Five questions for William E. Walker IV, assistant vice president and chief information security officer for the University of Colorado system administration
As chief information security officer (CISO), William E. Walker IV oversees the university's information security program, working closely with campus security principals to protect private data pertaining to students, patients, faculty and staff. He combines best practices from private industry and the National Security Agency (NSA) to educate the CU community about electronic data security, and how to avoid costly, embarrassing and potentially intrusive computer breaches. When he's not educating university constituencies about computer security, he can be found under the hood of his vintage 1979 Trans Am, or exploring his new home state of Colorado with his wife and new son.
You are the University of Colorado's chief architect for information security and the principle liaison between CU and the state when it comes to data security issues. Describe how security breaches affect CU anytime someone is careless with people's private information or other sensitive data. What process is set in motion to secure the data and inform the public?
When a data breach occurs, especially with personal information it affects a multitude of people, departments and organizations, starting with the person whose data is exposed and who runs the risk of having their identity stolen and personal finances affected. The school or college and the campus take a financial hit from the costs to remediate and recover, and a reputation hit from media coverage. The negative publicity affects CU as an institution, too.
If we experience a breach of other information such as credit card data, we run the risk of losing our ability to accept and process credit card transactions. For government grants, we run the risk of losing that funding if we cannot prove that we take the necessary precautions to protect the sensitive information involved.
The process that begins when a data breach occurs requires the collaboration and coordination of many individuals to identify, contain, remediate, recover and notify in order to minimize the risk to all parties. A data breach requires many staff hours, not to mention budgetary dollars, to deal with. Breaches are not something you can plan for and they negatively affect budgets.
You earned a bachelor's degree in computer science from State University of New York and a master's degree in computer science with an emphasis in information security from James Madison University. What drew you into the fields of computer science and information security in the first place, and what did your experience at the NSA teach you?
I got my start by accident - sort of. During my undergraduate work, I was partnered with a friend and we had to choose a topic for a class project (UNIX System Administration). Due to my friend's procrastination, we ended up getting the topic of "security." It was the early '90s: What was security anyway? After building and implementing a type of single sign-on service and doing a presentation on classes of vulnerabilities, the idea that this could go somewhere in the future became really intriguing. It then took me a couple of years and false starts with graduate programs to find a specialization in the area that really intrigued me.
As for the NSA: It's one of those places you only hear about, but never know how to become a member of. Besides being what I consider the best place to learn about systems and security of all types, it taught me a lot about people, teamwork, our critical national infrastructure, the threats that exist on a daily basis and how normal people (if you consider the types who work there normal) make a difference for our country and all those who live or operate here. Beyond that, it provided proof and validation that information security truly is a risk-management process, it is impossible to build anything bullet proof, even if you really think it is.
How can employees balance their need for mobility - using laptops and PDAs - with the responsibility of safeguarding others' private information?
Balance is the key word in this question, without a doubt. Protecting information is easy and people do it every day without thinking about it: their personal banking information, tax returns, health care records, children's online activities with friends, etc. Those same concepts need to be applied in our work environment. The good news is that there are people here to help.
There are inexpensive ways to enable user-friendly capabilities to protect sensitive information for mobile use. The challenging part is having all parties keep an open mind about the "how-tos" while recognizing that offering one solution for an enterprise this large is impossible.
What is the greatest security issue facing CU and other U.S. universities right now?
Taking a step back and looking at the big picture, it would be the online and service-oriented direction that's expected by our population. As the technology evolves, we must ensure that we are not exposing our students, administration, faculty and staff to information theft.
Tell us something about yourself that few people know.
I own a late-'70s mullet machine. Sorry, I mean a good old American muscle car that has been in a permanent restoration process and probably will be for the duration of my life. It's a 1979 Trans Am (inspired by Burt Reynolds) that my wife refers to as my girlfriend.
