On the 1st episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with David Sherry, CISO at Princeton University. Princeton is one of the oldest higher education institutions in the United States, with over 8,000 students and 7,000 employees. Princeton is more than just a university; it's also a premier research center and, in many ways, a small city, so keeping its environment secure is complex. In this conversation, David shares his perspective on the unique challenges in protecting Princeton, security in the modern cloud era, and the exciting yet frightening potential of ChatGPT.
Princeton requires a unique approach to cybersecurity because collaboration lives at the heart of what drives success for the students and faculty of the university. David describes overseeing security architecture, operations, risk assessment, training, awareness, disaster recovery, business continuity, and compliance. "Our Architecture and Security Review looks at new technologies coming into Princeton, assessing them for risk and security." By emphasizing programmatic and cultural approaches, David aims to ensure that security is a top priority in every aspect of Princeton's operations, from personnel decisions to technology implementations. "If we can teach them about security from 8 am-5 pm, they'll be thinking securely from 5 pm-8 am as well." The balance between security and accessibility highlights the contrasting considerations needed to provide the necessary protection for Princeton. "We get outside influences. We've got the freedom and the collaboration. And the intellectual property aspects we have to worry about. We have research on really cool life-changing and world-changing decisions that could be made that makes it a really complex environment." As CISO, David must balance security while allowing students and faculty to innovate and experiment.
While he's been in higher education since 2008, David also has extensive corporate security experience, serving in several senior security positions at Citizens Financial Group. David highlights the similarities between working in higher education and the parallels from his prior experience in corporate environments. "The one unique thing that separates higher education from a more corporate environment is the openness and the academic freedom. If there's research going on and they have money in their grant, they can hire an IT administrator, buy their own hardware, and put it on our network." However, there is no shortage of challenges to supporting an environment that is dependent on being able to share amongst so many different staff members and students. "We have our administrative network, we have the research network, which is highly controlled and secured, but still has a lot of flexibility and freedom to it. And I need to support that."
Throughout his career, the importance of collaboration and accessibility have driven David's approach to security. He reflects on the years of experience gained from being an advocate for cloud computing and how understanding protection allows you to embrace change: "You should treat the cloud no differently than you treat your data center." It's a message he's championed since 2004, before today's explosion in SaaS capabilities. Understanding the constraints of emerging technologies allows early adopters to operate successfully within their frameworks. Today, David is looking toward the current wave of AI technology and how to utilize it best to enhance Princeton's security protocols. "How can the brave new world of artificial intelligence make us smarter for our spend, resources, and responses to be better?"
One area where David thinks AI can provide critical defensive capabilities is the weaponization of multifactor tokens. He explains, "We've recently witnessed the weaponization of taking over token codes for multifactor. It's like a man-in-the-middle attack and then cloning the token and bringing it back into a personal browser or a burner phone and imitating the person, which bypasses all of our security. That's an area that AI and ML have to help us in because there's almost no defeat from that until after it's over." As attackers begin to utilize tools like AI to launch attacks, forward-thinking CISOs should plan how to harness the same technology to defend against them.
As AI capabilities increase, David cautions that with the recent wave of excitement also comes the need for vigilance, as the widespread adoption of such technologies introduces new risks, threats, and bad actors that security teams must manage. "When we first heard about ChatGPT, the buzz on the university was, 'Wow, what's this going to do to admissions essays and writing a thesis?' I'm the crazy guy saying, 'What if somebody uses ChatGPT to unleash a threat that can't be detected?' I'm a little bit concerned about the negative uses of it." Today's CISOs must expand their understanding of a constantly evolving landscape moving at a breakneck pace when planning defensive strategies.
In the face of these evolving challenges, David emphasizes the importance of continuous learning and adaptation within cybersecurity. He highlights the need for CISOs to stay updated on the latest trends, security tools, and mitigation strategies and foster a culture of security awareness among all stakeholders. "This is a team sport. Don't overestimate that you need every tool under the sun." By remaining committed to learning, CISOs can better navigate the dynamic landscape of cybersecurity and protect their institutions' environments.
Listen to David's episode here and read the transcript here.