Jason Pufahl 00:33
So our experiences, all things experiences NERCOMP? You know, for me, it’s always a good event for me, I had the chance of sitting on their account board for a while while I was at UConn. You know, I know a lot of people there, it’s always really, for me, personally, enjoyable just to catch up with everybody. NERCOMP is the Northeast Regional Computing Program. Really, it’s a, I’ll call it a smaller version of EDUCAUSE, right, it’s more localized, Pennsylvania up through Maine, kind of collaboration of higher education, you know, really for learning and probably support within the IT environment, those are kind of the two big missions, you know, training and learning. So, you know, I’m curious, I always have to separate myself a bit, because really there is that, there’s that big personal aspect for me, I, it is so much fun to catch up with everybody. Curious what your perspectives, just to the conference in general, were? You know, it’s pretty quick, you’re in and out.
Steven Maresca 00:51
So Jason, what is NERCOMP? I mean, I struggle the same way, there’s a lot of former colleagues there. It was nice to see people, talk to them, just catch up. I think it’s been multiple years of not very active engagement with peers in the public sphere. So everyone was really quite cordial and happy to be together in the same place.
Krystal Racine 01:52
Absolutely, and with no masks. So that’s a big change.
Jason Pufahl 01:55
And with no masks, yeah, the previous ones had masks. And I think they, I don’t know if they quite hit their pre-pandemic number, but I know they were really close to it, which was nice. So they, I think they’re starting to see a return to normal, normal attendance numbers. I felt like the vendor, which is where we spent a lot of our time, right, the vendor area, really well attended. I think it’s nice that we’ve been able to go for multiple years now because I think the reception to us was pretty warm, I think there’s a lot of familiarity. We’re working with a lot of those schools now, which is really nice. I think the conversations were pretty authentic. I didn’t feel like, you know, sitting on that side of the booth that you know, that we had to be the sales people as much as we just had, we were sort of security ambassadors.
Krystal Racine 02:40
I agree, yeah. Big difference from my second year where people are going, Vancord? To, it’s Vancord! So that, that nice recognition changes.
Jason Pufahl 02:50
Well, we were lime green, then too. So we stood out, maybe we were more bold, but I’m not sure as refined perhaps. So, you know, I know, we had grand plans of trying to really do a large podcast recording session while we were there, and I think we scaled back and got a little bit more modest. And Krystal, you took the reins, grabbed the mics and walked around and interviewed a few people?
Krystal Racine 03:16
Yeah, yeah, that was really cool. Because I got to meet with people firsthand, just kind of walking up and asking them, you know, what did they think as far as cybersecurity trends, and getting insight, and the honesty that we got was really cool, versus it kind of being like a sit down and scripted session.
Jason Pufahl 03:33
Yeah. And, you know, the little mics, they weren’t, they probably didn’t quite feel as formidable as the standard behind these, maybe, so I think people are at ease?
Krystal Racine 03:41
Yeah, for sure. For sure.
Jason Pufahl 03:42
So I think, we kind of pulled out three clips that we felt, I think that we thematically we probably heard, you know, a couple of people speak to as we were talking with folks, so we wanted to play those.
Krystal Racine 03:55
What would you say the biggest focus should be when it comes to cybersecurity for higher education institutes?
I think it would be talking to the end users and getting them more aware of the issues that we have to kind of keep them protected from.
Krystal Racine 04:09
Outstanding, and the million dollar question of the day, what keeps you up at night when it comes to cybersecurity?
It would also be the same thing with keeping the training and what they’re, what they’re doing, and getting them the information that they need and making sure that they’re as secure as possible.
Krystal Racine 04:24
Fantastic. Thank you. What would you say keeps you up at night when it comes to cybersecurity?
Ransomware and threat networks.
Krystal Racine 04:33
Fantastic, thank you so much. Where should higher education focus when it comes to cybersecurity?
We really need someone to contact when things start to go wrong. So if there’s a cybersecurity incident, and we need to know who to call, right, we need a big red button to push when everything’s going wrong. You need to pick up the red phone and call somebody. And that should be a partner that really knows our environment, and that we can trust on our network.
Krystal Racine 05:05
Fantastic. Thank you so much and have a great show.
Jason Pufahl 05:08
So, I think we ordered those the way we did on purpose because I think everybody should start with security awareness, maybe that helps reduce the risk of, you know, some of the ransomware and other pieces. But, you know, security, I would say, security awareness seemed to be a big topic, in general. Everybody was concerned about that.
Krystal Racine 05:26
Yeah, for sure. It was the million dollar question. I’m grateful we didn’t actually have to hand out million dollar answer checks, because it was a repeat offender, for sure.
Jason Pufahl 05:35
And we do a bunch of it, and I think, honestly, coming from higher ed, we probably have more respect for how important an educated workforce or educated community is.
Steven Maresca 05:47
I mean, ultimately, in higher ed, trust is the currency, whether it’s for academic purposes or security alike, so having everyone be operating at the same level of awareness is kind of integral to any sort of security program.
Jason Pufahl 06:02
And I think there’s a recognition now that the, it has to be a core part of whatever training occurs institutionally.
Steven Maresca 06:08
Right. And, you know, mandated training is a big deal in higher ed. So anything that really makes it part of that fabric is important.
Jason Pufahl 06:18
So the, you know, though, if your training fails, and then people, you know, click on those phishing emails, you know, there’s obviously the concern around ransomware, was it ransomware and threat networks, right?
Krystal Racine 06:30
Threat networks, yeah.
Jason Pufahl 06:32
I mean, there’s no doubt everybody’s worried about ransomware still. It, maybe we’ve seen a slight downturn over the last roughly 12 months, right, we’ve spoken about that on previous podcasts. But it’s still a huge concern for everybody, you know, it looms larger than, you know, the regulatory requirements, regulatory compliance requirements that they’ve got, I mean, that I think that’s the thing that keeps everybody up.
Steven Maresca 06:57
Yeah, I mean, it’s the lens through which, you know, lots of risk and compliance is interpreted, certainly. Insurance premiums have gone way up because of ransomware, tabletops are focused on ransomware. It’s the main specter and fear without any question, and, you know, on the education side of things and the actual awareness side, it doesn’t matter if someone clicks. I mean, we want, we don’t want them to, but we want them to know that when they click that, they’re equipped to actually back away and report it or, you know, give early warning. And that’s the linkage between the two. Perfection is not attainable, and that sort of thing. But as long as everyone’s vigilant, you better transit positive outcome.
Jason Pufahl 07:44
I like that you brought up tabletops because I think it’s the tool that a lot of security professionals are using now to bring the community together and talk about these things. I don’t think it, I don’t think it was as commonplace, really even what, three years ago, for non-IT people to sit down and talk about the risks of some of the potential incidents, ransomware obviously being one. So we’ve seen now a lot more, we’ve gotten a lot more requests to do tabletops. I think there’s generally a lot of interest and I think people are now approaching it from convening the right community, right, their discussions are, I’ll make sure I have HR, I’ll make sure I have legal, I’ll make sure I have communications, like they know the people that they need to bring into a room, which I think is really positive.
Steven Maresca 08:32
And some of that requires conversation before an actual crisis hits. So you know, it helps that everyone’s at least aware of their role and the sequence of operations, what things to say, what things not to say. Pretty, pretty essential, in my opinion.
Krystal Racine 08:46
Yeah. I like to say it’s the adult fire drill. We all had to go out to the recess yard for kindergarten when we knew where to go. A tabletop is just like that, it really helps you to understand where you’re going to break down. And I think that’s really, really important to companies.
Steven Maresca 09:02
Might as well find the flaws in your plan before it’s an actual necessity.
Krystal Racine 09:03
Yeah, a simulation prior to the tragedy.
Jason Pufahl 09:07
So you know, a couple of the things maybe that just jumped out to me, from a vendor standpoint. There weren’t, there weren’t tons of security vendors there, which frankly, the last few conferences I feel like I’ve been at has been predominantly or maybe security heavy, security vendor heavy. You know, there’s definitely a handful of online curriculum, you know, your Canvases, and etc. That’s obviously, there’s a huge move there, obviously. A lot of, I’ll call high tech classroom stuff, which I think we probably would have expected.
Jason Pufahl 09:46
We just had an opportunity to talk with Maurice Simpkins from the application fraud detection company. So, some interesting, I’ll call them, slightly tangentially related, you know, security practices. So, you know, that was really enjoyable. But, but I was kind of gratified to see that it wasn’t just, you know, 25 firewall and identity management and security consulting because, not that their conferences have been so heavily that way, but I’ve seen a trend in conferences and generally be very security specific.
Steven Maresca 10:23
I mean, heavy, heavy emphasis on learning management systems and other educational technology without a doubt. It’s a continuum, ultimately. I mean, kind of echoing the awareness aspect, you can’t really deliver that stuff without those capabilities in place to begin with. So, might as well.
Jason Pufahl 10:44
Yeah. I mean, I think if, you know, for, for people who are listening who don’t attend, I think it’s a good, it’s a good conference, it’s not so big, that you get lost. You, it’s localized, that New England area’s reasonably small. So you have a really high likelihood of running into peers, there’s good opportunities to collaborate in small groups, which I think is great. So that networking piece is really solid. And they always have good food. I mean, honestly, they always, they always have good food and drink during the vendor sessions.
Steven Maresca 11:18
And actually, on the vendor session aspect, this may sound strange coming out of our mouths, but the vendors at NERCOMP are, you know, somewhat off to the side. They’re not front and center, like they might be in some conferences. I think it’s a nice balance that they achieve there. And I know that other attendees certainly appreciate that.
Krystal Racine 11:37
Yeah, I agree. It’s nice and easy for people just to kind of walk up and down the aisles without people jumping out or you know, just trying to shove a product or a solution in front of your face. It’s a very calm, welcoming conference. Everybody is just really sharing information and kind of chit chatting, it doesn’t make a difference. You know, what school you’re from, what vendor you’re with. It’s just a really nice way to kind of understand what your peers are doing and understand what’s going on in the industry as far as trends.
Jason Pufahl 12:06
That’s the beauty of higher ed. I mean, that’s one great thing about higher ed is they are, they are collaborative for sure. So yeah, I’d be I don’t know if there’s any other major points, I think, you know, our reception was good. The conference lived up to its expectations. Providence is always fun to go to, I mean, it’s got good restaurants.
Krystal Racine 12:24
It’s a great city.
Jason Pufahl 12:24
So, you know, if people haven’t gone, there’s a number of good reasons to attend NERCOMP.
Steven Maresca 12:28
I mean, I think there were some other common threads worth mentioning. Everybody’s interested and worried about, Gramm-Leach-Bliley Act concerns, some other compliance aspects. People are definitely talking regularly about staffing issues and difficulties in filling positions. It’s become more problematic for a lot of institutions of higher ed. And I mean, I think we had some productive conversations with other schools and some of our former colleagues on those topics beyond what we shared a moment ago. We’re in an interesting time where everyone needs to be creative in addressing problems of this nature. You know, NERCOMP is a good venue for people to brainstorm together and share what works and share what doesn’t.
Jason Pufahl 13:17
So, we’re, I mean, we’re intentionally putting together a kind of organic podcast for this one in particular. I know we did a podcast on GLBA. It’s possible somebody didn’t hear that, it’s, you know, I think it’s important enough for maybe you to spend half a minute on, why are people talking about it?
Steven Maresca 13:36
Sure. So GLBA in particular, it’s a regulation that governs financial institutions. And the Department of Education considers institutions of higher education to be financial institutions as it pertains to financial aid, it’s part of their title for accreditation tied before funding. Basically, if you’re a parent or student applying your FAFSA form, that makes a school or university a financial institution, therefore, from the perspective of the Federal Trade Commission, schools are absolutely required to protect financial data of consumers and customers. That means that schools need to put in proper safeguards, self assess, make sure they’re doing risk assessments, coming up with Incident Response plans, doing cyber security awareness, training, reporting on an annual basis, and a variety of other things that basically help to safeguard data. The rules are changing. There are some deadlines, upcoming, you know, June 9, for making improvements with respect to data safeguards, and it’s a landscape that’s shifting. It’s been something that’s been forecast for the better part of five or six years, but, you know, the Federal Student Aid office is changing the way that they evaluate and enforce. So that’s the main message ultimately, for anyone in a school or university, you’re obligated, even if you’re not quite aware of that fact. And it’s worth asking your peers in other departments whether they’re aware of that so that you can work together to make improvements. Right. But, I mean, I absolutely saw you having sort of conversation after conversation about this. It’s top of mind for a lot of schools. Absolutely. And it’s, it’s tough, because there’s a lot of uncertainty about how to go about making improvements and what expectations there are.
Jason Pufahl 15:25
And that’s the challenge with not having a sort of a ratified, you know, due date and explicit security standard. I mean, I know they’re talking 800-171. But, you know, there’s obviously been push back on that. So, I don’t think schools are burying their heads in the sand necessarily, but I think, you know, some of them are definitely waiting for the dust to settle before they make any substantive changes. I feel like there’s a decent overview of the conference as a whole. I don’t have any parting thoughts. I don’t know if either of you do?
Krystal Racine 15:58
No, it was an all-around great time, and already looking forward to next year.
Jason Pufahl 16:02
I think that’s a fair way to end. You know, if any, of course, as always, if anybody has any questions, maybe, you know, maybe not questions about NERCOMP per se, but you know, tabletops, incident response, GLBA. Feel free to reach out. We’re happy to do another podcast on a topic that’s specific or just answer individual questions if anybody has them. So, as always, we appreciate everybody listening and hope you got value out of today.
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.