On the 1st episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with David Sherry, CISO at Princeton University. Princeton is one of the country's oldest higher education institutions, with over 8,000 students and 7,000 employees. Princeton is more than just a university; it's also a premier research center and, in many ways, a small city, so keeping its environment secure is complex. In this conversation, David shares his perspective on the unique challenges in protecting Princeton, security in the modern cloud era, and the exciting yet frightening potential of ChatGPT.
Quick hits from David:
On the unique aspects of protecting Princeton: “We have our administrative network, we have the research network, which is really highly controlled and secured, but still has a lot of flexibility and freedom to it. I need to support that by being the compelling alternative to the security model, but if they choose to go another way, we just make sure that on the last three of the cybersecurity framework, ‘detect, respond, recover’ is a lot easier here.”
On Princeton’s long history of being a dynamic environment: “We don't say BYOD. We say BYODs because students can show up with 15 to 20 devices that they want to hit on the network. We also laugh that Princeton's been doing BYOD for 277 years except back in the day, they brought a musket and a shovel with them.”
On security in the modern cloud era: “I’ve never not trusted the cloud. But it's all about trust. It's about contracts. It's about visibility and making sure that if you move offsite, you still have some control, oversight, command response, everything that goes along with it. Why should I be paying the power and electricity when someone else can?”
On the potential of ChatGPT: “I don't think it's going to replace people. I do think it's going to be a sea change, not unlike the internet or the iPhone. It's going to change the way I think business acts and even how people can react to it as well.”
Recent Book Recommendation: This Is How They Tell Me the World Ends by Nicole Perlroth
Evan Reiser: Hi there, and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real world examples of modern attacks, and the role AI can play in the future of cybersecurity. I’m Evan Reiser, the CEO and founder of Abnormal Security.
Mike Britton: And I’m Mike Britton, the CISO of Abnormal Security.
Evan Reiser: Today on the show, we’re bringing you a conversation with David Sherry, chief information security officer at Princeton University. Princeton is one of the oldest institutions of higher education in the country, and has over 8,000 students and 7,000 employees. Princeton is more than just a university; it’s also a premier research center and in many ways, a small city, so keeping their environment secure is a complex undertaking.
Mike Britton: In this conversation, David shares his perspective on the unique challenges in protecting Princeton, security in the modern cloud era, and the exciting, yet frightening potential of ChatGPT.
Evan Reiser: Maybe to kick us off, will you tell us a little bit about your role at Princeton?
David Sherry: Yeah, sure. And, uh, once again, thanks for having me. My role at Princeton. Yeah. As the CISO at Princeton, I've been there about seven and a half years now, and I have university-wide responsibility for the entire, if you wanna say stack of the security mission.
I have security architecture. I have a security operations risk assessment, training and awareness, and also play a key role in disaster recovery, business continuity, as well as compliance and regulatory areas as well. The mission statement of my group is kind of unique. People when they first heard it, were kind of quizzical about it. We don't mention firewalls or endpoint security or anything like that.
We say that the mission of our group is “to make security programmatic and cultural at Princeton University in order for the university to succeed in its mission of teaching and research and learning.” The programmatic piece, meaning we should be plugged into every decision from hiring someone, to installing a new multifunction network copier, to letting someone go, and anyplace in between. We need to have some step as early as possible, and then culturally that people understand security is part of the success of the university, but also something that they should take personally as well. We think that if we can teach them about security from 5:00 PM to 8:00 AM, they're gonna be thinking securely from 8:00 AM to 5:00 PM as well.
Makes our job a little bit easier, so programmatic and cultural. We say that a lot. Our president quoted it once, so that was really cool too.
Mike Britton: I'm always interested in how people got into cybersecurity. Can you kinda share your origin story of what led you into cybersecurity?
David Sherry: Yeah, so it starts with being the right person, with the right skills, with the right attitude at the right time, and maybe silly enough to raise my hand and say, "I'll do that."
I was working for the US Postal Service in the late nineties when computing was exploding and they were creating a new IT group and needed someone to help out and I said, “wow, I can do that.” I was in grad school from ‘93 to ‘96, so I was kind of on the cutting edge of computing at that time. And, uh, getting that on my resume helped.
I stayed with the postal service through Y2K, told my boss I was leaving after I finished those responsibilities for bigger pastures and, signed on with a security startup. They weren't necessarily looking for a security person. They were looking for someone who could take the reins of building up what they considered to be the best security operations center in the world and put a great team together.
We were third out of the gate, I think, in the year 2000 to do managed security for small businesses, medium sized businesses, and that was, that was awesome. We got bought nine months later and everybody got handed a cardboard box. But it got security on my resume, Mike. And because of that, every job that I put in for afterwards, had security in the title.
I went to financial services next, as the Vice President of security for the number eight bank in the country, and then made the switch to the wild, wild west of higher education and never looked back.
Evan Reiser: So, David, one of the things that I remember from one of our first meetings many years ago is I think you said Princeton's a little bit more complex of an organization than you might think, right? It's not just about protecting students, which is our ephemeral population, which has its own complexities. We have alumni, we have our research facilities. We're doing high technology research. And Princeton's not just a university, right? It's a city. And we gotta think about “how do we protect the police department, all the other things.” Can you share maybe some of the unique cybersecurity use cases or challenges that might be unique to you that maybe other security leaders might not fully appreciate?
David Sherry: Yeah, that's a good question, Evan.
And it is a unique place. I mentioned I worked in financial services and there I had the authority to say, “thou shall do this and thou shall not do that.” Because we were protecting 250 billion dollars of other people's money. Can't do that in higher ed. We've had requests to have [unintelligible] put on our network that wouldn't have happened at the bank.
We don't say BYOD. We say BYODs because students can show up with 15 to 20 devices that they want to hit on the network. We also laugh that Princeton's been doing BYOD for 277 years except back in the day, they brought a musket and a shovel with them. Now the devices are a little bit more complex from that.
But it's a really smart community. The students are really smart. We just let in another 1600. Yesterday was decision day. The faculty are just amazingly brilliant, and I would dare say that the staff is right up there with them. They have to be in order to be able to support them. So it's a really complex environment in that regard.
We get outside influences. We got the freedom and the collaboration. And the intellectual property aspects we have to worry about. We have research on really cool life-changing and uh, world-changing decisions that could be made that makes it a really complex environment. But the thing that differentiates it, especially from my background at Financial Services, is the collaboration amongst higher ed.
My Ivy Plus peers, we talk daily on a Listserv. We have every other week a Zoom meeting, and we meet in person twice a year, and if something is gonna hit somebody else, it's gonna hit Princeton and vice versa. So there's a lot of talk, and that wouldn't have happened at the bank. I wouldn't be able to call up another bank and say, “Yeah, I'm seeing this. What are you seeing?” They would say, “Yeah.” So is it a stressful, challenging and complex environment? Yeah. But is it exhilarating and exciting? Oh yeah. Yeah. It's really just a good, good, great place to work.
Mike Britton: Can you kind of tell us how the threat landscape has changed with the broad adoption of SaaS and cloud platforms?
David Sherry: Yeah, I've been speaking about the cloud for almost 20 years. I did one in 2004, about moving to the cloud, and said “You should treat the cloud no different than you treat your data center”, and I still believe in that. I’ve never not trusted the cloud. But it's all about trust. It's about contracts. It's about visibility and making sure that if you move offsite, you still have some control, oversight, command response, everything that goes along with it. Why should I be paying the power and electricity when someone else can?
And having the flexibility and the redundancy, it’s just the way to go. So I believe in it.
Evan Reiser: Dave, you've been in this business for a while, right? I have to imagine that 10 years ago when you made a list of like, “here's my top three issues I gotta think about,” you know, in the pre-cloud world versus a day where everything's kinda interconnected, it's probably changed. What are some of the things that fell off the list and then are now kinda at the top of the list?
David Sherry: One that has continually stayed on the list is phishing. We don't think that will ever go away, but the techniques and the sophistication have changed. The phishing is still there, but I was thinking back 10 years, 2013, advanced persistent threat was a big buzzword that we were trying to defeat.
Internal threat was always big. Social engineering was just coming on the scene, so it was more things that I think we had under our control, and now phishing is still there, but some of the things that might be out of our control. Third party, supply chain, the weaponization of legitimate software tools. Makes it a little bit more dangerous and a little more complex.
The phishing's still there as well, which can lead to ransomware, which we weren't talking about in 2013, but it seems like we used to be able to control it, and now we sometimes have to respond.
Mike Britton: So what are some examples of emerging threats or even new security use cases that CISOs didn't have to worry about five years ago?
David Sherry: The rise of cybercrime in crime syndicates instead of just the random person trying to, you know, get a little bit of money or get some fast pipes to another place. That’s certainly big. I think the hyper-connectedness, you know, having people sleeping with their watch and being connected, their car driving down the road.
It's just amazing how that has changed. Artificial intelligence, machine learning ChatGPT, certainly that's been a game changer. And it's good to work in a university that's on the cutting edge of that stuff that can reach out to the faculty and say, “Hey, what are you thinking about this?”
Evan Reiser: David, one of the unique things about you is you've worked in some really large organizations, right? And large organizations have way more sophisticated attacks than maybe the average person might really fully appreciate. Do you have examples you can share of some attack either you've seen or you kind of heard about from your peers that you felt was particularly sophisticated or innovative or unexpected in some way?
David Sherry: Yeah, I was having a conversation with some peers just yesterday in Philadelphia, and we were marveling at the really rapid decline of network-based attacks. We all have really good endpoints. We all have good port of firewalls, intrusion detection, automatic DDoS failover, and the criminals know that.
So they move away from that and they go right after the ultimate endpoint being the human. So the one I think that comes to mind that we have witnessed and others have witnessed is the weaponization of taking over token codes for multifactor. It's like a man-in-the-middle attack and then cloning the token and bringing it back into a personal browser or a burner phone and imitating the person, which bypasses all of the security that we have.
That's an area that AI and ML has to help us in because there's almost no defeat from that until after the fact that it's over. So that was probably the most unique one I've seen in the last six or eight months. I saw it one time during a red team attack with the good guys doing it, but it was the first time I saw an attacker use it.
Mike Britton: So what are some of the new areas of investment that will be disproportionately valuable to protect organizations in this cloud-first world?
David Sherry: So I keep saying that AI and ML, and a lot of times marketers use that as a buzzword to scare us or you know, we lived through the year of PKI for 10 years and all these other things that have gone on in the past, but this is not gonna go away.
So looking at that investments into security tools certainly are going to be something disproportionately valuable, I believe, and I think that will help us. Also, the supply chain attacks and third party attacks, and we're hoping that the cloud's not gonna go away. There's some positives and negatives to it from our staffing and boots on the ground.
I think that's really the area that I'm focusing on is, how can that brave, new world of artificial intelligence make us smarter in order for our spend and our resources and our response to be better?
Evan Reiser: That's a theme I hear all the time from our customers. I think part of the frustration that a lot of security leaders have is there's a big difference between the claims about the impact artificial intelligence is actually gonna have versus the actual results. What are the areas where you've seen AI actually have an impact on cybersecurity?
David Sherry: I don't think the general population realizes how much AI they use in their daily lives and in their personal lives. Every time they do some shopping online or order from GrubHub or search out a movie or buy concert tickets, how much AI is running behind there to predict what their next purchase will be or the next place that they'll visit.
From a professional note, it's just something that has to be considered with every security decision we make now. Whether it's a new vendor or whether it's making tweaks to our current infrastructure or just anything that we need the solution providers that we deal with to be able to help us anticipate or predict or really quickly address the threats that are coming in.
We can't keep up with the threats. I tell the boss all the time, if an attacker has the right time, motivation and resources, they will hit us. They will get through to us. We just can't keep up from that regard. So that's, I think, where the AI and the ML can certainly help us stay, not one step ahead with the attackers, but perhaps in lockstep with them.
Mike Britton: So conversely, you know, you mentioned the overhyping from a marketing standpoint on the capabilities of AI. Where are areas that AI is unlikely to actually deliver real results now or in the future?
David Sherry: My answer might have been a little different about four months ago before ChatGPT showed up. I don't think it's gonna replace people.
I do think it's gonna be a sea change. Not unlike the internet was. Not unlike the iPhone was. It's just gonna change the way I think business acts and even how people can react to it as well.
Evan Reiser: What do you think is gonna be true about the future of AI's impact on the world that maybe other people might think are science fiction today?
David Sherry: So once again, positives and negatives, I think it's gonna help us. We can't be every place at every time, and be thinking about every device and every bit and byte that's going through our network. So in that regard, it's gonna help us. When we first heard about ChatGPT and we were all playing around with it, the buzz on the university was "Wow, what's this gonna do to admissions essays and what is this gonna do to writing thesis?" That's where the focus was, and I'm the crazy guy sitting at the end of the table saying, what if somebody uses ChatGPT to unleash a worm that can't be detected? I'm a little bit concerned about the negative uses of it.
I know places like ChatGPT and maybe some of their other competitors have built-in algorithms to stop someone from doing something nefarious. But if it's as smart as it says it is and they want it to be, it will get smart enough to outfox their filters as well. So using ChatGPT to take down Princeton is something that I think I'm gonna have to be worrying about for the rest of my career.
Evan Reiser: Maybe switching gears a little bit, right? And I appreciate your thoughts on AI and I would love to talk to you more about this. There's someone out there that maybe just stepped into their first CISO job. Any kind of advice to them about what they might overestimate or underestimate? Any blind spots a new security leader might have that you could help give them some coaching on?
David Sherry: So don't underestimate that you're an island. As you said, this is a team sport. Don't overestimate that you need every tool under the sun. Having good people, I think, that think really well. I look for good thinkers, better than great technologists. I can teach somebody the technology, but not thinking that a tool is going to save you.
And also, when speaking to your boss, your peers, your cabinet, whatever, get rid of the old fear, uncertainty, and doubt. It's just all about protection, value, and speaking with data. That's usually what I tell people that are new CISOs, the people that are coming into the profession. I say, learn whatever you can. Build a network in your basement.
Just keep learning, learning, learning. There's so many paths and so many avenues, but the people who step up in the CISO role, especially from someone with a technology background, they gotta learn the business acumen too.
Mike Britton: So what's a good book that really has had an impact on you?
David Sherry: Wow. There's so many good ones.
The one that has recently impacted me and I think has helped me in my role is "This Is How They Tell Me The World Ends" by Nicole Perlroth. Her insight into the malware marketplace and the zero-day threat and zero-day vulnerability marketplace is just absolutely fascinating. I read it and it validated my existence. Other people read it and started freaking out and buying life insurance and all, so. But it's just been a tremendous influence recently.
Evan Reiser: Anything else you can share about kinda what's unique or what would be surprising for your peer CISOs to learn about what's required to protect Princeton?
David Sherry: I think really the only unique thing that separates higher education and Princeton from a more corporate environment is the openness and the academic freedom. If there's research going on and they have money in their grant, they can hire an IT administrator and buy their own hardware and put it on our network.
We have our administrative network, we have the research network, which is really highly controlled and secured, but still has a lot of flexibility and a lot of freedom to it. And I need to support that. I can be the compelling alternative to be the security model, but if they choose to go another way, we just make sure that on the last three of the cybersecurity framework, detect, respond, recover is a lot easier here or a lot more important than the identify and protect, unfortunately.
Evan Reiser: Awesome. David, anything else you'd say out there to help inspire the next generation of security leaders?
David Sherry: I just tell everybody I can: go into security. There is such a wide swath of jobs, from highly technical to risk-based, to administrative, to compliance, regulatory, legal people. Just think about security as a career. There's so many avenues to pursue and I think it's gonna be here for a long, long time.
Evan Reiser: David, thank you so much for taking time to chat with us and looking forward to seeing you again soon.
David Sherry: Thanks for having me.
Evan Reiser: That was David Sherry, chief information security officer at Princeton University.
Thanks for listening to the Enterprise Software Defenders podcast. I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike Britton: And I'm Mike Britton, the CISO of Abnormal Security. Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprise software.blog.
Evan Reiser: This show is produced by Josh Meer. See you next time.