October is designated as national Cybersecurity Awareness Month, which provides an annual occasion to delve into a topic that affects everyone year-round.
Christopher Spencer, MBA, CCSP, CISSP, joined the School of Medicine and Public Health in August 2019 as Director of Cybersecurity. Spencer’s background includes multiple roles over nearly a decade in the campus Division of Information Technology (DoIT), including serving as Senior Cloud Security Engineer in the UW–Madison Office of Cybersecurity. Prior to this, he served in IT roles in the Department of Communication Disorders and the School of Pharmacy. Spencer’s early career included service in the U.S. Army, as well as working as a surgical instrument technician at hospitals in Green Bay and Janesville, and business development for a La Crosse-based custom fly fishing rod company.
Below, Spencer shares his views on cybersecurity and risk management in information technology (IT) infrastructure.
Could you briefly describe your role as Director of Cybersecurity at SMPH? What attracted you to this opportunity?
My role as the Director of Cybersecurity is to cultivate a culture of Cybersecurity. Cybersecurity is not solely about IT risk; it truly is organizational risk. A primary goal of SMPH Cybersecurity is to be a trusted advisor. It is all about managing organizational risk to the appropriate level to allow innovation and support the SMPH mission of advancing health, without compromise, through service, scholarship, science, and social responsibility. What attracted me to this role was the opportunity to work with and support an organization that provides such a positive impact to the state and global community.
What professional path led you to this role?
I started my IT career on campus with the School of Pharmacy and I really enjoyed the mix of technology, research and healthcare. Later, I worked in the Office of Cybersecurity, building my cybersecurity skills. When I learned of this role [in SMPH], I thought it would be a great opportunity to leverage my experience and skills in an environment with a diverse mix of technology, research, healthcare, and cybersecurity.
Given that October is Cybersecurity Awareness Month, what topics do you think should be top-of-mind for faculty? Staff? Students/learners? Those involved in our research enterprise?
Your identity or credential is the new security perimeter. Good credential management is critical to reduce and prevent cyber-incidents. Also, there have been several recent reports from law enforcement agencies that attempts to steal intellectual property are on the rise, so be aware of suspicious activity and be mindful of controlling access to your research.
What takes most people by surprise when it comes to cybersecurity?
Everyone is a potential target. Bad actors cast a wide net to ensnare as many credentials as possible to then use the insider accounts for their attacks.
The national theme for this awareness month is taking personal accountability to be “cybersmart.” What are 3 things that you wish every SMPH member would do to keep their identity, data, and other online assets from becoming compromised?
- Use strong and truly unique login passphrases.
- Be aware and skeptical about phishing and social engineering attacks.
- Patch all software and have a good backup.
Do you have any examples of outdated cybersecurity advice—actions that used to be important, but are no longer necessary?
Changing your password or passphrase often or arbitrarily without a valid reason to do so. Instead, the best advice now is to use unique and strong passphrases of 16 characters or more for all accounts and change them when you have evidence or suspicion that your passphrase is no longer secure. An encrypted password wallet such as LastPass is a great solution for managing passphrases securely. Finally, do use Multi-Factor Authentication (MFA) when available.
Do you ever encounter fatigue about cybersecurity awareness due to people not wanting to be in a fearful mindset, or not wanting to think about things that could go wrong if their data were compromised? If so, are there positive aspects of cybersecurity that you’d like to highlight?
I would say that I have experienced more often that people feel overwhelmed and do not know where to begin. I would offer that most cybersecurity professionals are here to help by providing advice and guidance to help you manage the challenges that may feel overwhelming. In addition, if cybersecurity awareness and training is engaging, relevant and updated, the positive outcome of the cybersecurity awareness efforts will enable and educate people—making them better-equipped to spot suspicious activity.
Favorite quote or saying about cybersecurity?
“Cybersecurity culture can achieve more than prohibition posture.” – Stéphane Nappo, who is based in Paris and was recognized as Global Chief Information Security Officer in 2018.