decision making is around a judgment call of, should we do something or shouldn't we do something, when you're comparing an apple and an orange, and both are desired or equally desirable. And, you know, it's that question, how do you make those decisions when you are talking about two legitimate needs that are butting heads, as opposed to, you know, something that's pretty clearly okay, that's just no, don't do that. And we can agree on that.
There is so much in there I want to explore.
At some point I want to get back to that advocacy role, Kent, that you spoke of, because I think that's really important. You know, historically there's been a bit of a sense in which both of these roles have been viewed as kind of, you know, administrative roles, counsel, you know, helping the institution to decide where its risks are and what it shouldn't do and can and cannot do, as you say, but really that advocacy dimension is increasingly important. And the other piece that I want to hopefully come back to is some of the, you know, to go back to Brian's identification of the ethical space here, the scary ethical contradictions of student success analytics. I don't perfectly meet Kent's, you know, yet I can come up with two utterly opposed and highly justifiable positions on this. But before I go there, and I do want to go some other places too, I wonder if you all could say a few words about reporting lines, because I know people are very curious about both your actual reporting lines as a CISO or CPO, and what's typical at institutions, and also sort of where your dotted line relationships are.
And traditionally, and particularly in higher education, the CISO reports to the CIO. And a lot of the rationale behind that I think is more so legacy than it is perhaps what you might typically find in a private organization or your typical private industries. And again, it's the legacy issue. It's security in many ways was sort of brought up or raised in technology. In the early days our bread and butter, our focus, was on just ensuring that the network was safe and well protected. Today, we touched on, you know, one of the areas where most CISOs spend a great deal of their time, and that is managing risk, identification and remediation of risk. And to that end, you can easily see that security is far past being a technology discipline.
It has to integrate with all facets of an organization, particularly one as complex as higher education. Technically speaking, I report to the CIO. Practically speaking, I report to everybody at a certain level, to be honest with you. If they call I answer, if they need something I respond. It is not uncommon for me to report out to our chancellor or provost and others about the state of security across our institution. So, I don't think that my life as a CISO here at Davis is theoretically different than many others who are certainly at these large institutions. I think it is quite safe to say that while we don't have formal dotted reporting lines, to do our jobs well and be effective at being CISOs, we have to report to a number of individuals, a number of key stakeholders, to ensure that they are aware of what's happening in our institutions, and part of the rationale behind that is at the end of the day, you know, we have a key set of decision makers or individuals who will ultimately be responsible, for example, if something were to go terribly wrong. And in this day and age, these individuals want to know that we're on the right path or the wrong path, and if we're on the wrong path, what steps can we do, what can I recommend that we do to begin that self correction. Kent, I don't know what life is like on the CPO side nowadays, but I would imagine that you too have to report to a number of individuals at times.
But conceptually that resonates very well. I have to say, I report and have reported to our vice provost for IT for a long time. This is pretty unusual, to have privacy reporting through an IT relationship or an IT line. Our vice provost is not our CIO, interestingly enough, so there's, you know, it's a complicated administrative organization. Typically, I think privacy offices these days report through compliance. That's very common.
Sometimes through the general counsel's office, they may be both privacy attorneys and privacy officers, and then there's a whole, you know, raft of other areas where they might land: records management, in terms of processing public records act requests, part of the administration in any number of places together with policy. I think this is still showing a little bit, you know, where privacy is pretty immature in higher education, because it doesn't, you know, it lands in so many different places, there's no one accepted place. I think it's tending to converge on compliance though, is probably the closest, and in fact at UCLA that is likely where the privacy function is going to move relatively soon. The one thing though that I think is actually important to think about, as you say, Cheryl, in many ways, you know, the information security function, the data protection function. And in fact, I like to think of data protection as being sort of the combination of information privacy and information security, you know, and they're very complementary roles in protecting our data, including protecting data about people. We have a much larger purview and protecting all data and all infrastructure, computing infrastructure. But we work hand in hand and so that sort of traditional privacy versus security argument just doesn't really hold there. What does though start to get into the versus rather than the together is when we think about that advocacy part of privacy, where we're, you know, thinking really about the individual, and so this is, I think, a big differentiator on half of the privacy house. And that is, you know, both information security and information privacy is really, as you said, we're thinking about how do we reduce risk to the institution. And as a byproduct, of course, reducing risk to individuals.
I don't want to discount that, but the privacy role, you know, on the advocacy half is really about protecting individuals, as opposed to protecting the institution. And so it's a combination. You know, sometimes when you're protecting individuals, you are going counter to what would be best for the institution. So we get into this odd position of it can be privacy, you know, one type of privacy versus another, rather than privacy versus security.
It's a really strong point and I completely agree. One of the, I guess, approaches that UC developed to address that balancing act that we need to perform on both sides, believe it or not, so I think while Kent is expressing the views as a privacy officer, I completely share his views as a security officer that there are times when there's a conflict between individuals' rights to privacy and the institution's need to protect itself. When I returned to the University of California, I returned at a time when there was a huge discussion about privacy, and Kent, remember the privacy initiative that he and others spearheaded. One of the beauties of that document was this idea, this concept of a balancing test. We don't always have the answers, laws may not give us the answers. But I think if we took our time and thought our way through the needs of the rights of individuals versus the needs to continue to protect the institution, we can find a path forward. And this kind of goes back to what we're saying before about the evolution of these roles. Not everything is written down for us, there's not a cookbook that's going to prescribe what you do in any adverse situation. Sometimes you do have to think your way through this.
And I think the balancing test, taking this back to the privacy conversation, at least maybe the tension between privacy and security, was designed to force us to think, to sit around the table, to have these discussions and debates about where we might want to learn and learn at the speed land in a way where we are indeed protecting the rights of the individual, just really important, along with the rights of the institution, which is equally important. Maybe not quite at the same level, but you get my meaning.
And I would just chime in that I think that lines to Cliff a little bit about learning analytics and student success and those type of initiatives, because it's sort of that intersection of the individual privacy, the needs of the institution, and how we balance that from a transparency standpoint, because at the end, all of those initiatives are based upon data, collecting data, analyzing data, doing something with that. So I think that awareness is really important, and I know our president John O'Brien has written and talked a lot in 2020 around that learning analytics and ethics and things along those lines. I think that's important to him and Austin as you pointed out Cliff. I think for your audience it really is understanding the roles and why we're here today, right, the roles of both that individual privacy and the institutional value you get from that data.
And I just note that EDUCAUSE has done some very thoughtful presentations on particularly the ethics around student analytics. I've seen several over the past year or two that have been really good. Let me go in a slightly different direction, but one that actually connects up with some of the things that both Cheryl and Kent were saying. I think as part of our spring meeting, I convened three roundtables, each with different institutions, to look at post COVID strategies, strategies that are informing people's planning for the 21-22 academic year and beyond.
One of the things that was tagged there was that there has been, and it looks like there will continue to be, a substantial investment in technology broadly to support public health and wellness. And that has some very unusual aspects to it, for example, in some cases universities are sharing data with county health departments and things of that nature. And also, many of those systems were frankly, you know, let's be honest, rushed out in the past year in the face of terrific and urgent need. And, you know, sometimes without all of the considerations that might have been given in more normal times. One of the observations that I heard was that in some sense, all of the stuff that's been done for the pandemic and that may stay in place to help manage, you know, the tail end of the pandemic and all of the issues about bringing students back, helping them to succeed, student wellness and mental health and all of those concerns that are very much on the minds of university presidents. There was a concern that these may have normalized a bunch of privacy compromises that maybe we really want to be careful about normalizing and may want to try and walk back a bit. And I'm wondering if you have any reactions or thoughts on that complex of observations.
Sure. So I look at this actually as, it's very similar to what happened after 9/11 with the USA Patriot Act, which modified, you know, tremendous amounts of legislation, much of which impacted privacy. And I think also as a byproduct galvanized the library community, in fact, to become very active in terms of thinking about privacy. It's certainly true, you know, so much of what we do on an emergency basis, of course we have to do things, whether it's a national security imperative or a public health imperative. There are just things we have to do. But if we're not careful to put sunset clauses or review clauses and things,
then it is, as you say, very easily, you know, just something you continue to do because it's convenient, it doesn't take more work, and in fact could be actually really helpful in other situations. I like to think, you know, about data, one of the lessons is, you know, once you collect any kind of data, someone at some point is going to think of another use, you know, another bright idea for how to use that data. And it's not that we shouldn't reuse that data. But there are all sorts of considerations, you know, when you have secondary and tertiary and so on uses of data that you've already collected for a purpose, and now you're repurposing it. So, yes, I mean I think that's one of the foundational concerns that privacy people have, that we normalize things and in fact we socialize them, you know, inadvertently sometimes, before we even had a chance, for example, to think about what it meant to socialize facial recognition. You know, on the one hand people are very concerned, on the other they have no problems just putting their phones in front of their face and unlocking it without thinking about what, you know, implications that really has, and however many tens of millions of people do that around the world every day, several times a day.
I mentioned a couple of things that I really want to emphasize. It is absolutely true that many of us had to rush to get new technologies, new processes, basically a whole new world in place in a very short period of time, in response to the pandemic. We've gone through, not quite the same experience but maybe comparable experiences, taught us some lessons from those prior experiences, and one key lesson, again something that Kent mentioned, was to insert clauses or milestones or moments where you take a step back, you breathe, you ask maybe a slightly different set of questions, and perhaps adjust accordingly.
So, you know, normalization is one thing, but etching something in stone, where it can't be changed, is something else. And I think many of us knew that we were working fast and furious and that at some point when, you know, I can't say since the emergency died down because it hasn't died down, but when we got a moment to breathe, we would take a step back and make the necessary corrections to sort of right size our environment. Having said that, the pandemic has opened up a slightly different world for us. Many of our institutions now use the term work from home as part of our DNA. And it has created, at least for me, both opportunity as well as challenge to figure out how do I extend the reach of the university security profile into areas where it may not feel so, like the home. If we have as many people working from home in the near future as we have today, then the home becomes in some degree, and we can debate what that degree value is, it becomes an extension of the university. We have workstations, we have data, we have people who are in their homes doing what they would normally do here on prem. We have challenges in front of us. I'm not even close to saying that life is normal yet. Even though we've created a slightly different journey for ourselves, I think we still have quite a bit of work ahead of ourselves in ensuring that that new journey for us is as secure as the old journey was.
I'll just add from a, sorry, from a privacy viewpoint that remote working is also definitely affecting the privacy side, as you sort of alluded to. You know, there are privacy implications of people who are not in a space where they can show their background or prefer not to show their background or literally have to share their space with others, you know, even as they're talking or presenting or taking tests. All sorts of equity, diversity and inclusion issues, you know, around the work from home model.
Thanks.
That really is a wonderfully helpful perspective from both of you on this whole situation we're facing and thoughts on how to move past it and, you know, think about sunsetting things. I want to turn to two final areas before I open this up to questions from the audience. And this is a pair of developments that I've been watching and I know my colleagues in the library have been watching with growing unease. One is the development of electronic textbooks, electronic interactive learning platforms, you know, things of that nature from commercial companies, where those tools, you know, it's very easy for a faculty member to say, well, I'm assigning this as the textbook. And yet, the student, in order to use that textbook, has to buy into a lot of, you know, very invasive transmission of his or her interactions back to a commercial provider that will do heaven knows what with it subsequently. And that's been a very hard transition, because, you know, they used to just be books, and faculty absolutely defended their right to select the textbook they thought was appropriate and assign it. That's been a very nasty transition to navigate and get, you know, some policy and ethical handles on. And then there's kind of a parallel situation that libraries run into, where as key journals have made the transition from print to electronic, all of a sudden the ability to ensure that their patrons are not being tracked and that that information isn't being reused and resold is much harder to deal with and really largely has to be handled contractually as part of those license agreements, and that's been another one that's been challenging for libraries to step up to. You don't always find, you know, sort of the kind of language you'd like in those license agreements. And so I'm very concerned with both of those scenarios and I'd like your take on these from the privacy and security.
And I think that's a key point of view, as well as perhaps your thoughts for how you could work with libraries, faculty, instructional technologists and others to get a handle on some of these challenges.
I don't mind starting. My world that you described is perhaps for me today the number one challenge, I'll be frank, as more and more of our institutions engage with third parties. It used to be, you know, all we have to do is sign a contract. And, you know, we all go our merry way. Today, I would suggest to all of us that that's the easy step. Now we have to manage the relationship between institution and vendor or institution and third party for all the reasons that you describe. And that is, as our suppliers grow in their capabilities and their desire to collect more and more information about us, we have to be on our toes and do all that we can to remain aware of what they're asking of our students or our faculty, or of ourselves. Each time we click on a web page or sign up for a new expanded service that sounds beautiful on the surface but underneath the surface, to your point, you've now given away your mortgage. I'm being facetious here but you get the point. And part of what I have done in response to that challenge is in our security program we have a vendor management program. And I've got a team, a team of individuals who spend a great deal of their time working with many of our stakeholders, our libraries and other parties on campus, to engage vendors from start to the end of our engagement with them, so from start to finish. We spend a lot of time going through their security posture trying to understand what they can do with our data once it's in their hands. But that's not the end of the story. Many of these companies grow over time and their services grow over time, their capabilities grow over time and their wants for our data grow over time.
And so our vendor management program has to remain in touch with these vendors through the course of the engagement with them. So it's not a one and done once you sign your contract, it is an engagement. And I think that our program is not alone. I think many institutions, and Brian maybe can speak to this, knowing some of the other universities across the country, many of them are grappling with the same challenge of how do we maintain our supplier relationships so that things don't go out of hand, that we're not inadvertently sending them more information than perhaps our original intent was. So you're hitting on, from my perspective, a substantial challenge for higher education. Now, having said that there's a challenge there, I'll see light at the end of the tunnel. We're a community that often shares information and we're quick to do so. When we find a bad actor, and I mean that in the right way, a vendor who's maybe not working according to plan, we have no qualms about sharing that information with our peers. And between all of us, we often, if we do our jobs well, can put pressure on vendors to self-correct before things get totally out of hand. The word that comes to mind when you were describing the scenario was vigilance. We have to maintain vigilance when we're dealing with a lot of these third parties. I'll stop there. Brian, Kent. What are you guys
And I would just, I would echo Cheryl. I think what we're hearing and seeing in education, I mean, we're looking at creating sort of a vendor risk management program to help sort of with the extension of the HECVAT that provide a resource that students can look at. And I know Kent may talk about this as he co-chairs our CPO group, the sort of, you know, the questions that you're managing right now with regard to security and third parties and vendors.
I think that's important because it all ties back to that awareness that we started with, right, is raising awareness of the stakeholders of the institution to be asking those questions and have that tempo to manage that, so I think you're on the right track.
Okay. Kent, we can't hear you.
We agree. I have to say I, I wish I had a team like yours, Cheryl. I wish I had a team, period.
It's not big enough, but they're, they're working hard.
So, so completely agree in every way that the whole supplier management, vendor management issue is so forefront today, particularly in terms of the data. We had one other piece and that's the fact that exactly the kinds of practices and uses of data that we decry in our third party partners, we often do ourselves within our own institution in terms of use for predictive analytics, in terms of student success initiatives. You know, we use all the same data, because we feel it's ours. I think it's in fact a more complicated question because over the last several years I think we've proven that student data is a valuable asset. And that's why there's such a big fight over who controls it, who owns it. And, but independent of the ownership issue, you know, we can identify at least three sort of cohorts who have vested interest and certainly the supply of the third party, our own institutions and the students themselves. You know, they're the subject matter, they're the creators of the data in some sense or at least the data is created about them. And surely they have a vested interest in how their own data is being used. So, you know, I think it is a more complicated question, because internally we use this data for all sorts of reasons that students may or may not agree with. You know, they may or may not agree that they want to have a student success initiative applied to them.
It appears coercive for example, or if you can't prove to them that the algorithms that are being used to make predictions are not biased or not extending bias that we already have. So just adding layers of complexity here to this whole issue of how we use data appropriately, and that applies to us as well.
Isn't that, that's really, that again, you've put a whole added dimension on this. That is very helpful. I, we've got about 10 minutes left and I think we better open it up to the attendees here and allow them to raise a few questions. Please put it in chat, put it in the Q&A box, or if you want to ask a question by voice, I can make that happen as well. And here we have our first question. Thanks for an excellent talk. Here at Lehigh we have a merged organization, libraries reporting to the same VP as the CTO and CISO, a useful, an interesting and fruitful structure. But still, I often think what folks like you think about us. Is this kind of merged organization a good idea? Cyber security is going to be a growth, sort of a growth area, a more central area for higher education. Is this going to start constraining resources that libraries can select? How do we scale up to handle this kind of set of demands and threats? And are there national structures that are liable to be helpful here? So that's actually a lot of questions. I'm sorry.
Well, I'm just going to say openly I don't know of any other organization that's configured in the manner described but I'll say on a personal level, I work very closely with our chief librarian. And in fact, she's done a remarkable job of helping the institution begin to think about another concept, that is data management. And through her work, we have privacy, security, librarians and others talking to one another about our arenas. And I think the conversation is wonderful.
It doesn't really address the reporting line question but I'm just sort of teasing out the reporting line question and asking myself, is the conversation worth having, and the answer is absolutely yes. Before coming to Davis, in the early stages of my career as a CISO, I spent a lot of time with our librarians and learned quite a bit about their area, which actually, when you think about it, there's clear differences but there's some parallels in what our librarians were trying to achieve and what I was trying to achieve as CISO. And in fact, that relationship, or those relationships, worked out equally beautifully, because I could see and highly respect the work that the librarians had to do in order to continue to keep an environment that was open yet, you know, well managed, put it that way. I don't want to use the word control, I want to use the word managed. If I could tease out from that question, is it good for these three individuals to converse? The answer is absolutely yes. Whether or not they're reporting to the same person or in the same group, I'm not sure if that matters as much to me as whether or not that conversation's taking place at all. And it sounds like it is, so I think it's a good thing. Brian, Kent, you want to comment on that?
I was just, I was trying to read through that question as well. I think, you know, obviously the information security report was sort of in some areas of one version of potential future, right, it's not a predictive, it's a report that highlights potential future, so I think that growth scenario was really around to some degree just the importance of both, and it wasn't focused on privacy, was more information security, although they weren't sort of uniquely separated. It does show sort of, I think there was a question about national infrastructure, we at EDUCAUSE are always working with cybersecurity infrastructure security is administration system.
And the FBI and others to try to make sure that higher ed is included in those conversations. That higher ed will be designated a critical infrastructure. Anytime soon it would give us some national protection, that's a, that's probably another webinar for another day so I'll sort of leave it at that.
Yeah, and there are certainly a number of key national structures like REN-ISAC, I can think of that nature. You want to comment, Kent?
I think Cheryl and Brian have covered it all.
Okay, let me move on to the next question. And it's a more pointed and in some ways easier one. How concerned should universities be about foreign government cyber threats and what threat vectors are most concerning?
Oh, I, you know, I have to sit back and take a deep breath. I am on a personal level very concerned as the CISO for UC Davis, very concerned, and emphasize the word very, largely because of the scope of our presence across the globe. Most of these institutions, ourselves included, we have a global presence. While we are physically here in the state of California, we're literally all over the world. It just makes for a path into our environment in ways that many of us cannot begin to imagine. We are seeing, and Brian probably could speak to this as well, that across the nation there are some global tensions that are manifesting themselves in cyberspace and universities are not immune to being caught in the middle of some of these conflicts. It's not going to be as delicate as I can be. But the short answer to the question is, we should be concerned. The response to that concern would be, we should be aware, and we should have practices in place to accept the fact that we're in a new world, a different reality. It doesn't mean we stop living, stop opening up our libraries to even foreign patrons. It just simply means that it's a slightly different dynamic that we have to contend with. And believe it or not, we are so concerned, yes, but we're working on it. Brian.
I would echo everything you said, Cheryl. I think that, you know, I was on a call yesterday with the federal student aid administration and I said, you know, very much what you just said, the higher ed is working on it. And, you know, we are doing things, I think we'll continue, education will continue to do that. I think awareness, I keep coming back to awareness, right, and our role in education and on each campus is to raise the awareness of those threats, to make our constituents aware of that, and what remedies they can take, so, you know, being recorded and, you know, being careful around the threats. I think I echo everything, Cheryl, that you put forward.
I'll answer the second question, the threat vectors that are most concerning. There isn't a one split that way. As a CISO I have to look at the broader picture. And I think to our institution, no matter where the institution may physically be, is a threat vector for me, and it will concern me. So if we have someone in Timbuktu, I am as concerned about their welfare and their security capabilities as I am somewhat as concerned about someone here on prem. As I said, we often hear about these advanced nation state attacks, oftentimes the threat vector still remains email, a simple email starts that chain and in process, so that still remains a viable threat vector.
Here's one that I think is quite interesting and I'd love to hear Kent and Cheryl's view on this. What are the skills that you wish principal investigators and researchers would focus on in areas relevant to your work? Kent, would you like to start?
Sure, it's true, I think when we're talking about how you give training and awareness or even awareness to the researcher community, you do have to take a different approach than the rest of, say, the institution, and in fact, I'm just going to put in here a link to, I hope I didn't close that question accidentally, to a program. It's called Trusted CI.
It's an NSF cyber center of excellence. And they do spend, I mean, a lot of their focus is in fact on how do you do security, I think, effectively within an academic environment and a research environment, and this particular link I sent is about the Trusted CI Fellows program, where they're, you know, taking people of all backgrounds and giving, you know, elevating them in terms of their security knowledge so they can become ambassadors really back to their own research communities. I think a really interesting, and well, personally I have a vested interest because I got to speak to them. I don't mind about privacy, since this is mainly about security, but I think a really interesting program, and I'm sorry it's only, you know, it's such a small cadre every year that they can accept.
I should just mention that Trusted CI program broadly is really very good and has put on a number of wonderful webinars that are open to anybody who's interested and I would urge you to look at them if you're not familiar with their offerings. Cheryl.
I think that I spend a lot of time with our research community and will likely end up doing more so in the near future. I think we touched on regulatory compliance obligations early on in our talk and I'm beginning to see, and I think some of our PIs are beginning to see, that this new swath of regulations is hitting them pretty hard and fast and furious, in many, many ways. I really appreciate the question because it would be the first question I would ask: now how do I get started, how do I get my arms around all of this? And I think, for me, I would probably approach this in multiple dimensions. One is, to Kent's point, there are some pretty good resources out there. So the earlier comments about Trusted CI, I've worked with that group as well and I think some of the materials are fabulous and just readily available online.
The other thing I would do is to engage in the conversations with your CISO or your CPO, and just, you know, talk about what you're doing from a research perspective or what you'd like to do with your research. Let's, again, as I said early on, figure out a path forward before we find ourselves, you know, in a sort of emergency crisis situation, you know, try to answer questions that perhaps we could have anticipated. And then lastly, I would suggest is, you know, not trying to solve this problem yourself. I fully appreciate the work of many of our researchers, our PIs, even our postdocs and others. It's a heavy lift to do something so incredibly new and different. Perhaps the last thing you want to think about is security and privacy and controls and risk and all the stuff that I do. Perhaps maybe an easier approach would be a conversation. Allow me and my staff and staffs that I can pull together, you know, help you figure out how best to protect and secure your infrastructure. To say it a little bit differently, a conversation and a collaboration might be the first step I take as opposed to trying to figure out all the answers to these questions by yourself.
Well, we are a little past time. Let me just thank you all for a wonderful panel. This has been very informative. And I think our attendees have learned a lot here. I hope, as I said at the outset, that this can be the start of a conversation and I would welcome any or all of you back in future to continue aspects of it. I would also welcome and be happy to facilitate any outreach that you would like to do to the CNI community to gain more information or insight or thoughts on developments as we go forward. So with that, I'm going to declare the session finished with my heartfelt thanks to all three of you. It has been such a pleasure to be able to do this with you.
Thank you for having me. It's been a delight.