Kim Cary, Pepperdine University's CISO, is on the front lines of the increasingly heterogenous enterprise technology ecosystem. Get ready: What he's seeing on campus today will make its way into your corporation tomorrow.
cio insight: How significant is the faculty and administration impact on the network, with respect to mobile devices?
Cary: I can tell you that they're sometimes more avant-garde with the devices than the students are. The first place where an iPhone showed up on our network was in the executive offices. Same with the iPad. The very first day these products were available on the market, they were on our administrative networks.
For faculty, we also provision their access from our identity infrastructure. Professors can be as "on the move" as their students. Their morning might take them to different locations very rapidly. From lab to having lunch with a student or a colleague to teaching in the classroom, often using their laptop or mobile [device] in each location. Moving from place to place, they don't want to waste time logging in to access the network repeatedly. Once a faculty member's device is registered, they can get back on the network without signing in again. We use the iOS profiles within Exchange 2007 Webmail to permit remote wipe of registered devices.
cio insight: Given that students and teachers -- just like professionals in private companies these days -- are so busy and need information so quickly, is it difficult to educate them about the need to keep security in mind? How do you counter the mindset of, "I just want the best apps I can get online as quickly as possible. Security is no big deal"?
Cary: To change that perception, you need to speak to them about these issues in a clear, jargon-free way. And you need peer-case studies to show the impact [that] poor security can have on their lives. In one of our training [sessions], for example, we show how a campus computer was taken over by a Trojan, due to simple neglect, and we let them see some of the information it sent to criminals in another country. We mask sensitive details, but we tell a true story. Then we talk about simple steps or behaviors they can use to help ensure that this doesn't happen to them.
I agree with CIO leaders who say that to get buy-in on security, it's important to break open the wall of secrecy that surrounds information security breaches. In an appropriate way, you need to share examples of security failures for computers on the network. Then users can understand their role and the impact those failures have had on productivity and trust in the organization.