University of Kentucky’s Michael Sheron on Navigating Data Management Challenges at Universities

In this episode of The Future of Data Security podcast, Michael Sheron, Director of Privacy and GRC at the University of Kentucky, shares his journey into data privacy and the challenges faced in managing sensitive information within a large academic institution. 

He emphasizes the importance of establishing solid privacy policies and fostering a culture of cybersecurity awareness among staff. Michael also discusses the unique data management challenges posed by high student turnover and the need for collaboration across departments to ensure effective data stewardship. Here are the top 3 key takeaways from the interview.

#1: Classify Data To Protect What Matters Most

“Understanding where your data is is important, and then you have to be able to classify that data, because if you don’t classify it, then either you have to treat everything as classified or sensitive, or you treat nothing. And both of those are very expensive options. When you look at the cost of an average data breach in higher education, that’s millions of dollars plus the reputational loss. So you can’t really have a blasé attitude about classifying that data, because it’s going to be too expensive to protect everything on campus with the same parameters as you should for protected or sensitive data.

“And then, of course, encryption and anonymization of the data is important. Those are magic words in our field. And then you’ve got to look at what you’re using to manage identities. Obviously, single sign-on and multi-factor authentication are all big for helping manage it. Using RBAC to get into the devices and everything. So you can monitor who has access, what they have access to and what they have done.

“Now, of course, from a more technical aspect your next-gen firewalls, your intrusion detection and prevention systems, secure web gateways, they’re all still important to the process. Endpoint detection and response, securing your IoT, because that’s a big one. When you think about the number of students that are coming in, moving into dorms and the smart devices that they’re bringing onto campus and what that can do. And it’s not just students, you know, you’ll have faculty who are bringing in and they’re wanting to hook up their AI assistant or whatever in their office and they’re wanting to connect it to your secure environment without necessarily securing that device. And, you know, so you’ve got to look at your IoT and what you’re doing to protect that, your cloud access security.

“So, because obviously we’re a hybrid environment, so we still have a lot of things, we still have things on prem, but we also have a lot in the cloud, just like everybody else. Web application firewalls, your SIEM, your SOAR (the security orchestration and automation response), and then of course, your backup and your recovery tools.

“And then you’re never going to have enough technology, right? Everybody will say it’s the end user is the weakest link in your security chain. And so you’ve got to look at how you can reach those. And that awareness and training is an important component. And that’s one of the things that when we were setting up our policy program, we included a cybersecurity awareness and training component.”

Actionable Takeaway: Failing to classify data appropriately can lead to significant financial and reputational losses, especially in higher education. Protecting all data equally is costly and impractical, so identifying sensitive and critical data is essential for efficient protection, using encryption, identity management, and awareness training for maximum impact.

#2: Privacy Advocacy in Higher Education

“Three years ago, we started an event called Cybercon, which we started trying to do outreach. We wanted it to be sort of fun, informative, and make it easy for people to come up and ask questions. And looking at the growth of that over the three years, the number of people that are coming into the events who are wanting to participate and wanting to learn more about cybersecurity and privacy. 

“We also tell people that we’re willing to come and talk to any organization that they want to talk about privacy, to talk about what we do and how to make them more secure. And the number of presentations that I have done in the last six years has grown exponentially, so that we’re reaching more and more people. As far as hard and fast metrics, privacy can be a little bit difficult in that regard. You can measure the number of new records created versus the number of records mothballed, or deleted, or something like that, put into cold storage or whatever, but that’s only telling part of the story. 

“And to me, one of the interesting things about privacy is you’re not just responsible to the organization that’s paying you. You’re also responsible to the people that are providing that information. And so I look at it as I am a steward, and I’m responsible to our students, our employees, our partners in the community, etc., anybody who’s sending that information, as well as to the university, to make sure the data is handled securely. And so the number of people that are asking for steps on what to do and how to protect it is another one of those sort of metrics that I look at personally to help see whether or not we’re doing a good job of communicating and evangelizing privacy to the university community as a whole.”

Actionable Takeaway: As stewards of personal data, privacy professionals must focus on both their organizational responsibilities and their duty to protect the individuals who trust them with sensitive information. Metrics like outreach and engagement with privacy issues, not just records managed, reflect how well privacy principles are being communicated and upheld.

#3: Lifelong Learning Is Key to Cybersecurity Success

“Always keep learning. I mean, that’s the big thing, is read and learn. The environment evolves, and it’s constantly changing. I spend probably the majority of my day reading, whether that’s contracts for people who we’re going to be sharing data with or new regulations, new laws, what other people are doing. 

“And always have that attitude that there’s somebody out there who knows more and being willing to talk and listen to them. There’s a lot of ways to get information and get resources, and don’t be afraid to ask questions. I have a great working relationship with our legal counsel. I work with probably four or five of them on a regular basis, and I will ask them questions constantly about things because they’re working in that environment.

“My background, like I said, I was studying theater, and I moved into IT. I don’t have a legal background, but I spent a lot of time reading legal documents. And so I’m very lucky in that regard to have that help. But always be willing to read, learn, and ask questions.”

Actionable Takeaway: Staying updated in cybersecurity requires constant learning, including reading regulations, understanding new laws, and leveraging legal counsel for expert advice. Asking questions and collaborating with other experts is crucial for growing knowledge and staying effective in the ever-changing digital landscape.