Cal State CISO discusses protecting sensitive data for half a million people

During this week’s “Privacy Please” podcast, Cameron Ivey and Gabe Gumbs chatted with Ed Hudson, the Chief Information and Security Officer from Cal State University. They talked about a wide range of topics – his life before security, his stint working at the White House, the unique challenges (and benefits) of working in higher education, and practical ways he balances the fine line of data access and privacy security at CSU.

Here are just a few of the things you will learn about when you listen to Episode 18 of “Privacy Please”:

Using the Marine Rule of Three to improve data privacy at Cal State

During his years as a Marine, Hudson learned the Rule of Three, which he applies to many aspects of his life today – even his role as Chief Information Security Officer at Cal State. He shares that everything in the Marines boils down to three things because it’s the highest number you can be effective with. A corporal has three people on a fire team, a sergeant has three fire teams on a squad, and a platoon contains three squads. Hudson has oriented his life around three things: his family, taking care of himself, and his job. While at work, Hudson only has three major projects on his plate at one time so he can give each his best work, which is very important with the level of detail required for data and privacy projects.

More than half a million people to protect

“The Cal State system’s the largest four-year public university in the country, we have half a million students, 23 campuses, and almost 50,000 employees. Protecting the data of half a million people keeps me pretty busy with different challenges every day.”

Ed Hudson, Chief Information and Security Officer at Cal State University

Why colleges allow (even encourage) websites blocked on corporate servers

Hudson initially assumed that servers were servers were servers, whether at a college or business. He quickly realized that while a lot of the technical aspects of data privacy and security are similar, colleges need a wide-open environment to allow for education innovation. While businesses focus on creating products and meeting revenue targets, academic institutions are developing educated people, which often means encouraging students to go to websites that corporate America would block.

Hudson also shared how the need for an open environment often conflicts directly with the regulations governing the university, both education/government specific and the California Consumer Privacy Act (CCPA). During the podcast, Hudson shares in-depth how Cal State balances following regulations while providing the IT environment needed for researching and exploring new ideas.

You can’t improve what you don’t measure

Because higher ed places a strong focus on academic freedom and protection of intellectual property, Cal State worked with various groups to explain the purpose of using Spirion and to set up rules and regulations. After scanning the endpoints, Hudson found many surprising pieces of data in large numbers and unexpected places. In addition to moving data stored inappropriately on the endpoint, Hudson also faced the task of protecting data that belonged on the endpoint. Cal State improved their endpoint protection by using Spirion on a regular basis for automated sensitive data searches. Spirion’s ability to search for different types of sensitive data allows Cal State to change their strategy in response to different data privacy and regulatory requests.

9 million SSNs found on one employee laptop

“When we first rolled Spirion out, I expected to find sensitive data in typical locations, such as finance and HR. I will never forget when I came in the morning after our first overnight automated scan and at the very top of the portal was an endpoint for one of our research department employees who had 9 million Social Security numbers. By following the path statement, I could see exactly where the data was on the endpoint.”

Ed Hudson, Chief Information and Security Officer at Cal State University

The “trick” to balancing privacy and data sharing

In 2020 – even more than other years – with COVID-19 and the census, educational institutions such as Cal State must balance the need to report data with the need to protect the privacy of students and staff. Over the past two years, data privacy for higher education has risen in priority, making security and privacy even more intrinsically linked to the student experience. Hudson says that these conflicting needs make the role of the CISO critical to creating both a secure and innovative culture. During the podcast, he talks in detail about what this role means and how he approaches the challenges of the job.

Because CSU prepares people for the workforce of California, the universities in the system must share data with many parties – other institutions, research institutions, and state and federal governments. However, this poses many issues, including how to share, what to share, and how to safeguard the privacy of the individuals. Hudson and Gumbs talk during the podcast about how Hudson balances these needs and the specific actions he takes with the data to meet both often-conflicting requirements.

But don’t think you know everything we talked about – or even the highlights. We just wanted to share a few topics to get you to listen to the entire podcast. The next time you’re in your car, exercising, or even doing household tasks, listen to this episode of “Privacy Please.” Or, even better, listen when you have downtime at work – we promise it will be time well spent. Click here to listen to this week’s podcast.

Spirion finds data in unexpected places – again and again

“Another surprising find was 20 million credit card numbers on an endpoint for an employee in charge of auditing and reviewing different campuses. We realized we needed to change our business process, aside from just protections, but deciding how long we needed to retain the information. In addition to Spirion being unbelievably valuable, the tool has found data in unexpected places – again and again.”

Ed Hudson, Chief Information and Security Officer at Cal State University
