
Keeping Information Security Simple – “Improvisational Jazz and Crisis Management” 

Letter from the CISO, Vol 5 Issue 1 

WashU Community: 

Riffing through a Crisis… 

In a recent episode of Boss Class from The Economist, “Handling a crisis: Keep calm and clarion” (which I recommend highly), journalist Andrew Palmer interviews Columbia University professors Chris Washburne and Paul Ingram about the course they’ve been teaching for the past 18 years on how jazz provides a useful way of looking at crisis management. He also talks with other experts and business leaders about challenging business crises that benefited from a management approach with parallels to jazz. While none of the situations are specifically about information security, several lessons apply.

Improvisation requires great expertise 

The foundational prerequisite of improvisation is expertise. Jazz musicians can riff and improvise because they are excellent at the foundational ability to make music. If I tried to play the saxophone I haven’t practiced since ninth grade, the best I could hope for is to make unpleasant noises. The thought of improvising is ridiculous if you can’t even play a basic melody. And even at the height of my playing ability, I had to concentrate fully on playing the music as it was written. There was no way I could have deviated from the score in any useful way.  

Fortunately, when it comes to Information Security, WashU has an experienced and expert team that is very good at dealing with all the regular attacks that come at us all day, every day. While we try to automate as much as we can in anticipation of threats, we also practice our skills and tactics to keep them sharp and strong.

That honed edge and strength are critically important when something new comes along and we must respond quickly, figuring out what’s happening and improvising new responses. Usually the differences are relatively small, and we can adapt existing responses. But sometimes a larger leap is needed.

But what does this mean for you? 

The truth is, we need your help. 

While we devote considerable resources to creating songs and rhythms that are regular and protect us from all the usual threats, malicious actors are constantly improvising and improving their attacks, looking for novel approaches. Successfully defending against these new attacks requires your help. 

Sometimes that means making sure your personal devices are set to automatically get updates and allowing them to do so. This is a vitally important defense against attackers who use software vulnerabilities that could have been patched but were not. 

Other times it means using the Phish Alert Button (sometimes labeled ‘Phish Report’) in Outlook to report suspicious messages. I often hear of people who forward a message to their boss or colleagues to warn them of a dangerously deceptive phishing message instead of reporting it via the Phish Alert Button. Forwarding it to other people increases the likelihood that someone will click on it by accident or just to see what happens. If you report it with the Phish Alert Button, the InfoSec team can safely analyze it (to make sure it’s truly a threat), remove it from everyone’s mailbox in WashU’s email system, and follow up with everyone who clicked on it to make sure nothing bad happened. 

Jazz performers still need leaders 

While jazz performers need both excellent skills and creativity to improvise, they also need a leader who fosters independent thinking and action, while organizing the team effort and ensuring harmonious results. 

Similarly, the university needs all of us – the employees of the Office of Information Security as well as all of you, the faculty members, students, staff, alumni, and other users, all members of my InfoSec team – to play our parts in the Information Security jazz ensemble.

Thank you for being part of the band. 

Stay vigilant, skeptical, and a little bit paranoid. 

If you need help with any of these ideas, please contact your colleagues in the Office of Information Security.  

Good luck and be careful out there! 

-Chris Shull, CISO