Keeping Information Security Simple – Who’s Responsible for Information Security?

Letter from the CISO, Vol 2 Issue 1

Washington University Community:

Who’s responsible for Information Security at WashU?

It seems like an odd question for me to ask since I’m the Chief Information Security Officer, but I ask it anyway.

I know information security is my responsibility. Or, at least, it’s usually the person in my position who gets fired if something really bad happens. Unfortunately, I have no superpowers that allow me to always be everywhere to ensure nothing bad ever happens. And my objective is not to prevent all bad things from happening but to reduce the risk of material harm to the University from a cyber incident.

Your help is essential to helping us avoid material harm every day!

I wish we could institute protections to make it easy, but with 90% or more of cybersecurity incidents globally attributable to phishing emails, the bad guys are constantly innovating to get past our protections. Recently we’ve seen them figure out how to phish us for WUSTLKey logins, including the DUO passcodes, which almost never happened just six months ago. They also use drive-by website malware downloads and phish via voice, text message, and social media. Facebook has long been a source of many problems, but now LinkedIn is used more and more by malicious actors.

I spend a lot of time working with IT professionals and university leaders, designing and implementing protective technologies and procedures. Usually, these protections are annoying and get in the way of people accomplishing their work, but they are essential to keep the bad guys from doing /their/ work. Sometimes we can improve protection while making things easier. An example is the DUO “push” method of 2-factor authentication we’ve recently been insisting people use rather than entering passcodes.

A year ago, I welcomed everyone at WashU as a member of the Information Security team. A couple of weeks ago, I was very pleased to receive an email from one of our nurses, embracing the idea, identifying a security problem she has observed, and proposing three possible solutions. I can’t tell you how impressed I was!

But the responsibility to help ensure the security of our information systems doesn’t always require such hard work.

The best thing everyone can do is simply remain alert and suspicious when reading emails and other messages.

We have excellent resources on what to look for on our Social Engineering Red Flags web page at

When in doubt, please select the message and click on the “Phish Alert” button (PAB) with the orange fishhook in Outlook. It looks like this in the Outlook toolbar on my Mac:

Our Information Security team will quickly analyze the message and get back to you on whether it was malicious.

Thank you for reading and being part of the University’s Information Security team!

Good luck, and please be careful out there!

-Chris Shull, CISO