Meet the New CISO, David Sherry, and Your ISG
David Sherry joined CIS's team of senior directors this summer as Brown's Chief Information Security Officer (CISO). As the CISO, David will have university-wide responsibility and authority regarding matters of information security. He will head a four member security team, charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks.
David comes to Brown with over 20 years of experience in information technology. He most recently worked at Citizens Bank where he was Vice President for Enterprise Identity and Access Management, providing leadership for compliance and security governance. He had also served as Citizens' Vice President for Enterprise Information Security, overseeing the company's security operations and controls. David has taught classes at colleges in both Massachusetts and Rhode Island, as well as spoken on identity management strategy and implementation at security conferences. He holds undergraduate and graduate degrees in business management, and is a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).
Q. What drew you to Brown University and this position?
A. I have always found the atmosphere on a college campus to be both highly stimulating and deeply passionate. As a result, the goal of working in higher education has been a career goal of mine for quite some time. I've witnessed a convergence of this goal with my chosen field of information security in the past 18-24 months, as numerous institutions have created the role of CISO. While I pursued other university openings, and was strongly considered, I'm thrilled that ultimately I was chosen by Brown. As a lifelong resident of the area, I've always respected the reputation of Brown, and recognize the importance of the university to both the city and the state. In addition, I'm excited to be part of a university that looks proudly back on its history, while also being bold enough to allow its students to shape their own academic program through the open curriculum. In many ways, a security professional needs to think the same way. I'm excited to be part of this thinking.
Q. You've called yourself the "new kid on the block", having been at Brown for only a couple of months. In that time, how have you sized up the computing environment, and specifically, the level of security, here at Brown? Where are we on the right track, and what has struck you as needed the most attention right now?
A. While preparing to begin at Brown, I had assumed that the computing environment and the CIS staff were going to be of very high quality in terms of both knowledge and commitment. It did not take long for me to realize that this was absolutely true. While there is always room for improvement, especially when competing for resources and funding, the CIS group has created a stable and easy to use technology infrastructure, and continually looks for opportunities to improve while never sacrificing great service. Specifically from a security perspective, there is a great foundation that has been created at Brown. With the creation of ISG and our mission, the university is definitively on the right track. I've been impressed with the level of security awareness, and how the Brown community has embraced me and the role I've been chosen for. For immediate tasks, ISG will be reviewing and taking action on several keys areas of securing the Brown infrastructure. Of course, as a CISSP, I won't be able to share any details.
Q. Information security must touch every department, segment, business function and individual here at Brown. How will you as CISO reach out and work with the University community to enhance the current level of security of Brown's informational resources?
A. For a security team to be successful, they can't be confined to their office or cube. Relationship building and relationship management are key to creating a security conscious campus. I've already met individually with over 50 colleagues throughout the university, as well as having had the pleasure to attend the sessions of the campus DCC's and Sys Admins. I look forward to keeping this momentum going, and ensuring that I and my staff are supporting the entire Brown community for their information security needs.
Q. One of your responsibilities will be to oversee the newly formed Information Security Group*. What is the ISG and its goals for the coming year?
A. I'm very pleased to join Brown and be part of the newly formed ISG. The staff members are all veterans of CIS, which provides solid continuity while creating our security identity. While small in number and big in responsibility, we have the talent and diverse skill sets to cover all aspects of securing Brown's information. Our mission can be described in three key areas: providing proactive security expertise, engineering robust security architecture, and enhancing a culture of security awareness. We'll be addressing some infrastructure tasks initially, we'll also be establishing key relationships throughout the university, supporting numerous CIS and departmental projects, and holding several security awareness events.
Q. How will you know when those goals have been met?
A. The establishment of a new team is an exciting opportunity, and our growth curve will be steep. We'll evaluate our success through attendance at security training, requests to consult on projects earlier in the lifecycle, finishing off security tasks in the agreed upon time frame, and driving home internal security projects to completion. Informal feedback from our university colleagues will also be valuable in assessing our performance. As a team, we've already seen great results, which inspires us to do even better.
Q. Your extensive background includes working at a major financial institution, at a small, cutting edge private firm providing managed-services security solutions, and at a large governmental agency. How do you see that experience informing your plans for information security at Brown?
A. Brown is a diverse institution, and the technology infrastructure is similarly diverse. When I look back at the types of environments I've worked in, it appears that I could be called diverse as well! The environments that I have been fortunate enough to be a part of have provided me the wisdom to see that each organization has its own unique pace and rhythm, which will allow me to ease into a higher education position with ease and respect. In addition, having managed technology in three other distinct organizations will translate well to the university. Brown has regulatory compliance to follow, Institutes that fast-track technology projects, and university-wide initiatives that need to be thoroughly vetted. I'll use my career experience to ensure that the proper security participation is included at the proper time and with the proper level.
Q. What keeps a CISO awake at night? Or conversely, what ensures a good night's sleep?
A. After being in the security profession for close to a decade, one thing that I have learned is that preparation is key to being able to sleep at night. While we may attempt to prepare for any and all situations, the security landscape is constantly evolving and the stakes continue to rise. I will be championing the Brown Computer Incident Response Program (CIRT), which is currently in place. Ensuring that the preparations are well documented, deeply understood, periodically tested, and continually reviewed to align with best practices, will make not only my night's sleep be sound, but also many others throughout the university.
Q. What motivates David Sherry? And what relaxes him after a long day?
A. First and foremost, my faith is the most important part of who I am, and how I go about both my professional and personal life. My biggest motivator is the strength of my family, and ensuring that our home life is stable and memorable while also preparing my children for the future. With this in mind, my relaxation revolves around our home and activities. I am also an avid reader, and enjoy both baseball and hockey.
Q. What would be the most important piece of computing advice that you'd like to pass along?
A. In a networked world, passwords are oftentimes a very weak link. Not only should you make your password strong, but you should also treat it like your toothbrush: don't let anyone borrow it, and change it every 30 days.
Q. Is there anything else you'd like to add?
A. Brown is just large enough to have a global population and reputation, while also being just small enough to get to know everyone. Security cannot succeed without a security-aware Brown community, so I look forward to meeting as much of the university that I can, and partnering with all of Brown for continuing mutual success.
* The team includes Steve Hasson, Lead IT Security Engineer, Bob Fletcher, IT Security Engineer, and Pat Falcon, Coordinator of IT Policy 
and Communication.
Steve Hasson joined CIS in March as its Lead IT Security Engineer. He came to Brown after working at a variety of businesses and institutions: Plymouth Rock Assurance Corporation, One Beacon, Citizens Bank, GTECH Corporation, Bryant University (taught), and New England Technology (taught). Steve started out as a helpdesk technician, quickly moved to a network engineer from Cisco, and was then promoted to a senior network engineer focusing on security. I obtained my CISSP then moved into a senior security engineer position. (See the profile from the last edition of Secure IT! for more about Steve.)
Bob Fletcher has been a member of CIS for over two decades. Initially working for the Computer Store when it was part of CIS, he later became a technician in Service & Repair. In 2001 he moved to the Network Technology Group where he took on ever growing responsibilities, eventually becoming a Security Engineer in September of 2007. As part of the CIS reorganization in May of 2008 he became a member of the new ISG. Bob's work focuses primarily on the operational side of the ISG which includes firewall changes, vulnerability scans, and maintaining ISG systems.
Pat Falcon has been with CIS for over a dozen years, working with various groups -- Applications Development, Computing Accounts, the Help Desk, Communication -- until becoming responsible for information security policy and safe computing awareness four years ago. During that time Pat has been instrumental in the planning and execution of the campus's celebration of National Cyber Security Awareness month in October. She also launched and serves as the editor of ISG's Secure IT! newsletter. In addition to her training and awareness responsibilities, Pat supports the risk assessment survey process and development of computing policies.