On the 8th episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with John Hoyt, Chief Information Security Officer at Clemson University. As a college and premier research institution founded in 1889, Clemson has over 28,000 students, nearly 6,000 faculty and staff, and operates a small city - leading to complex security and technology challenges. In this conversation, John discusses unique security requirements at Clemson, the evolving role of AI in cybersecurity, and the transformative potential of AI in academia.
Academic institutions like Clemson encourage openness and freedom of research, though balancing academic freedom with the need for security can be a delicate task. Faculty and researchers often require flexibility in their work, which can conflict with strict security measures. Universities generate and manage vast amounts of data, including research assets, student records, and financial information. Protecting this data from breaches and ensuring data privacy is paramount. Clemson isn't just responsible for safeguarding data; it protects an entire ecosystem comprising students, faculty, and vital infrastructure. Clemson's faculty plays a significant role in the focus of the university's operations, making security measures distinct from corporate environments. According to John, "Faculty were the secret sauce. They couldn't be told 'no' easily, which made things challenging but also more interesting." In essence, the unique security challenges faced by higher education institutions like Clemson stem from their multifaceted nature, comprising academic freedom, complex infrastructures, and diverse user populations. Balancing security while maintaining an open and collaborative educational environment requires a nuanced and adaptable approach to cybersecurity.
As universities evolve to meet the challenges of the digital age, CISOs play a pivotal role in safeguarding their institutions' sensitive data and digital assets. In this rapidly changing landscape, adapting to AI trends in cybersecurity has become a necessity for those tasked with defending higher education. John shares his thoughts on these challenges unfolding: “Some universities are building their own private AI environment. We're not there, but mainly in the purchasing part of it. If you can be in that decision tree when folks are going out to purchase new technology, and not trying to be a roadblock, but being able to understand what data is going to be there, what data classification, and whether they are doing the appropriate security controls.” John emphasizes the importance of focusing on fundamental cybersecurity principles while embracing AI to enhance threat detection and response. “With AI, there are already practical uses. ‘Create me a script or interpret this script. Look at this error in this log message and help me decipher it.’ That is stuff we can use and do use today.” John acknowledges the challenges of trying to stay ahead of nefarious actors but ultimately believes that awareness of the potential disadvantages will drive the solutions that put those tasked with defense ahead of the pack. “We're always a little bit behind the adversaries, but just being aware of it, trying to keep tabs on the new trends, it's going to push us to move and adapt.”
John believes that universities that are leaning into the advantages that AI can offer to the students of their institutions are the ones who will reap the highest benefit from the effort. John discusses the vital opportunity to prepare the future of cybersecurity professionals. He emphasizes the effectiveness of hands-on experience, mentioning that universities should provide students with opportunities to work on real-world security projects and gain practical skills. Integrating AI into cybersecurity tools presents an exciting avenue for students and faculty to explore. “Universities are a slow behemoth. Change is not fast. Adding and updating the curriculum is not simple. But I do think the universities that are going to succeed are going to connect the two. The cool thing about a university is you have researchers doing next-level AI research, you have your students, and you have cybersecurity combining all three.” This experiential learning enhances student problem-solving skills, critical thinking, and decision-making abilities. Cybersecurity is not limited to computer science or information technology; it affects various sectors like business, law, and ethics. Involving students from different disciplines promotes interdisciplinary learning as they learn how cybersecurity is relevant to their respective fields. This allows them to address cybersecurity issues holistically. “AI is going to be another tool in the toolbox that you want to expose, so we work with students. We have a student-run SOC; they intern with us, work with us, and then we try to keep them if we can. If they're interning and working with us, they can get that experience while they're in school as much as possible.”
John also sheds light on the complex cybersecurity landscape of higher education institutions and the evolving role of AI in tackling these challenges. As universities like Clemson adapt to the changing technological landscape, integrating AI promises to be vital in enhancing security measures and protecting the academic community. Students benefit by preparing for in-demand careers, and universities thrive by fostering innovation, enhancing industry collaboration, and staying at the forefront of cybersecurity education and research. This mutually beneficial approach aligns with the ever-increasing importance of cybersecurity education in our interconnected world.