
Ep13 | Guarding the Ivory Tower: The Complex Landscape of Data Security in Research Universities - A Discussion about Penn State

Air Date: September 21, 2023


In this latest Hash It Out, Virtru's CMO Matt Howard and Sales Director Nikita Shenoy delve into the high-stakes world of data security compliance in research universities. Prompted by a recent federal lawsuit against Penn State University for alleged non-compliance with data protection regulations, the two explore the real challenges faced by universities struggling to balance stringent security requirements with tight budgets. The conversation sheds light on the practical difficulties of implementing comprehensive security measures and considers the future of cyber compliance and its implications for taxpayers. From the role of whistleblowers to the emergence of new compliance authorities, this discussion offers a quick view of the complexities of cybersecurity in academia.

Transcript

Good afternoon. My name is Matt Howard. I'm the chief marketing officer at Virtru. I am joined by my colleague Nikita Shenoy here today. Nikita, thanks for being here.

Yeah. Glad to be here.

So I wanted to have a quick catch-up with you. I know you spend a lot of time talking to a lot of, you know, major universities doing research on behalf of the federal government and, you know, having to find ways to kind of deal with, like, tight budgets and still comply with, you know, pretty significant security requirements as it relates to, like, classified data. Last week, there was an article I saw, I think you saw it as well, where the federal government is suing Penn State University with respect to, you know, their apparent lack of compliance with the government regulations. But not just lack of compliance; they allegedly claim that they were complying, only for it to be, sort of, disclosed that they weren't. Curious to get your thoughts.

Yeah. It's, you know, surprising and not surprising. Right? I think it's surprising that, you know, you're hearing about this happening with a public institution.

You know, one that is, you know, pretty famous for the research it does, you know, with R1 universities having a lot of the strictest data requirements related to the federal government.

But also not surprising in that, you know, I think, talking with universities on a daily basis, I understand how strapped they are for resources and, you know, a lot of the time needing to cut corners in the way that they, you know, handle sensitive data, and handle their limited budgets and limited resources in terms of staffing and faculty. And I think this is just one of those instances in which, I think, faculty and staff probably thought they were doing the right things, but, unfortunately, they had to cut some corners and, ultimately, are now being sued because of it.

Interesting. So, I think it's an important point. I mean, you know, clearly, R1 universities in this country doing research on behalf of the federal government, you know, they don't get there overnight. They've done an amazing amount of work over decades, sometimes a hundred years or more, just as leading research organizations, but so much of what they do is really sensitive stuff. And the government takes pretty seriously the requirements as it pertains to things like CMMC, and, you know, how do you put policies around CUI to govern sensitive data that's moving in and out of the research university, ultimately, you know, on behalf of the customer, the federal government. And the policies and the process and the governance that the universities put into place, I guess it has to be good enough to meet the government's requirement, but it also has to be affordable enough to sort of fit within the government's, rather the school's, budget.

Is that kind of the way you see it?

Definitely. Yeah. I think a lot of these universities tend to have this reliance on the tools that they're just using on a day-to-day basis. I think in this case, it was Microsoft. Right? Penn State moved off of Box because just using inherent Microsoft tools was cheaper for them.

And they sort of trusted that they were getting, you know, the right security in place to be able to do the day to day jobs.

But that obviously wasn't the case. And I think, you know, it comes down to overly trusting single-source providers.

It comes down to trying to make the dollar stretch the furthest, and then sometimes it just comes down to, you know, other people that are just trying to learn things on the fly, right, trying to understand: how do we now protect CUI? How do we protect sensitive data related to the government, kind of on the fly?

Yeah. And I certainly am sympathetic and empathetic, and I know you are as well, as to how hard it is to do cybersecurity well in any organization, especially maybe a university that has these particularly constrained IT budgets.

But then again, the more I read about this, the more I learn about this particular situation, you know, my understanding is it wasn't sort of just, like, a simple, like, "we thought we were covered," mea culpa, apology.

Apparently, after some internal risk assessments were done, you know, in order to kind of make it look like they were complying, you know, at least the former CIO, who, you know, the suit is being brought on behalf of, alleges that some people in the school were basically uploading files, effectively fake files, to make it look like they were compliant, which just seems like, I don't know. That just seems kind of like a stretch. That's trying to check a compliance box the wrong way is, I guess, the best way to put it.

Yeah. No. I agree. And I wonder, you know, I think in these large institutions, you have so many layers of IT people. Right?

It's like, a "does one hand know what the other hand is doing" type of situation. I think, you know, especially since the whistleblower in this case was the CIO, I almost wonder who signed off on this, right, who was the one who was sort of assigned this project of "hey, we need to, you know, get CUI protected," and sort of decided this was the right decision for them, and why was it not uncovered sooner?

Yeah. And, you know, so shifting gears, like, as a taxpayer in this country and looking at the world that we all live in, you know, the cyber risk landscape is kind of a scary place. And the type of research that these R1 universities are doing is really important to, you know, our country's present and our country's future.

And it's, you know, these NIST standards, you know, exist for a reason. I'm specifically talking about 800-171. And these compliance regimes, you know, that the federal government has with respect to these research universities doing work on behalf of the federal government, they exist for a reason. It's, you know, I always imagined that if someone wasn't quite doing right by the compliance regime that they might somehow get maybe a slap on the wrist or something like that.

But again, as a taxpayer, when I saw this news, I was a little surprised to see that the federal government's bringing a lawsuit. I mean, this is indicative of the fact that they take this really seriously. Would you agree?

Absolutely.

Yeah. As they should. Right? But my mind sort of went to, because, you know, I think CUI for me as a salesperson at Virtru is a little less, you know, something that I touch on a daily basis, other than the fact that I work with many, many institutions that have to deal with it.

But, you know, from my perspective as, you know, someone who goes to, or was, you know, at Maryland, where, you know, a lot of my Social Security records might be or, you know, health records may have been in the past, I wonder if this is happening with some of the most regulated data that's related to our federal government. I wonder, you know, is this happening with HIPAA data? Is it happening with FERPA data, with PCI, you know, what other information?

How many times are other organizations struggling to comply with strict data regimes kind of faking it, so to speak?

Exactly.

Yeah. I don't know. But, a couple thoughts on that front. Here's one.

If they are, it's likely that they will be held accountable in the future if they're caught. I mean, this, I believe, is the first time that the federal government is actually suing an organization for this type of behavior. But it won't be the last, because they've apparently stood up a new compliance authority and are intending to kind of take compliance to the next level, just to make sure that the people that are doing research on behalf of the federal government and all of these R1 universities are in fact taking those data security requirements seriously and not, quote unquote, faking it until they make it, so to speak.

Yep.

Yeah. I'm curious. Do you think that more whistleblowers will come out in the future? You know, for not only universities, but other organizations that need to meet CMMC, ITAR?

It's hard to say. I mean, one thing I do know is the cyber game is hard. And it's hard for the best organizations in the world that have the biggest budgets with the most talent. And, you know, all the resources in the world, you know, can still leave you in a situation where you're making mistakes with respect to cybersecurity and data security governance. I mean, case in point, Microsoft recently with the State Department.

So no one is pretending this is easy.

You know, to answer your question specifically, I sure hope not. I mean, my view is actually that the vast majority of the defense industrial base in this country does its absolute best to do the right thing and sort of implement cybersecurity hygiene and compliance with the government regulations. I suppose in this case, it's a little surprising to see, you know, an organization like Penn State kind of do the opposite, or at least that's what's been alleged.

You know, it will be fascinating to see where this case goes and see what comes out. You know, we don't have all the details yet, but it'll be fascinating to see what we learn from here. And the last thing I would say, and curious to get your thoughts, I imagine this definitely shines a light on R1 universities trying to up their game with respect to data security and compliance, based on this latest development.

Absolutely. Yeah. I think, I mean, just speaking to my customers, you know, I've seen a huge push in the last six months, trying to get solutions in place that enable them to comply, but also communicate the sensitive data in the way that it needs to be shared. You know, I just hope that they have the resources to be able to do those types of things. But, yeah, I mean, I can definitely see, if people weren't placing importance on it before, that, especially after this, they definitely will.

And on that point, you know, this, obviously, is just me and you chatting about a recent news event, which is sort of relevant, I think, to the broader industry. But as someone who spends a lot of time with universities, you know, working with them to kind of implement Virtru's data-centric security products, you've mentioned a couple of times this concept of budget constraints and resources. You know, how would you view Virtru in your role? And are you able to generally find, sounds like you are, but what's it like to kind of go in there, find a sponsor for your product and then have the budget conversation? I mean, you know, you can't be the most expensive tool in the world because they don't have all the dollars in the world. So how does that work?

Yeah. No. It's a good question. And I think that the main thing I try to tell my customers is Virtru is not a silver bullet. You know, we're not gonna meet every control that's required by NIST. Right? We're a small but very important piece of the puzzle, and one that can be deployed very easily and seamlessly within existing workflows. One of the things I often hear is how difficult it is to get researchers trained up on a certain tool, or they have to work in this certain secure enclave, which is very hard to implement new tools into. You know, the way that you, you know, use our tool every day, it's just built into the existing workflow, so it's a lot easier to do that for a lot of these universities. So not only from a cost perspective, it's from a resource perspective, like, needing to train up these people who have other things to do.

It's much simpler. But again, it's not the entire puzzle. It's just one small but important part of it.

Yeah. Unstructured data is hard, especially as it's flowing, sensitive unstructured data flowing in and out of a big university, and putting governance and policy control around it is really hard. Yep. It has to be affordable, to your point, and fit within the budget. The other thing it has to do is be easy enough for people to actually use, so the policy and the governance get applied.

And then compliance is something that ultimately flows from there. But it's, you know, a good story. I know that you've been able to tell it successfully, as you have done really great work with a number of large R1 universities across the country. And seeing this in the news last week, it just made me wanna reach out, connect and compare notes with you for a few minutes, because I hadn't seen anything like this before, and I really thought it was interesting. And, certainly, we'll be curious to see how this plays out in the public eye in the coming weeks and months.

But thanks very much for taking the time to be here. I really appreciate it.

I appreciate being on, and we'll definitely keep you in the loop as we hear more.

Yeah. Let's circle back and maybe do this again in a couple of months once we have a fuller picture.

Thanks.
