Patricia Ciuffo –Touro College

It can be as simple as clicking on the wrong email to spark a cyberattack, Patricia Ciuffo of Touro College warns.

That’s all it took in a recent hack in Lake City, Florida, that shut the local government down for days and resulted in a $460,000 paid ransom.

Yet forewarned is forearmed to Ciuffo, Touro’s chief information security officer, who is continually heading and reinventing cybersecurity initiatives to protect the New York City college, founded under Jewish auspices in 1970, from cyberattacks. Central to her effort is the launch of a new phishing simulation training program, in addition to the implementation of a more robust system-wide antivirus program to protect the information of 19,000 students across 30 schools.

“Security awareness is our big focus, as is training,” Ciuffo says. “We want to address all of the pieces of our enterprise protection strategy to make sure that our vulnerability management programs are solid.”

An ounce of prevention

As Ciuffo tells it, Touro is close to completing a rollout of a more robust antivirus program throughout the campuses.

“We have a strong project management team, and support from the local campus and technology specialists throughout the institution,” she says.

That’s half of the latest project.

To help those within Touro’s educational community better identify potential cybersecurity threats, Ciuffo has deployed the other half—an online security awareness training program for the staff.

As Ciuffo explains, security training for new users starts with an orientation program, with refresher training offered every two years. Faculty in specialty areas of clinical health care—such as the dental program—get formal training annually, which includes specialized training in HIPAA requirements.

“It is a relatively new program, the phishing piece of this,” Ciuffo notes. “The program has evolved over the years and alerts people to be wary of certain emails by sending periodic alerts and notifications on security awareness.”

Ciuffo and her assistant pepper inboxes periodically, casting the bait of phishing emails throughout the year to make sure the community is vigilant and compliant. A vulnerability management program is kept running behind the scenes, with sophisticated software and scans, to ensure that nothing nefarious slips through undetected.

“It’s a concerted effort,” Ciuffo says, though she’s careful not to tip her hand as to other measures she’s considering for the sake of security.

Ciuffo, now in her eleventh year at the college, is always on high alert, scanning multiple sources for the latest information to incorporate into security initiatives. The inspiration for new projects, she says, can come from anywhere. An idea might pop up from a coworker. A news article might catch her eye, or she may receive an alert from one of the organizations she belongs to. Even a vendor may share an interesting update that piques her interest.

“It’s a very important job and not one that can be done alone. There is cooperation between everyone across the organization from IT technical and managerial staff, the local campus staff, faculty and administrators, to the end users themselves,” she says. “Teamwork is big in this organization.”

End-of-life strife

Phishing may be a predominant cybersecurity focus for educational institutions, Ciuffo says, but it is by no means the only concern. Nor is education the only sector feeling the pain.

“Every industry is not exempt from the threat,” Ciuffo says, explaining it was top-of-mind at a recent health care summit she attended.

As she explains, security problems are compounded by applications and operating systems for organizations hitting the end of their lifecycles. Not every company can keep pace with the cost of new technology and afford to update or replace what it has running. So they do the best they can.

As an example, Ciuffo says, a member at the health care summit mentioned that a radiology machine working off of a Windows XP operating system hit its end-of-life and the small institution couldn’t swap it out because the move would have been cost prohibitive. Therefore, other precautions had to be put in place to prevent the technology from being compromised.

With Touro being an educational nonprofit, they have to make every investment count.

“We have to keep our environments as up-to-date as possible—that’s the challenge,” she says. “You stick to the highest standards and work with the funds that you have.”

Content with constant change

Ciuffo says the best career advice she can offer is for people to discover the work they are most passionate about and then seek out organizations that love to do those things as well.

That’s what she did.

She earned her bachelor’s degree in accounting from Queens College, later earning an MBA, QA in computers and information systems for managers from St. John’s University in 1994.

Working in several positions as an analyst, audit project manager, IT auditor and head of IT over the years in the greater New York area, Ciuffo built layers of experience and started to assemble the building blocks for her future CISO role.

Her start in security came in 1997 as a data security manager for CALYON (Crédit Agricole Indosuez), a position she held for seven years. That set her up nicely for the position as CISO at Touro in 2008.

“My entire career in IT audit and IT security go hand-in-hand and morphed into each other,” she says.

As for her favorite aspect about her job?

“It’s the constant change and challenge,” Ciuffo says. “You think you have your head wrapped around something when you realize you need to look at it from a totally different angle. It’s an intellectual process that engages and encourages me with all the different technologies coming forward … every piece of information security I have a hand on, I get excited about to this day.”