Inside IT Security at Brown: A conversation with Connie Sadler
Connie Sadler has been Brown's Director of IT Security since 2003. She arrived with a variety of experiences, having worked at a governmental agency (Brookhaven National Laboratory), in private industry (Lockheed Martin), and in higher education (Stanford University). In addition, her technical background includes work as a system and network administrator, and she has managed a deskside support organization. Besides her specific IT security duties, she is also a member of the Computing Advisory Board, Brown's Rights and Responsibilities Committee, the Administrative Leadership group, the eCommerce initiative, and the Risk Management Network team, and is Brown's designated agent under the Digital Millennium Copyright Act.
Q: You arrived on campus in early 2003. While less than THREE years by the calendar, for information technology, that's a long time. What changes have you noted in security "hot topics"?
A: Fraud is big now – the internet is increasingly dangerous. Spyware, phishing and identity theft have all taken over as the biggest threats to all of us who use technology.
Q: What's appeared on the 'scope and what's dropped off?
A: We have a pretty good handle on spam and viruses. People can protect themselves through technical means, i.e., personal firewalls, encryption and good anti-virus and anti-spyware software. Social engineering is the main change. Users need to use their judgment more to protect themselves, by never opening attachments that are unexpected, or by never clicking on internet links in response to an ad for some cute new utility, product, graphic or game.
Q: What keeps an IT Security Director going all day? Describe a "typical day", if there is such a thing.
A: I believe that information security professionals on the front line are very interrupt-driven. It's a challenge to manage a day's work. Like someone working in law enforcement, it's difficult to predict what might come up.
But I generally start my day by checking alerts from various sources, media outlets that track new vulnerabilities, and security mailing lists – to see what actions we might need to take – or what news we might need to get out to our IT professionals or to our users.
I get a lot of phone calls regarding requests for information – or assistance on various security-related matters. I probably get more calls and messages than I'd like, but believe that this sort of “approachability” – my word – is important in a community like the one we nurture here at Brown. I also work on projects like risk assessment – and with various departments that are struggling with one issue or another. There are also a lot of meetings to discuss policy, incidents, processes or challenges that are always on the radar.
Q: What keeps an IT Security Director awake at night?
A: I can't be specific in my answer, but there are areas where I know there are risks and I just haven't been able to get to them. Those are the things that generally keep me awake at night. And the challenge in communication – how do I get information to the right people in a timely manner?
Q: Since arriving at Brown, what goal(s) have you achieved that make(s) you the happiest (or, are most satisfying)?
A: Establishing people in all of the departments that I can partner with has been very satisfying. When you work in a small group with a big mission, it's very important that people are willing to help you. No one can accomplish these goals alone. And the people at Brown have been very cooperative. If you need their help, they are there. I get very little resistance, because people want to do the right thing.
Q: What still looms large in your sights for the next year or two?
A: The primary goal right now is to identify every nook and cranny in the university that holds sensitive information of one kind or another. And once we know where all of it sits, we need to ensure that a willing and properly trained individual is looking after that information. Sounds simple, but it won't be easy. But again, people are willing – they just need to know how they can help and where they can go when they need support.
Q: What one piece of advice would you give to the general computer user that would save them the most time and grief? (Or to phrase it another way, what one piece of advice would you give to the general computer user that would make your life easier?)
A: Set aside ten minutes a week for care and feeding of your computer. It will love you for it. Initially, it takes more time, but if you regularly check your anti-virus, scan for spyware, remove cookies, and look for new processes running on your system, the investment in time becomes smaller and smaller. Individual users just need to become a bit more familiar with the standard tools that are really easy to use. It's empowering!