By Apryl Motley - Communications & Technical Writing Consultant, Internet2
Estimated reading time: 5 minutes
Editor’s Note: This conversation continues our series of interviews spotlighting the wonderful contributions that research and higher ed community members make to the NET+ Program.
Be on the lookout for additional interviews throughout the year, and email Apryl Motley if there’s a Cloud Superhero you would like us to spotlight in the future. We’re grateful for all our volunteers and appreciate all they do to move our work forward.
— Sean O’Brien – Associate Vice President, NET+, Internet2
If you ask Charlie Escue about one of the key components of his job, he’ll tell you it’s “exerting positive information security influence at the appropriate levels within our organization.”
In Charlie’s current role as information security consulting manager for the University Information Security Office (UISO) at Indiana University (IU), he leads an expert team of information security analysts. His team consults with IU constituents on all things information security related from third-party risk assessments and system security plans to unit risk and security assessments and external collaborations and partnerships.
“Many of our responsibilities span across on premises systems and of course, the cloud,” he explained. “Whether it’s consulting with enterprise administrators of our IaaS assets, system integrators of our PaaS assets, or adopters of SaaSs, my team is responsible for the security and risk assessment of our most critical assets to ensure our university’s leadership can make well-informed decisions when leveraging partnered services.”
During a career at IU that spans almost two decades, Charlie has also served as a lead network engineer and an IT strategy business analyst. Ten years ago, he joined the UISO as a lead security analyst, performing third-party risk assessments, information security reviews, and contributing to the Higher Education Information Security Council (HEISC) Security Assessments Working Group. His contributions to the HEISC working group served as a starting point for launching the first iteration of the Higher Education Community Vendor Assessment Toolkit (HECVAT).
Fun Facts About Charlie
Best Advice About the Cloud He Ever Received:Assessing vendor security posture is necessary. What good are our defenses from malicious actors if we allow our staff to proverbially “wheel file cabinets out the front door” (meaning uploading to the cloud) unprotected.
What He Likes Most About His Job:What I like most about my job is the variety of information security activities that we engage in and that there is always something new around the corner. The adaptive nature of information security consulting work leads to an ever-changing flow of new technologies and challenges for my team to address. We strive to meet our leadership and IT professionals where they are, exerting positive information security influence at the appropriate levels within our organization.
“I view cybersecurity as an art,” Charlie said of his motivation for joining the HECVAT core team. “Creative solutions must be explored to ensure that information security supplements, not impedes, academic or business progress.”
Read on to learn more about Charlie and his contributions to the R&E cloud community.
What are the greatest challenges and opportunities for research and education when it comes to implementing cloud services? How does HECVAT help address them? CE: Coordination between organizational stakeholders is the greatest challenge and opportunity for many higher ed institutions. The way cloud services are being requested and used at our institutions is oftentimes disruptive to existing business processes (i.e., IT procurement) and creates challenges for various stakeholders (e.g., purchasing, security, IT accessibility, privacy, etc.). The opportunity comes from the appropriate support of these stakeholder functions in a strategically coordinated fashion, allowing the needs of all stakeholders to be met, with minimal burden, to meet the needs of the business and academic processes. Easier said than done.
HECVAT was not designed to solve these challenges, nor will it ever be, but it is part of the solution. By speaking a common information security assessment language across higher education, we can better assess the information security/risk posture of products in our space at-large, and when leveraging the toolkit, we, as a community, can exert influence en masse with our vendor partners.
How have Internet2 and NET+ helped you in your current role? CE: I can speak best to people within Internet2 that have helped in my current role. I want to give a huge shoutout to Bob Flynn (program manager, Cloud Infrastructure & Platform Services) and Nick Lewis (program manager, Security and Identity).
I worked for Bob at IU before he moved to his Internet2 role. His astute leadership at IU continues to benefit us greatly, years after his departure. If you know Bob, you know what I mean, and I’m sure he continues to lead higher education and exert influence at the highest level of our profession – many thanks to him!
During the past nine years, I’ve had the pleasure of working with Nick on a regular basis. What he does to maintain broad situational awareness, exert far reaching influence, and contribute to the higher education security profession cannot be measured. I cannot thank him enough for what he does.
Why is it important to have an active and vibrant cloud community in R&E? By focusing our collective lenses, the community can inclusively build solutions and support mechanisms that allow our members to thrive, not just “keep the lights on.” There is an abundance of important cybersecurity work to be done, and no one, no one, can do it alone. Crowdsourcing our talent for the collective good strengthens our community and advances the professional development of its members.