Don Welch – Penn State University

Over a 25-year career in the Army, Colonel Don Welch confronted his share of challenges. Only, back then, the enemy was much better defined.

Now, as the chief information security officer for Penn State University, a position that spearheads cybersecurity for 80 IT departments, Welch is confronting a threat of a different kind in the form of 8-12 million online events each day.

In an environment where a single miss or slip can cause untold damage, diligence and attention to detail are as important as knowing what you’re looking at.

“We use systems that try and triage and surface the most important alerts, so our analysts can sort out which seem the most dangerous,” Welch says. “Part of that is having the skills and experience to understand what the actual threat is.”

High stakes

The first step is to determine whether the event in question is simply a garden-variety virus, most of which can be addressed with a rudimentary patch or system purge, or a more targeted strike designed to gain a foothold.

According to Welch, these latter attacks begin with malware or phishing, both of which have grown considerably more sophisticated in recent years.

As CISO, Welch is responsible for detecting these attacks. The IT department, with whom Welch and his team work in “independent collaboration,” will then handle any necessary network patches or recovery protocols.

With six event analysts, nine security liaisons assigned to various university units and another 100 staff members who do at least part-time security work, it’s a team whose sheer size and scope underscores the enormity of the task.

“I was meeting with the CEO of a security vendor a few years ago, and he said, ‘I think you have one of the hardest security jobs in the country.’ It can certainly feel that way,” Welch says.

Prioritizing security

Part of that has to do with the structure of large public universities, which Welch likens to a microcosm of the wider society. From residential to food service, retail to healthcare, transportation to energy, there’s hardly a sector in which Penn State doesn’t isn’t involved. There’s a whole lot of data and assets to protect, everything from passwords and social security numbers to research and intellectual property.

Yet when it came to privileged accounts and credentials—used by administrators and applications to log in to servers, switches, firewalls, systems, databases and the like—Penn State’s protections were limited when Welch joined the university early in 2017.

Knowing that these accounts are often sought in cyberattacks, Welch made prevention and protection a priority.

After an extensive vendor vetting process, he and others at Penn State sought help from CyberArk and Cylance. CyberArk specializes in safeguarding privileged accounts for more than half of the Fortune 100 companies (on-premises, in hybrid cloud environments and across DevOps workflows), and Cylance combines artificial intelligence, algorithmic science and machine learning to prevent advanced threats for more than 3,800 organizations.

Much like the nature of security threats, these partnerships will evolve to address risk management and compliance requirements.

Other solutions are a matter of training and awareness for some 8,400 faculty.

Last semester, the school launched a self-phishing program to create awareness of the latest scams. Additionally, Welch’s team is working with the College of Communications on training videos designed to educate students about threats.

“We all share in this mission, whether we realize it or not,” Welch says. “So it’s important that we encourage broader engagement with students and faculty, to make them part of the process.”

National security

Today, whenever Welch travels for work, his days invariably end in a hotel room, where he can read comfortably and adjust the temperature however he likes. Even running water can sometimes feel like a luxury.

As with many veterans, the memory of sacrifice is always close to mind. But so too, Welch insists, is the pride of having protected a nation’s freedom.

In 1998, six years before retiring from active duty, Welch took the position of CIO at West Point, his alma mater. Together with Dan Ragsdale, a fellow professor who shared his interest in the subject, Welch built the school’s cybersecurity curriculum.

“As we surveyed the landscape in the late ‘90s, we realized there’s a real need in the military for people to learn cybersecurity,” Welch recalls. “We have a live adversary who’s constantly thinking of ways to outwit you. This is their full-time job.”

Welch and Ragsdale instituted a computer defense exercise, whereby students from the country’s various military schools would be pitted against a “red team” consisting of volunteer hackers from the National Security Agency (NSA). Each year, a trophy was given to the team with the highest score.

The initiative resulted in a full-fledged philosophy paper, wherein Welch and colleagues spelled out the ethical case for making “hacking how-to” a cornerstone of the school’s computer science program.

While attending a conference at the Naval Academy last spring, Welch was approached by a number of former students who credited the program with sparking their career paths.

“There’s a reason you find a lot of ex-military in the world of cybersecurity,” Welch explains. “The thinking is similar and the stakes are high.”

Since joining Penn State in 2016 (he’s since become an affiliate professor in two different departments), Welch has continued to make student engagement central to his approach. Not only does the school tout a robust IT internship program; Welch’s department consists primarily of Penn State graduates.

Welch harbors no illusions that wider cybersecurity threats can somehow be stopped. Rather, it’s about giving the next generation the tools it needs to continue the fight.

“Our education is our future, and our job is to protect that future,” Welch says. “To do that, you can’t take what you have for granted.”