Profile: Thomas Murphy, CISO, Northwestern University




Thomas P. Murphy recently became the new CISO at Northwestern University, one of the premier universities in the nation. The university’s mission is to provide excellence in teaching, innovative research and the personal and intellectual growth for a diverse student population, all backed by a dedication to information security. Murphy says, “At all levels of the organization there is understanding that, in order to deliver on our mission, we must protect information in a distributed environment where technology is evolving and being embedded in all areas of the university.”

Northwestern’s considerable student base, and the open and collaborative environment typical of a large-scale research university, present some unique challenges. Murphy comments, “I interact with my peers and senior leadership about information security concerns on a daily basis. Among the top concerns is whether we have the right resources to respond to an attack, not ‘if’ but ‘when’ it occurs. Another concern is that security awareness and training may be a lower priority in an environment where teaching, learning, research and other efforts take most of our time.”

Murphy is confident those challenges can be addressed successfully. He plans to roll out a major security awareness training initiative in the Fall, when the academic year resumes. In the near term, he addresses information security by getting out of the “back office”, walking the campus, introducing himself, and demonstrating that he and his team are interested in a true partnership with the leaders of the university.

Information security is constantly evolving at Northwestern, and the role of the CISO is becoming more prominent in the community. Murphy continues, “I’m bringing a more public face to information security. Professors, department chairs, and administration are all accustomed to seeing policies listed on the website. Now, as I go out and talk to more of the community, they are asking great questions and are very engaged. I have been invited to present to a wide variety of groups and departments across the campus.”

Since his arrival, Murphy has educated himself on goals, studied the existing security program and made introductions across the university. He is now eager to move forward with a number of programs and a security plan he is developing with the help of the CIO, to whom he reports.

Among Murphy’s first priorities is refining the university’s security policies. “Our current policy suite is very verbose,” explains Murphy. “A seven-page policy is difficult for people to wade through to get the guidance they need, especially when they have other responsibilities and priorities. I need to pare down those policies to make them more easily read and actionable.”

“In speaking to other leaders here, I learned there was a perception that security was historically done in a closed environment. I’m working to change that. Our program will ensure business processes and needs are taken into account with all new security initiatives. Early feedback shows that our community is very responsive to this approach.”

Murphy has plans to involve the information security team in all aspects of the enterprise-wide response program. “Whether it is a physical security incident, or a cyber incident, our systems need to be ready for a coordinated response. I plan to work with the university police department to ensure our response and communication systems are in place, and Northwestern is prepared for any incident.”

His other plans for the security program include mitigating the university’s top threats with appropriate tools and user awareness training. “A big stress center for us is phishing and ransomware. Our community is constantly faced with these types of threats. They want to know how they can help protect Northwestern,” says Murphy.

While many Chief Privacy Officers come out of law school, and increasingly CISOs are pursuing MBAs, only a few CISOs hold a J.D., as Murphy does. “My law degree helps me understand regulatory compliance at a deeper level. It also helps with things like electronic discovery requests, which are increasing as data is stored online. I also have a Master of Science in Information Protection and Security, so I combined legal and technical knowledge, which is an advantage in creating security policies and programs.”

Murphy encourages anyone interested in growing in the field of information security to pursue an advanced degree. “Inevitably in information security, you will be in a position to act with regard to business administration or law, so it makes sense to have knowledge and credentials in those areas.”

“Use of Cloud services is a major initiative at Northwestern,” says Murphy. “We are taking an aggressive, but careful approach to using cloud services where appropriate. For example, we have HIPAA requirements that dictate the type of commitments and agreements we need from cloud providers. We also want to make sure we are working with cloud service providers that offer high availability and failover, in addition to world-class security.”

