The new director of information security at Information Technology Services (ITS) is Rich Tener.
Tener, an alumnus of Iowa State, starting serving this role June 3. Prior to joining ITS, Tener had at one point worked in “offensive security.”
“So in [that] role, I was testing security controls — trying to actively exploit vulnerabilities,” Tener said. “So it could be vulnerabilities in technology, vulnerabilities in people.”
He explained it went “beyond computers” to include physical security. Even if you do a great job securing your computer, it could still be compromised if the building isn’t locked, or if the lock to the building could be picked and information could be stolen through physically accessing it, Tener said.
Social engineering is a form of attack used to exploit trust and vulnerabilities in people, Tener explained.
“Social engineering is an attack that hackers use or attackers use to exploit trust,” Tener said. “It goes back to … it’s almost like a con artist … it goes back to confidence artists that would attempt to exploit trust to get financial gain. Phishing is very similar, and social engineering is very similar.”
Tener also worked with software companies to secure customer data, including Zynga — the firm that created FarmVille, among other games.
“I was there for four years and was a member of the senior leadership team for security and eventually took over as acting chief security officer there,” Tener said. “After that, I joined Evernote — I was an Evernote user and Evernote had a data breach in 2013, while I was a user, and they started looking for someone to start to build a security team for them.”
Tener said that his experience at Evernote was a unique opportunity “to build a program and a team from scratch.”
The interim vice president and CIO at Iowa State, Kristen Constant, said a national-level search was conducted to find a candidate to fill the director of information security role.
In evaluating the applicants for the role, Tener “bubbled to the top” quickly, Constant said.
“[Tener] has very strong experience in security. … He has been in a position where he’s had to build a security team from the ground-up, and that’s not the case here, but we do know that he is going to need to build the team,” Constant said.
On what she felt was important for people to bear in mind when securing their information online, Constant advised vigilance.
“[R]emain ever-aware, ever-vigilant, and if you see something, say something,” Constant said. “It’s like any other kind of security that the real hazard is if people don’t concern themselves with [handling it].”
For his part, Tener said his priority is making sure Iowa State is protected from attackers on the internet, and will add to the security team to help do so.
“So we’re looking at how well we’re patching our systems — how well we’re securing our websites,” Tener said. “[T]he highest priority for me right now is actually hiring a team — building the team. Currently we have a small team of myself plus three, and that is not enough to secure the entire university.”
Mike Lohrbach, ITS director of enterprise services and customer success, had served in Tener’s new role in an interim capacity.
Lohrbach said Tener brings “vast knowledge” and experience from his previous roles in building security teams.
“Being able to bring that to Iowa State, it was a tremendous opportunity for us,” Lohrbach said.
Tener will send “us on the right path” in following best practices and staying compliant with the General Data Protection Regulation (GDPR), the Health Insurance Portability and Acountability Act (HIPAA) and the Family Education Rights and Privacy Act (FERPA), among others, Lohrbach said.
On what people should be doing to protect their data, Tener said people should be updating their software and using unique passwords.
“My recommendation is use a different password on every site, if you don’t at least set up two-factor authentication,” Tener said.
Lohrbach said in the fall they will have a “heavy focus” on protecting individuals by encouraging people to enable multi-factor authentication, which can be done on the Okta dashboard found by logging in at login.iastate.edu.
“[Multi-factor] is a technology that takes you beyond just your username and password — it’s that something you know, and something you have,” Lohrbach said. “Think of when you’re logging into a bank and you type in your ID and your password, and a lot of times it will send you a text message where you can type in that code. That’s really multi-factor.”
Lohrbach said the director of information for ITS “is certainly a very involved role.”
“I strongly feel that [Tener] is the right candidate to [fill the position],” Lohrbach said. “He’s got the right mindset, the right attitude, great experience — and you know as a graduate of Iowa State — he really has a passion for the university as well.”