Good morning. I hope everyone enjoyed that keynote by Ms. Pearson. Very enlightening. First full day of our Security Professionals 2014 conference. My name is Hunter Ealy. I'm the CISO for Tulane University and a member of the 2014 program committee. So on behalf of the committee, welcome to the first full day. Don Faulkner is the presenter. He's been with the University of Arkansas for five and a half years. And started the first CISO. Started as the first full-time CISO for University of Arkansas. Is that correct? A year and a half ago. So we welcome Don to the first presentation of the day. Thank you.
Alright, so good morning. Thank you all for coming. I'd like to say hello to the web audience as well. Hope you all enjoy this. I'd like to begin by talking about something that has nothing to do with my job, and that's the slide that you see on the screen right now. We're here to do education. Security is important. But at the end of the day, if we're not inspiring some students and helping them to be their best, then we're not doing our jobs. I had a wonderful opportunity to play with a Tesla coil in front of a bunch of middle schoolers last week. And I had a blast. They had a blast. And I will tie that into my presentation in a moment, I promise. But I want to really encourage you, if you have an opportunity to get out into your university and work with your students there, or to work with other students in high school and middle schools and junior highs throughout your community, do so. You will not regret it. I promise you. So my talk is entitled Zero to CISO in 60 Seconds, and that's about what it felt like about a year and a half ago. We've been on a pretty wild ride. At least that's what it's felt like over in my department. I'm not sure that everybody else on the Central IT team and on the departments across campus would agree with me that it's been wild. But it has certainly been interesting.
My goal is to tell my story and to talk about some of the challenges that we've had. I can't promise that the solutions that I've developed and the ways we've approached the problems will work for you. But at least it will give you an idea of some things that work for me and maybe that'll spur some imaginative thinking on your part. So I am relatively new to higher ed. I've only been here about five and a half years. I have done InfoSec work since the mid-90s. That's all been in the private sector. I was a consultant for Rainbow Technologies, which is now part of SafeNet. So I've worked for federal, state and local governments. I've done work for big business. I've done work for small business. Pretty much every level in place. While at Rainbow, I was a Chief Security Officer for one of their divisions. So this is not a new thing to me, although it is new in other ways. Let's talk about the U of A for just a minute. The University of Arkansas, it was founded in 1871. We have an annual budget of approximately $500 million. We are the state flagship. And so the photo is Old Main. This is the oldest building on campus. And we're still using it for classes today. It's a beautiful building, and that's the face of the University that you're most likely to see unless you're looking at a Razorback. We have about 25,000 students, 4,500 faculty and staff. We're working towards some higher goals as far as our research arm is concerned. But we're already rated a best value for education by a number of different reviews. The photo here is of our Northwest Quad. This is one of our newer student housing facilities on campus. It holds about 600 students. I guess I would call it a mid-sized campus, 300 acres, 100 plus buildings. The numbers are old because we've had a building boom in recent years, like the building that's here. This is our nanotechnology facility. These are the guys who gave me the Tesla coil to play with, and they have some amazing gear there.
They're one of my success stories that I'll talk about here in a little bit. So we'll just go straight into the point of the presentation. My predecessor's title, I mentioned my predecessor, Scott Finley, is in the audience today. Hi, Scott. He's the reason I'm CISO. He left me for greener pastures at the University of Alabama at Birmingham. And when that happened, I was magically offered the title of CISO. You might wonder if maybe they were afraid I was going to leave too. I do think that when they offered me the title, they didn't necessarily realize what that meant or what I might do with it. Sometimes your management is not always prepared for you to act in the capacity of a chief officer of anything, let alone information security. And so they're going to be surprised when you start making decisions that are appropriate to your level. So as the slide says, not only was it my first day as CISO at the University, it was also the University's first day with the CISO, and that was the beginning of a bumpy ride. How did it change things? This is our old org chart. You can see us down there at the bottom. I've changed the names of our groups not to protect the innocent or guilty, but because the names don't always accurately reflect what they do, and I thought that would be more useful for everyone to see. We were embedded inside of a group called Tech Services that was responsible for the data center, the mainframe, open systems operations, databases, and things of that nature. And so if I was going to cross that line and go over to our network team or to our enterprise Windows team or to our student information systems team, I had to get permission. I had to clear what I was going to do to a certain extent. And there was, you know, there's always that political concern of, you know, are you crossing lines in an appropriate fashion? Here we are today. There's been a small amount of reorganization.
About six months before I became CISO, we acquired a new chief information officer as well. Our old one retired and our interim became the permanent CIO. I'm now part of his direct report staff and other organizations have been broken up as well. That gives us a little bit more autonomy to move around within the central IT organization. And it also helps with our visibility on campus quite a bit. So that's what happened on January 1st. This also happened on January 1st. It's a wonderful thing to see the horizon. It's not so wonderful to be alone in the desert and that's really how I felt for about four months. We had two positions that needed to be filled and I was sick half the time because I was trying to do it all by myself and I'm not exaggerating. I literally was sick, ill, away from the office and that didn't help things at all either. We started hiring people and I'm going to be selfish and claim the role of Mal here. I'll let you guys figure out when you meet my staff which one is which there on this photo. But it took them time to adapt to being in a security organization in higher ed. It took them time to adapt to how things work at the University of Arkansas. So we were about four or five months in before we were really operationally effective. Until that time we were marking time trying to get things done. We were very reactive in our strategy, if you want to call it that. And this is one of the biggest problems that we inherited because information security had been deep down in the org chart. Every team inside of Central IT had decided that they were themselves responsible for information security. So we had this jumble of people trying to do our work on their own team. And in some ways they did a great job. In some ways not so great. And I think the biggest problem is there was very, very little coordination between those teams of what they were doing.
Sometimes people would just approve firewall rules because, well, somebody asked for it, so let's approve it. Maybe the security configuration of servers was not what it should have been. But you know, whenever you talk to people you get a unique answer from them, and that was that, well, I don't need to be involved with information security because they have it handled. So I can just go back to my office and do whatever it is I do. But aren't I doing information security? So we had some problems to work out there. The biggest one was this fear of the central authority of information security. Oh no, Don's going to make us do something that we don't want to do. We were really trying to make this a new strategic initiative for the campus. And nobody on campus was used to thinking strategically about information security. That's what it's been my job to change over the last year. So one of the biggest ways we do that is this slide right here. I view and I encourage my staff to view, and I think if you talk to my staff who are here this week they'll tell you the exact same thing. We view everybody on campus, from other departments inside of central IT to nanotech to different colleges to business affairs. Everybody is a customer and we treat you all like you are important, like you are an important customer of ours, and we want to build that customer relationship with you. We do this because we don't want to be the doctor with the needle. You know, when you have your kids and you take them to their doctor, they don't want to go. And the reason is every time they do, here comes the nurse with a needle and they're, "I'm going to get a shot. I don't want that." Well, that's how your groups across campus see you. You are the doctor with the shot. Oh no, you've been hacked. We've got a virus. We have to wipe this hard drive. We're going to have to impound this. We've got to shut off your printers. Whatever it is we're doing, all we're doing is inconveniencing our staff.
And no one's going to want to talk to us. I was, I was invited over to our housing environment. A few months ago we were starting an RFP for a new, for new housing software. We had a set of IT for housing and after I left he told me that everybody came into his office and said, why was Don here? Are we okay? Was something hacked? What's going on? Eric was very, very smart about this. His response was not to calm their fears. He said, why? Why are you worried about that? Is there something I should know? And so I came back and we had a more friendly conversation and we had a fun time. But that's what, that is the perception of information security across campus that we've been trying to deal with. So we ask a bunch of questions and our goal is to make you feel at home, make the different departments really feel like they can trust us and they can come to us with questions. And we're really looking for opportunities to help, to help you guys and shake our fingers at them. We've put together and I'm sure this list is going to grow over the next year or two. We've put together a set of tools that we can hand out to people as, well I'll just say that we think of this as a toolkit for increasing customer engagement. I'll talk about the first three, Splunk, Certificates but our goal here is to provide tools that the customer on campus, whatever that department is can use and so that they come to us and ask for help because they know that we have tools that can help them. We serve as a liaison to our local FBI office and other law enforcement. That's a big help because you know, if you work in the history department, the history department was the scapegoat in my last session yesterday, so I'll continue with that. If you're in the history department and something bad happens, chances are you've never dealt with the FBI. You've never dealt with that kind of law enforcement before and we can be an assistant at that point. 
We have encouraged the development of cross-team participation within Central IT. That was actually a new thing. The idea that I could go and spend a day with the help desk and learn how the help desk does their work or go spend a day with the network team or they could come and spend a day with us. That idea of crossing boundaries in the org chart was a new thing and so we've jump-started that. That's not only helped us, but other departments across campus have taken that up as well and they've gotten a lot of positive outcomes of that as well. So let's talk about a big win I had. I said I'd talk more about nanotech and here it is. The nanotechnology group came to us and asked us for help moving data securely. How many people here have various expensive instruments like microscopes and x-ray spectrometer things and things that I don't know what they do on campus. I'm guessing that over half of the people in the audience I think and I'm guessing on the web that's about the same. We have an 8 million dollar scanning electron microscope and I think it runs Windows XP. I can't put that on my network. I couldn't do that before and even when XP was current I couldn't do that because the XP workstation that runs that microscope cannot be hooked to the domain. You cannot update the operating system. You can't install patches. You can't install antivirus. You can't really change that system in any way because the slightest thing might break the driver and then you've totally broken a million dollar instrument. So if you can't put them on the network how do you get the data off these machines? So what we built and the other thing that made this interesting is we have industry coming in, local startups wanting to use all their wonderful gadgets and they were worried that company A would see company B's work and beat them to the patent or something like that. We built a very simple design that's made them very happy so far. The pilot is going to progress when we get home. 
Essentially it's a private network that connects the instruments to an isolated file server and another private network that connects the file server to a VPN. So you can get your files to the file server and then you can go home and get them off. And that seems like a very simple kind of thing that you might put together as far as an infrastructure design goes, but just working with that team has made huge differences across campus for us and for them. And it wasn't all dull work either. I'm going to toot the horn of working with STEM in middle schools again. I was asked, because my son is in that school, to go and participate in this STEM expo, and I brought some fiber optic cable. I brought some computer things, but I realized that would be a little bit boring, so I called my friends that I had made in Nanotech and they gave me the Van de Graaff you see here. They gave me the Tesla coil you saw on the first slide. They gave me rail guns and they gave me 30 liters of liquid nitrogen. And I made frozen Cheetos that made smoke come out of your mouth and I had so much fun with these kids. I was easily the most popular table at the expo and I'm not one bit ashamed of that, because every time I did something they were all grinning like this. And I know that we had some people very excited by the time that we got done. Would I have been able to do that if I hadn't made friends at Nano? I think that question answers itself. Okay, so let's talk about InCommon certificates. We were, like most universities a few years ago, buying certificates piecemeal. We've been able to convert over to the InCommon certificate platform and we now give certificates away for free to anyone who asks for them on campus. The numbers on this slide speak for themselves. $15,000 investment has yielded $25,000 in actually issued certificates at this point, and that doesn't count all the certificates we had to reissue because of Heartbleed.
We're looking at taking it even further into the realms of personal certificates and how we might participate at a system level or beyond. If there's anybody in the room who is with InCommon, I'd like to talk to you after the session as well. But this is a great example of a carrot that actually works. The moment that people realize they could have certificates for free, we started getting requests, and we get five or six a week now. We're able to turn those certificates around in generally two hours or less. It's very often 30 minutes, but it just depends on when we get the email for that. I think that's made campus very happy. We are a Splunk customer. We use it internally in central IT for security audit logs, Exchange logs, and of course the things you'd normally imagine that we do. But we do something else with it. We take this out to the departments across campus and we invite them to bring their logs into Splunk. The idea that we have here is, if you share your data with me, I will share my tool with you. All the departments across campus, if they share their data, they can have an account in the Splunk infrastructure. They can use Splunk's really wonderful tools to do data analytics on their data. That's won us a lot of friends as well. One really good example of that is our Blackboard install. The gentleman who runs that is a fellow named Chris Bray. He is a Blackboard MVP, and I think the reason he is a Blackboard MVP is because he did this wonderful presentation about how to use Splunk by reviewing the Blackboard logs. So that's an amazing thing that we can do right there. And then Shibboleth, which we have branded as Central Login. We started this because we knew we needed identity management, and yes, I know that this is not identity management. I spent a long time convincing everybody else that this is not identity management, but this was our first step down that road. We sort of put the cart before the horse, but it's been successful.
We have people now who are asking to be included in our web single sign-on environment. And we can bring them on board, as long as their application is ready for it we can bring them on board in about half an hour. And that's, it's a pretty good service turnaround, and it's also won us a lot of friends. When I go home I'm going to wrap up our identity management program, and I think Shibboleth has really contributed to that program being willing... Shibboleth has contributed to the departments across campus being willing to talk about identity management after four years of me saying the words over and over again. There have been, of course, a few problems. Nothing's ever perfect. I need to share the setbacks with you, because this is really what you need to hear. The biggest problem is that I get distracted very easily. I have a problem answering my email, usually because I'm too busy doing real work. I'm a CISO with a staff of two below me, and so a lot of the work that I do is still promoting development assessments, things of that nature, and I love that kind of work, but I need to be moving more into the strategic level of planning and organizing how the security infrastructure for campus is developed on a policy level, and I haven't been able to do that. It's one of the reasons I'm hiring an architect. I have that position open. I've requested several new positions for the next hiring cycle. We'll see if we get them. Maybe we will, maybe we won't, but we've got to grow the ability to execute so that I can get out of that job and start focusing on the strategic level of things. Another big setback for us was the reputation of information security across campus. Partly due to the fact that I don't answer email as well as I should, and partly due to that concern over what's my role versus maybe the Windows team's role with respect to information security, there was this reluctance in central IT to really work with us.
It's really funny, I have a better reputation on campus than I do in my central IT organization. Now that's slowly changing, and I think now I would say that this was very true as of December last year and it was still true January, February. By now I would say that that reputation and my ability to work inside of central IT has really improved, but it took a concerted effort on my part to reach out to the different team leads across central IT and to work directly with them and to encourage them to let me help. It's funny, the moment I started doing that I got good questions, I gave sensible answers and people started listening to me. But that's really the answer, is you got to stop trying to force your way, or I had to stop trying to force my way into things. I was asked to help with some of our phishing problems, and one of the ways that we, when I was asked to do that, we realized that we didn't have any of our email logs coming into Splunk. So I went to the Exchange group and I said, "I'd like to collect Splunk's email logs," and their answer was no. And I got upset and I said, "You know, I'd really like to collect the Exchange email logs." "No." I got hotter under the collar at this point, and I was convinced that I'm the CISO, they should let me do that. And you know, if I had gone to the CIO and made a stink about it, he would have told them to let me collect the Exchange logs. Instead, what I did is I stopped and I said, "Why don't you want me to collect the Exchange logs?" And we had this big long conversation about how something had happened in the deeps of time and they were still upset about it, and nothing to do with me, but they didn't want me to collect the Exchange logs. And so we had this very careful negotiation about, can I collect a few of them? And so we had, so we worked this out, and it's been a process of growing trust. We collected a few logs and we gave the Exchange administrators access to Splunk, and their eyes lit up and they started giving us more logs and more logs and more logs,
and so now we have full Exchange view in Splunk and we can tell when bad things are happening. I could have gotten there by just going to the CIO, like I said, but now I also have goodwill. So here's what's up next for us. I've talked about asking for new staff, working on identity and access management. We also have a policy rework in front of us. I was asked to draft new security policies for campus, and I've been given permission, and I assume that permission includes funds, to conduct the first outside comprehensive assessment of security across the entire campus. We'll get to FISMA and SANS Top 20 when I get past those, but hopefully those will start this year as well. So, lessons learned from my side of this. Everyone knows the quote: "Never give in. In nothing, great or small, large or petty, never give in, except to convictions of honor and good sense. Never yield to force. Never yield to the apparently overwhelming might of the enemy." That would certainly apply to us in our role as defenders against the attacking hordes. It also applies to us because we need to be stubborn. When I first brought up identity management four years ago, I was told, "That'll never happen. Find another way to do the thing you need to do." And so I dutifully found another way to do the thing I need to do, and it didn't work. And then I looked for another way, and that didn't work either. And we kept trying to do that thing that had caused me to bring up the topic of identity management. But throughout all of that I kept bringing up identity management as a topic, and what its benefits were, why we need it, and where all the problems were. Scott and I had this game where we tried to go a week without saying identity management. I have still not gone a week without saying identity management, legitimately. And that stubbornness has served me well, because now when I go out to campus the people across campus are saying to me, "Gee, I wish we could have some identity management." Well, there we go. It's time to do it. Phineas and Ferb are
going to do it all. Not us, not me. I can't, I don't have time for it. I can't do everything that everyone wants. I can't even do the things I'm supposed to be doing right now, so I'm not even going to try. The lesson I would give to each of you here is learn to let go when you need to. If you let go of something, let go, and let somebody else feel the weight that you've been carrying of whatever this thing is that is a burden, and go ahead and let go. Now, I'm not saying just drop things on the floor. Use common sense. But if you have a significant problem maintaining all the ducks in your row, let one fall off the end. Do it in a constructive way, so that other people see that you have capacity problems, that you don't have the team, that you don't have the resources that you need to do everything. Do it in a way that makes people aware that the duck is going to fall off before it ever does. Maybe that will get you the additional support that you're looking for. I'm not saying be mean spirited. Don't be passive aggressive about this. Be clear about your intentions, but don't think that you have to say yes to every request that comes down the pipe. If you do that, you're going to be overworked, sick and never in the office in the first place, and I can speak to that from personal experience. The best time to make friends, either inside your organization or outside your organization, is before these guys come knocking at your door. Now, we know they're always knocking at your door, but there's a difference when it's quiet. Learn who your friends are here. Learn who your friends are on campus. Let them, give them the opportunity to trust you. That's a large part of what I was talking about earlier. If I build the trust of organizations across campus, then when something happens they're more likely to come to me and say, "Hey Don, there was this odd thing that happened to me." This actually happened to my general counsel. He called me the other day. No, he didn't call me. I was in a meeting and he was present as
well, and at the end of the meeting he said, "So this weird thing popped up on my screen the other day while I was at home," and we talked about it for a moment and I was going to get resolved. I think it's going to turn out to be nothing in his case, but he actually asked me the question. That's pretty good. I think that's a big win. Here at EDUCAUSE is another great place to meet your new friends, to meet people that you can call on for help. I'm going to take a couple of minutes and plug REN-ISAC. I'm not wearing my badge, but I'm a REN-ISAC member. If you are not, I would encourage you to investigate that organization and see if it's right for you and your school. There's a lot of good information that comes through the REN-ISAC channels. One of the best parts of being in REN-ISAC is when I notice something that looks odd, I can reach out into that network of people and I can ask a question. I can say, "Hey, has anyone else seen this strange thing going on on my printer?" or "Has anyone else heard of the Free Syrian Army?" or "Has anyone else heard of this?" And I get those questions too. And so the ability to have people you trust, that you can pick up the phone and call somebody and say, "Hey, I know you're at a different campus than me, but I need your help," and they're going to help you. I can't, I cannot overstate the benefits of having that kind of organization. They're not the only ones. The FBI sponsors InfraGard. There are other ISACs out there that will work for you. Network, in the best sense of the word. It's always good to have something free to give out to your customers. I'm not a Breaking Bad fan, but when I did the Google image search looking for a good image to put up here, I typed in the words "free candy" into the Google image search and I didn't get something I wanted to put up here. I'll leave that as a challenge to each of you. If you'll search Google images for free candy, you'll have a good time, I guarantee. But you have to have a reason for people to want to come and talk to you. I wish
I could give out some blue sky. I don't think I could do that, but I can give you Splunk, I can give you a certificate. That's pretty good, and that keeps people coming back. And remember, the first taste is always free. This is something that one of my, one of the guys on my team said, and I thought it was so good I stole it. If you can't see the slide here, this is a man eating alone, called "Never eat alone." And I think that speaks perfectly to the problem we find ourselves in. I'm the worst at this. I will sit at my desk and eat the meal I brought from home while I'm reading email and catching up on things. That's okay, we have to do that. But find a reason to go to lunch with somebody at least once a week, and don't spend the time talking about InfoSec and security and firewalls and this. Let them talk about what's going on in their world, because your job at this point is to learn about what matters to them. Learn how you can help them do a better job with their things, but do it in a secure manner. That's what we did with Nanotech, and that's what we try to do with other organizations around the campus as well. You're there to listen, and that acknowledgement to listen is so important it bears repeating. The worst thing you can do is to walk into a meeting thinking you know the answer. If you don't listen to what's going on in that meeting, you will get it wrong, I guarantee. You have lots of great tools. I have lots of great tools. The trick is finding out how to put them together in the right way for the problem at hand, and you're not going to know which of those tools work until you really sit down and dig in. And we talked to Nanotech. We went through four or five very lengthy meetings trying to understand what their problem was specifically, and then we came back and we tried out two or three different designs using an open source toolkit. We tried a Windows toolkit. We tried SharePoint. I can't remember all the things we thought through and brainstormed as a possible solution for what Nanotech
wanted to do with their file mover. But it would have been very easy for us to just come into Nanotech and say, "Okay, here's the solution," and I think if we had done that, I'm pretty sure we would have gotten it wrong. So I'm the first CISO at the University of Arkansas, and I'm going to ask for a show of hands. How many people here are the first CISO at their institution? That's about half. That looks about right. How many people have been in the CISO role, new or not, for less than two years? That's fewer, maybe a third. When you started as the first CISO, your university didn't know what security strategy was. That was your job to build. When you, if you were new in that job, chances are you didn't know how to work inside of your university's infrastructure. Even if they already had a security program, there's learning on both sides here. You have to build something that works within the confines of what your university administrative system does. You also have to build something that is actually secure and actually does what you are supposed to be doing. You're trying to navigate both of those problems at the same time. Your boss, whether you're reporting to a CIO or someone outside of IT, may not have a clue about what information security is, and it's your job to educate them. In my case, and in other cases where that role was created in there, you may find that you have peers who are not used to having security at the same table as them, and that's going to create some suspicion. Maybe they might be even hostile to that. I would suggest that returning hostility for hostility is probably not the right thing to do, but you do have to do something about whatever negative feelings you encounter when you are working with your new peers, because you're going to have to get along with them. I don't think you can change them, or I should say you can't exchange them for new peers. You can try to bring them around to your way of thinking. One of the hardest things for me to figure out initially was where do I
go to approve someone's time sheet. I've been a manager before, but not at the U of A, so I had to figure that out. I had to figure out leave schedules, how to do... The new fun that's coming up is my staff's annual reviews, and I have to get them done because they don't get their raises if I don't get their annual reviews done. So I have to figure out how that whole process works, and I have to figure out how approving travel works, and I have to figure out how to do bids, requests for proposals, things of that nature. Whether you've done them before or not in other organizations, if you're in a new role as management at your university, at your school, you know, you have a pool of red tape to wade through and sort out. And so lean heavily on the people who already know those things, and ask questions. Get outside of your organization. Don't just sit in your office and wander around campus. Come to presentations like this. Find your peers. There is a new chief security officer in Missouri, I can't remember off the top of my head which school, but I got this email where she is trying to build a conference of chief security officers that are all members of SEC schools. For some reason, what conference your football team plays in seems to have something to do with how you secure your infrastructure. And I make light of that, but it's as good a way to do it as any. Find opportunities to connect with people who are near you, who are like you and who aren't like you. Learn from them and let them learn from you. So when I say be a connector here, what I'm talking about is your ability to know people. I used to have this joke when I was in college: you better watch out, because I know people who know people who know Bob. And Bob was always this very scary figure in the back. You know more people than you realize, and I've discovered that for myself over the last year. I've had conversations with people where they've said something and I've said, you know, I should hook you up with my friend James, or I should
hook you up with my friend Laura. And by putting these people together, they're able to do things that they wouldn't otherwise be able to do.

I don't think I need to say anything here. Maybe I should, because the slide says talk. Come and give presentations. I'm not the best at it. I'm still learning. But I'm better at it than I was two years ago, and I'm going to get better. Speak at conferences. Talk about the things that get you excited. Have fun. If you're talking about a topic that doesn't inspire you, you're not going to inspire your audience. Hopefully I'm inspired by this topic, because I'd like you guys to be inspired. Write articles. I meant to put a little smiley face by publishing a blog, because I don't have time for that either. But I should be writing more.

What I will say about writing is write down your ideas. A very wise man, a good friend of mine who ran our state optical network for the last five years, said this to me recently. He said, you have really, really good ideas, Don, but you're not writing them down, and if you don't write them down, they're never going to happen. And so I, from that day forward, whenever I have an idea, I pull out my phone or I pull out my laptop. Whenever I have an idea, I pull something out and I write down what that idea is. And then I take the time to go and improve on those ideas. And I won't say that that's really had a lot of payback yet, but it has had some. I've been able to turn some of those ideas into that other people are now talking about. If I hadn't written them down, I know that would never have happened.

So this is pretty much my last slide, and I, I want this to be some sort of the overview of what I'm trying to tell you. I guess in management you're supposed to make life cycle diagrams, and that's what I tried to do here. The one thing in here that I didn't really talk about in a separate slide is that bottom box, is dreaming big. Whenever I meet with teams across campus or with anybody else, if we're talking informally, one of the things that I will
do is I will start dreaming, and I will tell them about the future and how I want things to be in the future, and that usually gets them very excited. Can I deliver on those promises today? Not a single one. That's not what I'm trying to do. I'm trying to show them where I see things in the future. If I'm talking formally, if I'm talking about a project that they want to do, I also try to be very careful not to dream, because then they'll think I can do that. At that point, what I want to do is keep it very real, talk about what we can do today and make plans, and we can brainstorm about the future later. But you've got to have both. You've got to be able to see the path in front of you, and then you have to be, and then you have to put your... You have to be able to see the path in front of you, and you also have to be able to pick your foot up and put it down. And those are two different tasks.

Make your friends where you find them, and do not be afraid to fail, because you're going to fail. I failed plenty in the last year, and I'm going to fail some more. The response, and this is why I tell my kids, are you going to fix the problem? Are you going to get better? And when you do, don't give up. Dust yourself off. Try again. We're all human, and we're going to get through this.

So this is me in a Thor helmet with a big hammer, and this is my name and my contact information. So that's the end of my presentation, but if there are any questions in the room or from the web, I'd be happy to answer them.

So, right. So for the benefit of the web audience, the question was, when my predecessor left and I became CISO, how did I become CISO? Did I have to apply for a position? Was I appointed? Was the position thrown at me in a desperate move to hold me there? What happened? I didn't have to apply. I was directly promoted into that position. They created the CISO position out of thin air and put me in it. I don't know if it was done as the hook to keep me there. I think at least in part it was. But I was just appointed CISO, and
on January 1 my title and my pay grade and everything else just changed.

So how did that appointment affect my relationships with the rest of Central IT? I think at the beginning that was a real problem. As I said, they were not used to having security at the same table as them, and there was some, there was some concern over that. A couple of other people who are now my peers had asked to have me moved under them when, when Scott left. I had a couple of different people say, well, he should come and work for me, or he should come and work for this other person over here. And I think there was this concern of, why does he need to be at the table if there's just one of him now? And again, that was that lack of strategic thinking on their part. How much of that was a worry over what I would do, I really don't know. But I think I was the unknown. Being new to the environment, only there for five years, they really didn't know what I was going to do, and they were pretty nervous about how I was going to handle myself if I suddenly became a direct report to the CIO. It's also interesting to note that I'm the only direct report to the CIO who doesn't have a director level operating title. I'm still a project program manager, which is like a step down level from everybody else, even though I'm also the only person besides the CIO that actually has a C in their working title.

Nope. Oh, I misunderstood your question. So the question was, did I have staff when I started? And the answer is, I had no bodies, but I had slots. So when, before Scott left, he had talked them into creating an additional slot. So there was me, he had an open slot, he left, and they moved me into the CIO role. Now we have two open slots. So I was able to fill those. I immediately pushed for an additional position and got it. It took me a year to get from getting that position approved to actually getting the position request posted, but now that position is out there as well. And I've since asked for additional positions on top of that. There was
another... Was this something else? Hiring good people, I think, is the biggest concern I have as far as the team is concerned. I think everyone here has the same challenge of not being able to pay the median salary point for the positions you have. We certainly can't. I did a study of what our salaries are compared to the median for those positions, and we're paying something in the 10th percentile, nowhere near the 50th. It's pretty sad. Now, I've been told by the CIO, if you find the right person, I will go to bat and get them more money. And that's good, I don't have a problem with that. But he shouldn't have to do that. We should be paying a competitive wage so that we can hire decent people. The, so what I have to do is I have to really go through those applicants and find the diamond in the rough who is there, who wouldn't otherwise show up. It's not like I have to choose from 50 perfectly qualified applicants. It's 50 applicants, two of which might be worth looking at.

Would you advise getting projects done where you need help from sysadmins and DBAs and tech support and training folks who already have their own set of priorities, and your security projects don't factor into a review? How do you get those projects done without quickly burning out your goodwill and asking for favors?

So the question is, if you're a team of one, how do you get anything done, especially considering you're going to be asking everyone else to do work for you and they don't report to you? Burning out your goodwill is the biggest concern, that I agree. We developed, and we still have, this network of people across campus who are kind of our eyes and ears in areas where we can't be or don't have the resources to be. When it was just me, and when it was just me and Scott, we used that network extensively. Again, that network was mostly, and is still mostly, outside of IT services. Inside of IT services, the best thing I can offer there is learn to be a project manager. Learn how to coordinate what you need and get the resources
you need from other teams. At some point you have to make a decision, not just you, but your institution has to make a decision that a particular project is worth doing or not worth doing it. Once they decide that spam protection or comprehensive antivirus or anything of that nature is worth doing, that's when you get the resources for it.

Anything else? Okay. Well, thank you very much for listening and for the very good questions. Appreciate your time.