Do you know if your cybersecurity education and awareness program is effective? What are you doing to make your employees more aware of the different threats and vulnerabilities in your higher education environment? This session will highlight the effective components of the Cybersecurity Education, Training, and Awareness program at the University of Wisconsin–Madison, teach you how to engage your staff, and help you obtain a better understanding of the challenges involved in reaching different campus units and populations. This is a topic specific/intermediate level session.Outcomes: Learn successful marketing and communications strategies to engage a local campus in a cybersecurity event * Learn about the challenges involved in engaging students * Learn about the successful components of a phishing-awareness campaign
[Read More]

What is still relevant? Things change over time. The higher education network looks different: between the cloud, BYOD, wireless, and an ever-changing landscape of new attacks and attackers, some of those common truths about protecting your organization’s assets no longer apply. We’ll take a look at a list of common myths surrounding authentication, the perimeter, antivirus, patching, and network architecture and break them down into a very interactive and entertaining format to help gain perspective on this new environment and how it applies to higher education. Outcomes:Learn how usable security is the most effective security in practice * Learn how to reduce the burden on faculty, staff, and students by removing older and unneeded barriers * Explore how to provide the open-ended networks higher education users want and still be safe
[Read More]

With 100,000 new infections per day, ransomware has gotten the attention of boardrooms, IT staff, faculty, and students. Although not typically considered an insider threat, ransomware behaves like an insider, using hijacked accounts to encrypt files on endpoints and file shares. In this session, learn how security pros in higher education are not only fighting ransomware but also using the challenge of mitigating the threat to identify and confront vulnerabilities that expose them to other insider threats, including rogue employees and abusive administrators. Outcomes:Understand that ransomware has the potential to reach beyond the endpoint and compromise data on your networked storage * Learn lessons from some of the most interesting and under-the-radar insider threats we’ve discovered in the field * Take home a well-defined, concrete action plan for defending against ransomware and insider threats
[Read More]

You may have heard that a CISO needs to be strategic (or more strategic). What does this mean? Higher education CISOs may have one of the most difficult jobs due to the university culture. In this session, I will give my perspective on the talents and skills that a strategic CISO needs. I will also give examples of the actions and behaviors that strategic CISOs exhibit as they do their job. This session will provide tips for key skills including communication, conflict management, coaching, and building trust. This is a topic specific/intermediate level session. Outcomes: Understand the difference between strategic and tactical leadership * Know how to build trust with others * Be familiar with a strategic communications model, the conflict resolution framework, and how to coach
[Read More]

It is critical to understand the technologies we use to protect data. When trying to convey the importance of digital encryption, questions may arise about how the technology works and why it is important. This presentation explains symmetric and asymmetric cryptography in a nontechnical way. Using hands-on fun aids, we run through an example of elliptic curve cryptography and talk about why this came about and what advantages it gives us. Using presentations of this type to spread security knowledge can ease the job of convincing people to use security technology. This talk will also have a refresher for Fun with Certificates, Part I: RSA. This is a topic specific/intermediate level session.Visit Fun with Certificates, Part I: A Deep Dive into Cryptography for All Ages for a recording and resources from the 2015 talk.Outcomes: Understand symmetric versus asymmetric cryptography * Understand how ECC works * Understand how certificates work
[Read More]

Law-enforcement experts will provide information and insights regarding cybersecurity information sharing between law enforcement and private entities.This is a general interest session.Outcomes: Understand how to share information with law-enforcement agencies * Learn how to foster productive relationships with law enforcement * Understand law-enforcement resources available in response to cyber threatsThis panel will include representatives from the following agencies:The Federal Bureau of InvestigationThe Department of Homeland SecurityThe Secret Service
[Read More]

After working with hundreds of institutions on their awareness program, we see that failure more often results not from what is communicated but how. In this presentation, we will share the three C’s for successful behavioral change and ultimately culture change: communication, collaboration, and culture. Learn how the most successful institutions are implementing these core concepts and how you can apply them at your own institution. This is a topic specific/intermediate level session.Outcomes: Understand the theory behind behavioral change and where awareness programs fail * Learn the definitions of the three C’s and their criticality * Learn different methods for implementing the three C’s
[Read More]

All security professionals know that passwords are no longer sufficient for protecting nonpublic information. The challenge is how to deploy multifactor authentication across a diverse population without having the increased assurance introduce an impediment to the our academic goals. Virginia Tech, Indiana University, University of Miami, and Baylor University will share their experiences deploying multifactor authentication. The session will concentrate of a discussion among the panel and audience to explore the attributes for a successful deployment. Outcomes: Understand the challenges of implementing multifactor authentication * Learn strategies for enrolling constituents * Under potential project risks
[Read More]

We cannot understand where we are going unless we know where we are and how we got here. This presentation will begin with a look back at some of the people and ideas that helped found the practice of information security—the proverbial shoulders on which we stand today. From the past to the present, focus will shift to a discussion of the current state of information (in)security and its implications for the practice of information security in today’s highly dynamic, highly connected world.
[Read More]

In the absence of a full NIST 800-171–compliant infrastructure, Portland State University embarked on a journey to develop a tailored solution for addressing NIST 800-171 compliance requirements for research projects. In this session, we will map out our solution for navigating these requirements and satisfying research project needs. We will outline our strategy for addressing the need, our relationship with the research arm of the university, and our security plan–based approach using our current IT infrastructure. This is a general interest session. Outcomes: Gain familiarity with NIST 800-171 guidelines for protecting CUI * Learn about our security strategy leveraging existing IT systems * Learn how we partnered with our research department for addressing NIST 800-171 requirements
[Read More]