This month, for Cybersecurity Awareness Month, we introduce you to the IT Security Architecture team within the Information Security Office (ISO). It is one of four teams within the ISO along with the Network Security team, the Operations and Incident Handling team and the Risk Management andVulnerability Assessment team. The teams are led by the Chief Information Security Officer.
The IT Security Architecture team is made up of three information security professionals: Alex Everett, Dave Eiselman and Jared Perdue. Everett has led the team for two years, which is about the same length of time that Eiselman and Perdue have each served on the team. In this Q&A, here are each of the three, in their own words.
What does the IT Security Architecture team do? Dave Eiselman: In short, we work to keep the University safe from cyber threats and to maintain our critical systems attributes of confidentiality, integrity and availability. We do this though a unified security design that can include, but is not limited to hardware, operating systems, software, policies, and an overall design framework to reduce risk. This process is never complete, and risk can never be totally eliminated. We must continually review and revise our strategy to enable the University to continue to serve as a center for research, scholarship and creativity.
Alex Everett: To elaborate, our team works to understand the needs of faculty, staff and students while identifying potential IT-related opportunities along with potential IT-related risks to the organization. A prime example of this are the services from public cloud providers such as Microsoft Azure, Amazon Web Services and Google Cloud Platform. These providers offer more than 100 state-of-the-art IT services that present an opportunity for rapid deployment of IT or rapid prototyping, pay-by-the-minute computing, and always-on reliable services. However, the ability for any faculty member, staff member or student to quickly provision IT services also presents a risk to the University.
For that example of cloud services, how does your team address those potential risks? Alex Everett: The team has worked with the Director of ITS Systems Administration and Cloud Architecture and his teams to provide guidance, support and oversight for all three cloud environments. We have endeavored to make this environment similar to what one can get signing up directly with the provider, but with many of the benefits of having it reviewed and supported by the University.
Talk a bit more about the role of collaboration in your work with campus units.Jared Perdue: Our partners within ITS and the various schools enable us to better secure the University through close collaboration. Within ITS, we protect core technologies used by the UNC community. We monitor for new vulnerabilities that threaten the confidentiality, integrity and availability of those assets and advise on risk. We provide technical guidance on new technologies such as cloud mentioned above and help the teams using them to accomplish their goals. Working alongside the ITS Cloud Architecture team and the Information Security Office’s Risk and Vulnerability Management team, we enable our partners at other schools to secure their faculty and staff members’ research efforts and students’ academic pursuits. Through these close partnerships, the IT Security Architecture team is well-equipped to guide UNC through the increasing information security challenges facing higher education today and in the future.
What do you enjoy about working in security architecture?Alex Everett: I think one of the rewarding aspects of the work is being involved with technologies that can improve experiences for everyone at Carolina. Usually, we work with other teams to be able to help deliver on something such as a safer online experience. To give an example, right now we are testing three technologies from Microsoft that are designed to reduce the impact of email threats. One of these is called “First Contact Safety Tip” and is a notification from Outlook when you are communicating with someone new.
Dave Eiselman: I enjoy that the job is challenging and there is always a new problem to solve. What I love about the job is helping the University and people accomplish their jobs — whether it’s a geneticist researching cancer, or working on the COVID testing program, or helping Athletics with their baseball radar tracking system.
Jared Perdue: Understanding the latest vulnerabilities and how threat groups are exploiting them is my favorite part of the job. “Thinking like the bad guy” is the most intriguing aspect of my work. As time allows, I enjoy reading the latest industry reports on advanced threat groups. My position is a little bit of everything. I provide security consulting to outside groups and technical guidance to teams with primarily non-technical security work. I also support incident handling, network security, security operations, and I’m one of the few members of the office who performs penetration testing.