In February 2023, Paul Rivers came to UNC-Chapel Hill to oversee information security and identity and access management as Chief Information Security Officer and Assistant Vice Chancellor for Information Security. His two units are the Information Security Office (ISO) and Identity & Access Management (IAM). During Rivers’ first two years, his teams have made remarkable strides in boosting the University’s information security program. Upon his work anniversary last month, Rivers made time to share what he and his teams have accomplished and what’s next.

When CIO J. Michael Barker hired you two years ago, he said you would “advance our strategic vision of making information security compliance routine rather than extraordinary.” What strides have you made toward that?

We have come some ways in strengthening the coordination of the security program for Chapel Hill. Collectively, we have accomplished a lot. As Mike and I presented in our annual security update to the Board of Trustees in January, we have much more to do.

Security starts with roles and responsibilities. We have clarified policies and standards associated with who is responsible for what when it comes to security. Do all security requirements come from some compliance mandate, or does the University require a baseline of security controls? Is a principal investigator (PI) responsible for the security of the technology used in their research? Is an IT director responsible for technology within their unit if they have no direct operational control of the technology? If an associated entity of Chapel Hill utilizes the UNC-Chapel Hill network, what security requirements must they follow? What application security software standards must be met for in-house development? How do we differentiate the security requirements of health-related data that is and is not subject to HIPAA? And what exactly is the UNC-Chapel Hill implementation of the HIPAA Security Rule? All the above questions, and more, now have written answers.

We are now turning our attention to how we operationalize this understanding. We began this operationalization in 2024 as we made substantive changes in approach to the chancellor’s annual security key controls attestation. We are building on that foundation this year, establishing a set of individuals appointed by the dean or vice chancellor of the unit as the coordination point with security. Those individuals will work with information security to build out a consistent set of four processes that coordinate security within those units with the overall security program. The buildout of this coordination of security is being done systematically, adding additional capabilities each year until fully complete in 2029.

About Paul Rivers


Paul Rivers came to Carolina two years ago with strong qualifications from previous leadership roles in cybersecurity, including as CISO and HIPAA Security Officer at both Yale University and the University of California, Berkeley, and as cybersecurity adviser to the audit committee of the Brookhaven National Laboratory.

Rivers also held significant positions outside of higher education, including as Director of Security and Compliance at Amazon Web Services. Prior to his time at Yale, he was a cybersecurity executive consultant to Fortune 500 clients.

I am very excited about this initiative. I believe the coordination this approach brings is a game-changer for security for Chapel Hill. There are many other things we have accomplished in the last two years. Some of these are less visible, such as the fantastic advances of incident response rigor and maturity. The move of 20,000+ endpoints from Trellix to CrowdStrike has made a marked difference in our ability to detect and respond to events at a faster pace. We’ve expanded to 25% more endpoints during the move and have added new identity and vulnerability detection capabilities as well. We’ve expanded detections in the network, coordinated and strengthened our HIPAA compliance, and much more besides. The teamwork has been fantastic.

What are your goals for the next several years?

Our organizational context is one in which control of technology is broadly distributed. From this context, we have three strategic pillars: Measured Accountability; Detect More & Respond Faster; Expanded Common Controls. I’ve touched on coordination of security above. This coordination also includes 27 key performance indicators for the functioning of the security program overall, plus unit-level security performance data. We are moving towards not only clear roles and responsibilities, but closing the loop by assessing and adjusting based on measured performance against those responsibilities.

While control of technology is distributed, visibility into this technology need not be. Our second security objective is to expand the visibility across all UNC-Chapel Hill technology, expand the types of security events we can detect, and increase the speed at which we respond to these detections. The increased speed includes automation, increased use of threat intelligence, and partnerships with third parties to augment our in-house monitoring.

The final pillar of our strategy is to identify common controls which may alleviate some of the local burden of securing technology, increase organizational assurance that controls are in place, and make the overall operations for UNC-Chapel Hill more cost-efficient. The security of digital credentials is our most important security control, period. We are starting with identity. We have some immediate outcomes we will deliver in 2025 to improve credential security. We are simultaneously undertaking a more comprehensive analysis of identity policy and practice to address eight areas we have identified. We will complete this plan by January 2026 and begin executing a more substantial transformation of digital credentials in 2026 and beyond.

You have made some organizational changes, including creating some new positions. What have you changed and why?

We made internal changes to clarify objectives and ownership, so that teams are more focused on delivering specific outcomes. For example, vulnerability management is part of Detection and Response, rather than Risk and Compliance. Our top priority in vulnerability management is to identify known-exploitable, internet-accessible vulnerabilities and treat such cases with the urgency and playbooks of our incident response function.

We have also added new positions to support the above strategy. We’ve added a senior security program business analyst to work with me on delivering the coordination of security. We have added an IAM business analyst and IAM architect to support the transformative work in identity. We have added a research security analyst to remove friction for researchers in meeting their security compliance obligations.

What has surprised you during your first two years of leading security and identity?

I want to take this opportunity to say I do not make a distinction between security and identity. The sole reason an identity team and function exist at any organization is for security. Identity is without question the most important security control Chapel Hill (and arguably any organization) has. While not surprising, it has been very gratifying to get to know so many excellent people, within ISO, within ITS, and across all of the University. Without all of these people, none of the security objectives discussed here could happen.

How have the security landscape and challenges changed in the last few years?

Candidly, I do not have a new or surprising perspective here. Yes, the threats are getting worse. Yes, the legal, regulatory, and compliance obligations are growing. Yes, we are seeing federal agencies increase the security demands on our researchers. What has not changed is the reality that security is a byproduct of operational practices. Doing the fundamentals well is the best antidote to the above.

Broadly speaking, what do you want to ask campus members to do to protect their own and the University’s data and privacy?

Focus on ownership, in the sense of responsibility. If no one owns the technology or the vendor relationship providing the technology, then without question the right operational practices are not happening. If that owner is you and you do not feel you have the requisite time or expertise to maintain the necessary operational practices, please talk to your local IT teams. They can help you.
