7 Questions with REN-ISAC's Anthony Newman

We asked the Research and Education Networks Information Sharing and Analysis Center's recently appointed executive director about today's biggest cybersecurity challenges and his goals for REN-ISAC moving forward.

This year marks the 20th anniversary of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), the Indiana University-based cybersecurity organization dedicated to safeguarding the research and education data of more than 750 member institutions around the world. To find out what REN-ISAC has in store for the next 20 years, we sat down with Anthony Newman, who was recently appointed as the organization's new executive director.

The following conversation has been edited for length and clarity.

Campus Technology: You have an extensive background in IT — what brought you over to cybersecurity?

Anthony Newman: I came kicking and screaming to security.

My first professional job out of college was as a sysadmin at a small manufacturing plant. And I did everything: I was also the network admin, the mail server admin, the data center admin. So I naturally had to handle security, and back then, I just did a lot of reviewing logs. For years, I did a lot of log analysis and review and firewall management, things like that — things that I didn't really consider security, but were part of the security stack. Even later in leadership roles, I had a hand on that.

I never really had that dedicated security role until I was approached at Purdue for the CISO role, and I initially turned it down. I said, "No, I hate security. It's so much work. You don't get any benefits of it. It's all work, no play. It's running uphill." Knowing my strengths and weaknesses, the CIO at the time said, "Well, why don't you just jump in and see what you can do to make them more efficient and get more done?" I did that for several months, and then kind of walked away and said, "That work's done. I'm gonna go back to my job." And again, the CIO said, "Why don't you consider the CISO role?" So I said, "I'll do the interim role." In that role, I kind of fell in love with it and realized what I had been missing for the past 17 years. And now, I don't know that I'll ever work outside this space again.

What keeps me in cybersecurity is the fast pace. I love that it's constantly changing: If you look back five years ago, that's a vastly different world compared to where we are today. Our threats are different, how we handle threat mitigation is different, and a year from now we'll do everything slightly differently as well.

CT: Coming to REN-ISAC, what are your first priorities as executive director?

Newman: We've had great leaders in the past and they set us up for success. The few things I'm doing right now are really around trying to continue that success. For instance, we're looking at our service offerings. We have a core service offering which is really the information sharing piece. Every day of the week, most of our members count on our daily watch report and any type of alerts that we might send. We also do CSIRT activities: We are the CSIRT for higher ed for the U.S. and Canada. And then there are all these other services that have been added over the years, or where members have said, "Hey, we don't have a way to do this. Can REN-ISAC do it?" Those are the things that we're evaluating right now. We have our core mission, but nothing precludes us from doing other things that also help those same members, be it security assessments, penetration tests, or general assessments. Those are all things that we're primed and ready to do.

We also offer some services that I think we can automate more. As a former CISO, I know that CISOs don't have time to buy something, learn everything they can about it, implement it, and then use it in an operational manner. They really need turnkey solutions. For example, we have lots of customers that use our threat intel platform, but it's not turnkey today — and we need it to be turnkey.

And finally, just being financially strong and making sure that we stay up with what's expected. We're 20 years old. We're not a government mandate, even though many people think we are. Some ISACs are funded kind of as an expectation; we're not. We have over 750 member institutions, and every year, we essentially have to justify our existence with them. And thankfully, we've increased our members every year and there hasn't been a challenge. But just from a business sense, every year — because of the price point, and because of the budgets in higher ed — we have to justify our service. You don't see that in a lot of other industries, where being part of an ISAC is actually something they report to their board or to their public filings. So that's just kind of a unique aspect with higher ed.

CT: Drawing from your experience as a CISO, what would you say are the biggest challenges for higher ed CISOs right now?

Newman: Without a doubt, it's doing more with less. Every institution, regardless of its current financial state, is expecting the entire IT and security suite to operate more with less. And that could be through grants and other funding, or it could be, "You're going to cut your budget by 3% this year."

The biggest challenge from a threat perspective is protecting massive amounts of data. Higher ed has lots of sensitive data: individual student data, their parents' social security numbers and tax records, things like that. In many schools, all of that data will end up on a server somewhere. That's not going away. And now you have students who also expect to live, work, play, and have access to everything all at once — so you have to have a strategy to protect all of that data, while also doing it with less central funding. That's a big challenge.

CT: When you think about efforts to break down data silos and utilize data across the institution, does that complicate the security aspect?

Newman: It does. What we're seeing now, and I can only speak from my experience, is the expectation that data from one part of the institution will be able to be utilized for other business analysis. And I use the term "business" loosely: It might be, how do we get students to graduate on time? Or how do we get more students graduating? That is the "business" of higher ed. There's an expectation that the business needs that data, so there is a tendency to try to break those silos down. And if it's done in the right way, it's great. But that also presents new challenges.

If you want to move quickly and do things quickly, sometimes those different arms of the business don't talk. You might have a president or a provost say, "We need this data to do this," or, "I expect us to have more students next year graduate at the four-year mark." And that message isn't always shared with the IT group that has access and protects all of that data or manages the data centers and databases. If there's strong communication, it works just fine. But it's a big challenge if the organizational structure does not support that communication.

CT: How would you say the cybersecurity risk landscape has changed in the face of emerging technologies like AI?  

Newman: I don't think it's necessarily presenting as significantly more risk. While some are doing nefarious activities with AI to try to simplify attack vectors, researchers are using AI to combat that.

Yes, various large language models can produce really convincing e-mails that could be used to target schools or individuals, especially universities that do significant research and DoD. But today, most phishing works by quantity. It's really a numbers game.

Prior to being hired, I joked with my REN-ISAC team that we're using ChatGPT to do all sorts of things. Who knows whether I used it to write my application for the position? And then when I actually turned in my resignation from Purdue, just as an "I wonder what this does," I anonymized the information and threw it into ChatGPT to see what it would come up with. And it's really good, right? That's why people use it — it's really good. But it will not replace humans anytime in the future.

Take that phishing example. You know this because you probably receive hundreds of e-mails a day. If you get an e-mail that says it's from Anthony Newman, and it looks and feels fine, but it's asking for something that I shouldn't be asking for — you're going to catch that. That's not based off of a technology; that's based off of cyber awareness, that's based off of your knowledge of cybersecurity and your knowledge of best practices. And that's what many forget: Even the most well-crafted e-mail will be picked up because at some point the attacker will have to ask you to do something. There's going to be levels of protection and layered defense — you're going to have some link protection and you're going to have maybe some boundary protection — but ultimately what it will come down to is when the attacker asks for something, does the recipient know they shouldn't do it? Maybe they clicked on the link, but now it's asking for a username and password. Why would this person send me to a site that requires me to log in? That's where, thankfully, we have humans to make that judgment.

But that assumes the person they're asking has some cybersecurity knowledge. That's where a lot of institutions are weak. In your total budget of "protect things," now you're saying, hey, in addition to this, we either have to staff a position that does cyber awareness training, or we have to go buy an off-the-shelf solution that does cyber awareness, which also isn't inexpensive. And the only way you typically get those approved is by having the executive leadership that understands cyber.

CT: Speaking of having to spend more money on cyber awareness, what else do you think institutions should be thinking about as they evolve their security strategies?

Newman: It goes back to the budget. Leaders need to stop focusing on things that don't matter. There are lots of controls you could look at, but the CIS Top 18 is a great one. Making sure you're doing all 18 controls really well will get you 99% of the way down the road. And then from there, it's a lot of checks and balances. Have someone from the outside conduct a third-party assessment. If you can't afford that, you could probably afford doing internal tabletop exercises. It's always best to have outside parties assist with that because they will ask questions you don't think about. But whether it's internal or through a third party, build an audit function on the cyber side to say, "Hey, you said you did 18 controls, but our assessment shows that this area actually isn't done, and we talked to internal staff and they confirmed our findings." If you do all of those things, you will be really successful — no matter how fast the pace of change is. CIS Controls have been around for years and years and years, and there have been adjustments, but they're not night-and-day different from what they were 20 years ago. They're still very similar. If you focus on those, that's going to help you no matter what you encounter. There's a reason that government uses a lot of similar controls in the Department of Defense space — it's because they work. When we say they don't work, it's typically because we miss something, or we didn't fund it properly, or something like that.

CT: REN-ISAC has tons of resources available, both to the public and for members. Where's the best place to start, to engage with the organization?

Newman: One of the things we're looking at doing is ramping up our social footprint. That's something I came in with a vision to do. And so you'll probably be seeing me and others on various platforms like LinkedIn, where we can provide free content for people to consume.

Ren-isac.net is a great place where you can read about news, events, our service offerings, our governance model, and how we operate. There's also a Contact Us page on there, and you can always e-mail us at [email protected]. Find me on LinkedIn, send me a message, and I'm happy to answer any questions.  
