How a Policy and Security Office Is Reimagining IT Culture

by Laura Geringer

June 25th, 2020
UTO Humble heroes - 25 UTO employees in Zoom meeting participant grid
UTO Humble Heroes: Tom Castellano, Richard Chappell, Donelle Culley, Carolee Deuel, Stephen Garcia, Alyssa Goldstein, Fred Hernandez, Michelle Hernandez, Rebecca Hirschfeld, Martin Idaszak, Robert Kamilli, Ahmed Khalil, David Lee, Darnell Loggins, Giovanna Lopez, Jeff Lords, Kevin Lough, Jason Pratt, Sean Reichert, Frank Rodriguez, Karen Tamayo, Tina Thorstenson, Jennifer Tweedy, Barnaby Wasson, Jeni White, TJ Witucky, Brett Woods and Melody Young

Partnership, Leadership and Stakeholder Empowerment are at the heart of the ASU UTO Governance, Policy and Information Security Team’s unique approach. These domain experts and cultural ambassadors cultivate effective information technology (IT) practices, drive security and enable innovation across the university.

“How can we do things better together?”

This question, posed by Tina Thorstenson, Chief Information Security Officer (CISO), reflects the culture of collaboration that drives her team’s work. Information technology touches every facet of ASU life and every member of the university community. In this complex and ever-changing environment, the Governance, Policy and Information Security Teams are challenged to bolster technology alignment, information security, policy and compliance -- and to do so in a way that enables innovation.

“We have a responsibility to our ASU community -- our ASU family -- to keep them safe,” said Rebecca Hirschfeld, a System Architect with the Information Security Team, “and being part of the security office involves everything globally as well as within our campus community

Resources for any learner, at any age

ASU for You

These partnerships enable both proactive innovation and responsive adaptation. For example, in collaboration with EdPlus around ASU Open Scale -- a learning pathway designed to expand access to higher education -- this team helped provide the technical foundation for a new ASU initiative.

In response to COVID-19, ASU launched ASU for You, a collection of digital education resources available to all. With this project, the number of learners who needed a new digital identity to access ASU systems and resources skyrocketed. In partnership with EdPlus, this unit of the UTO developed a way to quickly create these identities and provide access to learners. Using an automated process, GPIS team members are able to keep up with demand, bringing on 50 to 100 new accounts per day. Since March 1, a total of 2,407 new identities have been created for EdPlus, including Open Scale and ASU for You.

The UTO Governance, Policy and Security teams were also integral to the partnership between ASU and Air University, the U.S. Air Force’s eSchool for graduate professional military information. “In order to get the partnership with Air University, we had to get certified by the Air Force to connect our systems to theirs, and we had to get a security certification,” Tom Castellano, Lead Architect & Senior Director of Cybersecurity Strategy and Assurance, shared. “I'm most proud of getting that accomplished. It was really a team effort.”

According to Air University Public Affairs, the partnership between ASU and Air University will “transform the distance learning experience for Air Force officers and civilians worldwide,” and is already serving 1,650 Air Force students. As with ASU Open Scale and ASU for You, GPIS was integral to developing the online identities for these students.

Strategic partnerships with vendors and industry leaders are also a key part of ASU’s efforts to proactively safeguard our community and seek out opportunities for innovation. For example, to bolster protections for the ASU community in this new remote modality, the Information Security Office collaborated with CrowdStrike to provide antivirus software for home use. This UTO team and the broader ASU community are also partnering with vendors around free training resources.


UTO Story Arcs: Connected by Culture

“Leadership is a critical part of GPIS,” Carolee Deuel, Director of Policy and Compliance, explained. This team enables information security and effective technology practices for all 34 decentralized units at ASU. “We’re not about mandating,” Thorstenson explained. “We develop partnerships and encourage everyone to be at their best.”

For example, the Information Security Office informs and collaborates with the Information Security Task Force, a team of senior leaders from across the university, to lead information security at ASU. This task force provides feedback and recommends new policies and standards. The decision to roll out two-factor authentication to all ASU staff, for example, was made through conversation with this task force. 

“We're advisors,” Deuel explained, “but the only way that we can be successful is if we're really good listeners, because people need to feel that we are there to help them not to dictate something that just makes their life harder.”

Thorstenson’s unique approach to governance, policy and information security centers around a holistic understanding of and commitment to ASU’s mission and culture. “We align the university mission and goals with the technology needed to support those goals, and anticipate university needs,” Thorstenson said. “We strive to be stewards for better IT culture and communications across the university.” 

“Tina is an inspiration as a leader both within ASU, and across a male-dominated field like cybersecurity,” shared UTO’s Executive Director of Creative + Communications, Samantha Becker. “I aspire to achieve the same level of expertise, agility and insight as Tina in my own field. Though there is an instant gravity that comes along with prioritizing safety and security, her positive and appreciative attitude adds to the cultural wellbeing of the UTO and ASU.”

As the Deputy CIO for IT Governance, Policy and Information Security, Thorstenson leads with Positive Core culture, a deep respect for collaborators and a grounded optimism. Thorstenson guides her team in providing leadership beyond matters of technology or information security. “We work to ensure that ASU’s enterprise IT team (UTO) is a strategic partner with all ASU units,” Thorstenson explained, “advancing 1) technology leadership across the ASU enterprise through strong connections... 2) ASU's innovation through collaboration and cross-unit partnerships, and 3) safety and protection by bringing visibility to potential IT risk.” 

This focus on culture and alignment enables the GPIS team to rapidly pivot in the face of new threats or changing environments, including adapting to the complexities surrounding the COVID-19 virus. For example, when Brett Woods’ National Guard unit was activated to support the Arizona community, his colleagues on the Information Security Team took on additional responsibilities and enabled Woods to support Arizona’s coronavirus response.

UTO Get Protected site screenshot
The Governance, Policy and Information Security team provides resources and tools at

Stakeholder Empowerment

A core way in which the Governance, Policy and Information Security team demonstrates leadership and collaborative partnership is by educating and empowering the ASU community. “Stakeholder empowerment,” Castellano says, “is through focused engagements with a common growth-mindset approach to increase impact, drive success, and develop teams.”

The GetProtected website offers curated security information and resources for the ASU community. Additionally, refreshed information security training is provided every year. “We release a new version of that training every July, and the process is in the works right now to rewrite scripts and get that started,” explained TJ Witucky, Director of the Security Operations Center.

By providing resources and tools, this team enables staff, faculty, students and other stakeholders to better protect themselves and ASU. For example, the annual IT Risk Assessment enables stakeholders to better understand and mitigate the risks to their platforms and tools. GPIS provides a survey to units across ASU which illuminates the strengths and potential vulnerabilities in their systems. “Stakeholder empowerment is crucial to the mission of the ASU Information Security Office,” Witucky shared. “All ASU students, faculty, staff, and affiliates must be empowered to secure any ASU information and assets under their control as ultimately, the security of the university is everyone’s responsibility.”

Another tool, the Executive IT Risk Review Dashboard, provides leaders across ASU with both high-level and detailed views of their unit’s systems, strengths and vulnerabilities. “We're here to be your partner,” said Hirschfeld, “to help you resolve things by providing guidance to show you what needs to be fixed and how potentially you can fix it.” 

For this incredible team, partnership, leadership and stakeholder empowerment go hand in hand with technology and security. “Governance, Policy and Information Security teams provide us with the most basic of human needs -- safety and security,” Christine Whitney Sanchez, UTO’s Chief Culture Officer, shared. “This team’s values-led approach and dedication to customer delight positions them as culture leaders within and beyond UTO, and enables them to better safeguard the community and enable innovation across ASU.”

UTO is full of unsung heroes -- Problem-Solvers, Jumper-Inners, Quiet Leaders, Cheerleaders and Champions, Agile and Flexible Doers and Attitude Winners. These team members embody the best of UTO in their everyday work. UTO Humble Heroes is a series featuring the people who make UTO run -- their stories, in their own words. These exceptional team members solve problems, provide support, and help students, staff, and faculty at ASU. While everyone is connected digitally, the idea is to share the journey of what our teams and colleagues accomplish.
