Enhancing Cybersecurity & Privacy at UIC: An Interview with CISO Shefali Mookencherry

Interview with UIC CISO

Joining us in January 2023, UIC Chief Information Security Officer Shefali Mookencherry is responsible for information security and privacy for the university; developing the information security and privacy strategy; refining university policy to reflect the changing landscape of information security; and ensuring that information assets are adequately protected.

In this spotlight interview with UIC Technology Solutions' Marketing & Communications Strategist Anthe Mitrakos, Mookencherry shares insights on her role’s various responsibilities, and her plan on working with the UIC community to progress in improving our cybersecurity and privacy efforts’ maturity and posture.

My experience in leading and managing the cybersecurity and privacy programs at UIC entails collaboration with everyone from cross-campus levels to the System level to ensure that IT Security and Privacy are everyday concerns for everyone professionally and personally.

Shefali Mookencherry  |  UIC Chief Information Security Officer

Spotlight Interview with UIC CISO Shefali Mookencherry Heading link

security

Anthe Mitrakos: How would you describe a day in the life of a university CISO?

Shefali Mookencherry: The assumption here is that the University CISO is working in a hybrid mode with various days onsite and remote. As the University CISO starts every day, the first thing on their mind is how safe their organization is and what new attacks the hackers will come up with today.

First thing in the morning, is for the University CISO to review their emails, upcoming meetings/calls, text messages, scroll through cyber community news, social media, and listservs to ensure that nothing urgent has cropped up through the night into the morning. The morning starts with the hope that everything related to security is going well and that critical systems, applications, and processes are operating as expected.

Next thing to do is to check in with IT Security and privacy leaders and staff to obtain a list of immediate concerns, incidents, events, issues, comments, and ideas. While this is going on, the University CISO looks to prepare for upcoming meetings/calls and develops deliverables.

The University CISO will work with all members of their community as needed to provide a safe and secure environment. Their work timeframe entails 24 hours, 7 days a week, and 365 days in a calendar year. Each day has similarities, but some days are very different, especially if there is a cybersecurity event.

Shefali Mookencherry  |  UIC Chief Information Security Officer
Security

A.M.: What are the most significant cybersecurity threats and risks facing universities today, and how would you prioritize addressing them? 

S.M.: Some of the most significant cybersecurity threats a university could face involve the impact of international tensions, internal user behavior, and external malicious actors. Priority would be given to threats based on safety, risk, likelihood, and impact.

A.M.: Is there a project or effort in particular that you are working on right now at UIC that you would like our audience to know about?

S.M.: I am working on implementing the IT Security and Privacy Strategic Roadmap and Plan for this fiscal year. We will be working on developing new policies and revising existing policies. We have chosen the NIST Cybersecurity Framework and Privacy Framework to bring awareness to why we do what we do, how we do it, when we do it, where we do it, and who is involved. Many activities are being planned to engage the UIC community on various security and privacy topics.

A.M.: How do you stay updated with the latest trends and advancements in cybersecurity, and how would you ensure that the university’s security practices are up to date and in line with industry best practices? 

S.M.: I stay updated through cyber and privacy community news, established relationships, social media, thought leadership, speaking engagements, benchmarks, best practices, cyber reports, cyber associations, privacy reports, privacy associations, and listservs. Through all of these approaches and more, I am able to provide guidance and leadership to the University and propel its cybersecurity and privacy programs maturity.

A.M.: Universities often deal with sensitive data, including personal information of students, faculty, and staff. How would you ensure the protection and privacy of this data while maintaining an open and collaborative environment?

S.M.: I would encourage and influence our UIC community by:

  • Establishing privacy and security policies, standards, and secure data collection processes that account for culture and appetite of the University, while aligning with our vision, mission, and goals;
  • Ensuring the University complies with applicable privacy and security laws and regulations at the state, federal, and international level;
  • Developing data privacy and security awareness training for students, staff, and faculty;
  • Staying abreast of the latest data privacy and security best practices and new technology;
  • Responding immediately to any privacy and/or security breaches or incidents, and always stay prepared;
  • Knowing who has access to student and employee’s data;
  • Being transparent about the data we gather;
  • Analyzing current data privacy and security procedures and build an action plan to improve them;
  • Keeping University leadership aware of the cybersecurity landscape, threats, risks and remediations;
  • Understanding student, staff, and faculty satisfaction.

A.M.: Collaboration and communication across various departments and stakeholders are crucial for a successful cybersecurity program. How would you foster effective partnerships with IT, academic units, administration, and external organizations to enhance the university’s cybersecurity posture? 

S.M.: I would establish relationships with as many people within our UIC community to foster a collaborative environment as security and privacy should be everyone’s concerns. Setting a clear foundation for business relationships and nurturing them is key.

Emphasizing accountability within and across the UIC community is essential. Using metrics to gauge success is meaningful. Being willing to change things up if needed. Meeting with leadership, students, faculty, employees, and vendors can help bring an awareness of the university’s culture and acceptance of risk. Meetings could occur on a daily, weekly, quarterly, semi-annually and annual basis. These meetings can be onsite face-to-face or remote via teleconferencing tools. Lastly, providing education and training to the UIC community.

Development of a comprehensive strategy involves understanding current cybersecurity maturity, hygiene, posture, stakeholders, threats, risks, needs of the institution, culture, safety, inclusiveness, fairness, accessibility, and appetite for change.

Shefali Mookencherry  |  UIC Chief Information Security Officer