Tune in as Jason and Steve sit down with Krystal Racine, Account Executive at Vancord, to play back a few interview clips from NERCOMP of attendees’ cybersecurity experiences.
Jason Pufahl 01:55
And with no masks, yeah, the previous ones had masks. And I think they, I don’t know if they quite hit their pre-pandemic number, but I know they were really close to it, which was nice. So they, I think they’re starting to see a return to normal, normal attendance numbers. I felt like the vendor, which is where we spent a lot of our time, right, the vendor area, really well attended. I think it’s nice that we’ve been able to go for multiple years now because I think the reception to us was pretty warm, I think there’s a lot of familiarity. We’re working with a lot of those schools now, which is really nice. I think the conversations were pretty authentic. I didn’t feel like, you know, sitting on that side of the booth that you know, that we had to be the sales people as much as we just had, we were sort of security ambassadors.
Krystal Racine 02:40
I agree, yeah. Big difference from my second year where people are going, Vancord? To, it’s Vancord! So that, that nice recognition changes.
Jason Pufahl 02:50
Well, we were lime green, then too. So we stood out, maybe we were more bold, but I’m not sure as refined perhaps. So, you know, I know, we had grand plans of trying to really do a large podcast recording session while we were there, and I think we scaled back and got a little bit more modest. And Krystal, you took the reins, grabbed the mics and walked around and interviewed a few people?
Krystal Racine 03:16
Yeah, yeah, that was really cool. Because I got to meet with people firsthand, just kind of walking up and asking them, you know, what did they think as far as cybersecurity trends, and getting insight, and the honesty that we got was really cool, versus it kind of being like a sit down and scripted session.
Jason Pufahl 03:33
Yeah. And, you know, the little mics, they weren’t, they probably didn’t quite feel as formidable as the standard behind these, maybe, so I think people are at ease?
Krystal Racine 03:41
Yeah, for sure. For sure.
Jason Pufahl 03:42
So I think, we kind of pulled out three clips that we felt, I think that we thematically we probably heard, you know, a couple of people speak to as we were talking with folks, so we wanted to play those.
Krystal Racine 03:55
What would you say the biggest focus should be when it comes to cybersecurity for higher education institutes?
04:01
I think it would be talking to the end users and getting them more aware of the issues that we have to kind of keep them protected from.
Krystal Racine 04:09
Outstanding, and the million dollar question of the day, what keeps you up at night when it comes to cybersecurity?
04:14
It would also be the same thing with keeping the training and what they’re, what they’re doing, and getting them the information that they need and making sure that they’re as secure as possible.
Krystal Racine 04:24
Fantastic. Thank you. What would you say keeps you up at night when it comes to cybersecurity?
04:30
Ransomware and threat networks.
Krystal Racine 04:33
Fantastic, thank you so much. Where should higher education focus when it comes to cybersecurity?
04:40
We really need someone to contact when things start to go wrong. So if there’s a cybersecurity incident, and we need to know who to call, right, we need a big red button to push when everything’s going wrong. You need to pick up the red phone and call somebody. And that should be a partner that really knows our environment, and that we can trust on our network.
Krystal Racine 05:05
Fantastic. Thank you so much and have a great show.
05:07
Thank you.
Jason Pufahl 05:08
So, I think we ordered those the way we did on purpose because I think everybody should start with security awareness, maybe that helps reduce the risk of, you know, some of the ransomware and other pieces. But, you know, security, I would say, security awareness seemed to be a big topic, in general. Everybody was concerned about that.
Krystal Racine 05:26
Yeah, for sure. It was the million dollar question. I’m grateful we didn’t actually have to hand out million dollar answer checks, because it was a repeat offender, for sure.
Jason Pufahl 05:35
And we do a bunch of it, and I think, honestly, coming from higher ed, we probably have more respect for how important an educated workforce or educated community is.
Steven Maresca 05:47
I mean, ultimately, in higher ed, trust is the currency, whether it’s for academic purposes or security alike, so having everyone be operating at the same level of awareness is kind of integral to any sort of security program.
Jason Pufahl 06:02
And I think there’s a recognition now that the, it has to be a core part of whatever training occurs institutionally.
Steven Maresca 06:08
Right. And, you know, mandated training is a big deal in higher ed. So anything that really makes it part of that fabric is important.
Jason Pufahl 06:16
Right.
Krystal Racine 06:17
Absolutely.
Jason Pufahl 06:18
So the, you know, though, if your training fails, and then people, you know, click on those phishing emails, you know, there’s obviously the concern around ransomware, was it ransomware and threat networks, right?
Krystal Racine 06:30
Threat networks, yeah.
Jason Pufahl 06:32
I mean, there’s no doubt everybody’s worried about ransomware still. It, maybe we’ve seen a slight downturn in over the last roughly 12 months, right, we’ve spoken about that on previous podcasts. But it’s still a huge concern for everybody, you know, it looms larger than, you know, the regulatory requirements, regulatory compliance requirements that they’ve got, I mean, that I think that’s the thing that keeps everybody up.
Steven Maresca 06:57
Yeah, I mean, it’s the lens through which, you know, lots of risk and compliance is interpreted, certainly. Insurance premiums have gone way up because of ransomware, tabletops are focused on ransomware. It’s the main specter and fear without any question, and, you know, on the education side of things and the actual awareness side, it doesn’t matter if someone clicks. I mean, we want, we don’t want them to, but we want them to know that when they click that, they’re equipped to actually back away and report it or, you know, give early warning. And that’s the linkage between the two. Perfection is not attainable, and that sort of thing. But as long as everyone’s vigilant, you better transit positive outcome.
Jason Pufahl 07:44
I like that you brought up tabletops because I think it’s an it’s the it’s the tool that a lot of security professionals are using now to bring the community together and talk about these things. I don’t think it, I don’t think it was as commonplace, really even what, three years ago, for non IT people to sit down and talk about the risks of some of the potential incidents, ransomware obviously being one. So we’ve seen now a lot more, we’ve gotten a lot more requests to do tabletops. I think there’s generally a lot of interest and I think people are now approaching it from convening the right community, right, their discussions are, I’ll make sure I have HR, I’ll make sure I have legal, I’ll make sure I have communications, like they know the people that they need to bring into a room, which I think is really positive.
Steven Maresca 08:32
And some of that requires conversation before an actual crisis hits. So you know, it helps that everyone’s at least aware of their role and the sequence of operations, what things to say, what things not to say. Pretty, pretty essential, in my opinion.
Jason Pufahl 08:45
Yeah.
Krystal Racine 08:46
Yeah. I like to say it’s the adult fire drill. We all had to go out to the recess yard for kindergarten when we knew where to go. A tabletop is just like that, it really helps you to understand where you’re going to break down. And I think that’s really, really important to companies.
Steven Maresca 09:02
Might as well find the flaws in your plan before it’s an actual necessity.
Krystal Racine 09:03
Yeah, a simulation prior to the tragedy.
Jason Pufahl 09:07
So you know, a couple of the things maybe that just jumped out to me, from a vendor standpoint. There weren’t, there weren’t tons of security vendors there, which frankly, the last few conferences I feel like I’ve been at has been predominantly or maybe security heavy, security vendor heavy. You know, there’s definitely a handful of online curriculum, you know, your Canvas’s, and etc. That’s obviously, there’s a huge move there, obviously. A lot of, I’ll call high tech classroom stuff, which I think we probably would have expected.
Krystal Racine 09:44
Yeah, absolutely.
Jason Pufahl 09:46
We, we just had an opportunity to talk with Maurice Simpkins from the application fraud detection company. So, some interesting, I’ll call them, slightly tangentially related, you know, security practices. So, you know, that was really enjoyable. But, but I was kind of gratified to see that it wasn’t just, you know, 25 firewall and identity management and security consulting because, not that their conferences have been so heavily that way, but I’ve seen a trend in conferences and generally be very security specific.
Steven Maresca 10:23
I mean, heavy, heavy emphasis on learning management systems and other educational technology without a doubt. It’s a continuum, ultimately. I mean, kind of echoing the awareness aspect, you can’t really deliver that stuff without those capabilities in place to begin with. So, might as well.
Jason Pufahl 10:44
Yeah. I mean, I think if, you know, for, for people who are listening who don’t attend, I think it’s a good, it’s a good conference, it’s not so big, that you get lost. You, it’s localized, that New England area’s reasonably small. So you have a really high likelihood of running into peers, there’s good opportunities to collaborate in small groups, which I think is great. So that networking piece is really solid. And they always have good food. I mean, honestly, they always, they always have good food and drink during the vendor sessions.
Steven Maresca 11:18
And actually, on the vendor session aspect, this may sound strange coming out of our mouths, but the vendors at NERCOMP are, you know, somewhat off to the side. They’re not front and center, like they might be in some conferences. I think it’s a nice balance that they achieve there. And I know that other attendees certainly appreciate that.
Jason Pufahl 11:36
Yeah.
Krystal Racine 11:37
Yeah, I agree. It’s nice and easy for people just to kind of walk up and down the aisles without people jumping out or you know, just trying to shove a product or a solution in front of your face. It’s a very calm, welcoming conference. Everybody is just really sharing information and kind of chit chatting, it doesn’t make a difference. You know, what school you’re from, what vendor you’re with. It’s just a really nice way to kind of understand what your peers are doing and understand what’s going on in the industry as far as trends.
Jason Pufahl 12:06
That’s the beauty of higher ed. I mean, that’s one great thing about higher ed is they are, they are collaborative for sure. So yeah, I’d be I don’t know if there’s any other major points, I think, you know, our reception was good. The conference lived up to its expectations. Providence is always fun to go to, I mean, it’s got good restaurants.
Krystal Racine 12:24
It’s a great city.
Jason Pufahl 12:24
So, you know, if people haven’t gone, there’s a number of good reasons to attend NERCOMP.
Steven Maresca 12:28
I mean, I think there were some other common threads worth mentioning. Everybody’s interested and worried about Gramm-Leach-Bliley Act concerns, some other compliance aspects. People are definitely talking regularly about staffing issues and difficulties in filling positions. It’s, it’s become more problematic for a lot of institutions of higher ed. And I mean, I think we had some productive conversations with other schools and some of our former colleagues on those, those topics beyond what we shared a moment ago. We’re in an interesting time where everyone needs to be creative in addressing problems of this nature. You know, NERCOMP is a good venue for people to brainstorm together and share what works and share what doesn’t.
Jason Pufahl 13:17
So, we’re, I mean, we’re intentionally putting together a kind of organic podcast for this one in particular. I know we did a podcast on GLBA. It’s possible somebody didn’t hear that, it’s, you know, I think it’s important enough for maybe you to spend half a minute on, why are people talking about it?
Steven Maresca 13:36
Sure. So GLBA in particular, it’s a regulation that governs financial institutions. And the Department of Education considers institutions of higher education to be financial institutions as it pertains to financial aid, it’s part of their title for accreditation tied before funding. Basically, if you’re a parent or student applying your FAFSA form, that makes a school or university a financial institution, therefore, from the perspective of the Federal Trade Commission, schools are absolutely required to protect financial data of consumers and customers. That means that schools need to put in proper safeguards, self assess, make sure they’re doing risk assessments, coming up with Incident Response plans, doing cyber security awareness, training, reporting on an annual basis, and a variety of other things that basically help to safeguard data. The rules are changing. There are some deadlines, upcoming, you know, June 9, for making improvements with respect to data safeguards, and it’s a landscape that’s shifting. It’s been something that’s been forecast for the better part of five or six years, but, you know, the Federal Student Aid office is changing the way that they evaluate and enforce. So that’s the main message ultimately, for anyone in a school or university, you’re obligated, even if you’re not quite aware of that fact. And it’s worth asking your peers in other departments whether they’re aware of that so that you can work together to make improvements. Right. But, I mean, I absolutely saw you having sort of conversation after conversation about this. It’s top of mind for a lot of schools. Absolutely. And it’s, it’s tough, because there’s a lot of uncertainty about how to go about making improvements and what expectations there are.
Jason Pufahl 15:25
And that’s the challenge with not having a sort of a ratified, you know, due date and explicit security standard. I mean, I know they’re talking 800-171. But, you know, there’s obviously been push back on that. So, I don’t think schools are burying their heads in the sand necessarily, but I think, you know, some of them are definitely waiting for the dust to settle before they make any substantive changes. I feel like there’s a decent overview of the conference as a whole. I don’t have any parting thoughts. I don’t know if either of you do?
Krystal Racine 15:58
No, it was an all-around great time, and already looking forward to next year.
Jason Pufahl 16:02
I think that’s a fair way to end. You know, if any, of course, as always, if anybody has any questions, maybe, you know, maybe not questions about NERCOMP per se, but you know, tabletops, incident response, GLBA. Feel free to reach out. We’re happy to do another podcast on a topic that’s specific or just answer individual questions if anybody has them. So, as always, we appreciate everybody listening and hope you got value out of today.
16:27
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.