One year in – a sit down with the CISO

Posted on January 27, 2020 by

This month, Chief Information Security Officer (CISO) Isaac Straley is featured as a guest contributor for my blog. Our ITS communications team had a Q and A session with Isaac to get his perspective. Also of note is that Data Privacy Day is taking place tomorrow, Jan. 28. Please join us at our interactive pop-up booth in the Bahen Centre for Information Technology lobby, from 11 a.m. to 3 p.m., to chat with both Information Security and Freedom of Information and Protection of Privacy staff.

— CIO Bo Wandschneider


U of T CISO, Isaac Straley, discusses information security and its role within the University

In December 2018, the University of Toronto (U of T) welcomed Isaac Straley as the University’s first-ever CISO. As an information security professional with 15 years of experience, he is working to bring positive change to the U of T community. We sat down with Isaac to discuss his vision for the University’s information security future.

What makes U of T a unique institution to protect?

U of T is a large, distributed, world-class research institution. Initially, it can seem like the higher education mission doesn’t fit with typical security models. The academy is a place of openness and freedom. These things seem at odds with the goal of protection, which can require locking down, implementing strong controls, and achieving consistency. So, we must find a different way of engaging the community. We have to empower people, educate them, and develop unique skills to protect this great institution. Maintaining openness and managing risk is not a zero-sum game. We can enable and empower openness while managing the risk.

How has information security changed in recent years?

The old information security model offers that there is a state of being “secure.” It assumes that if you just do enough: spend enough money, lock enough things down, say no enough, you will find the magical state of security. But this state doesn’t exist.

The new security model is one of managed risk. To live our daily lives or do business at the University we need to make trade-offs. In this new model, we consider what people need to do and then figure out how to empower people to do it safely. To me, security done right is empowerment.

What are your goals for the University’s information security future?

We want to use security to enable the mission of the University and help everyone make informed decisions. We will offer a robust outreach and education program and assessment services that divisions, units, and individuals can use to understand their risk and solutions without needing to be cyber security experts.

Would you say information security is a collective effort?

Yes; we’re all in this together. We share a network and resources, so we need to work together. When we find consistency in the way we approach things and we’re in agreement on how we treat certain types of information, we’ll be safer. We are each empowered to do our part to make the security program effective.

What are your top security tips?

  1. Use multi-factor authentication.
  2. Keep your computer up to date.

Those two things are always important. Most breaches happen because of a stolen password or an infected system. If we take care of our passwords and if we take care of our devices, we can prevent most breaches.