How ASU's policy and security office is reimagining IT culture

Editor's note: UTO Humble Heroes is a series featuring the people who make UTO run — their stories, in their own words. These exceptional team members solve problems, provide support and help students, staff and faculty at Arizona State University. 

Partnership, leadership and stakeholder empowerment is at the heart of ASU's University Technology Office governance, policy and information security teams' unique approach. These domain experts and cultural ambassadors cultivate effective information technology (IT) practices, drive security and enable innovation across the university.

'How can we do things better together?'

This question, posed by Tina Thorstenson, chief information security officer, reflects the culture of collaboration that drives her teams' work. Information technology touches every facet of ASU life and every member of the university community. In this complex and ever-changing environment, the governance, policy and information security teams are challenged to bolster technology alignment, information security, policy and acompliance — and to do so in a way that enables innovation.

“We have a responsibility to our ASU community — our ASU family — to keep them safe,” said Rebecca Hirschfeld, a system architect with the information security team, “and being part of the security office involves everything globally as well as within our campus community.”

These partnerships enable both proactive innovation and responsive adaptation. For example, in collaboration with EdPlus around ASU Open Scale — a learning pathway designed to expand access to higher education — this team helped provide the technical foundation for a new ASU initiative.

In response to COVID-19, ASU launched ASU for You, a collection of digital education resources available to all. With this project, the number of learners who needed a new digital identity to access ASU systems and resources skyrocketed. In partnership with EdPlus, this unit of the UTO developed a way to quickly create these identities and provide access to learners. Using an automated process, governance, policy and information security team members are able to keep up with demand, bringing on 50 to 100 new accounts per day. Since March 1, a total of 2,407 new identities have been created for EdPlus, including Open Scale and ASU for You.

The UTO governance, policy and security teams were also integral to the partnership between ASU and Air University, the U.S. Air Force’s eSchool for graduate professional military education.

“In order to get the partnership with Air University, we had to get certified by the Air Force to connect our systems to theirs, and we had to get a security certification,” said Tom Castellano, lead architect and senior director of cybersecurity strategy and assurance. “I'm most proud of getting that accomplished. It was really a team effort.”

According to an Air University press release, the partnership between ASU and Air University will “transform the distance learning experience for Air Force officers and civilians worldwide,” and is already serving 1,650 Air Force students. As with ASU Open Scale and ASU for You, GPIS was integral to developing the online identities for these students.

Strategic partnerships with vendors and industry leaders are also a key part of ASU’s efforts to proactively safeguard our community and seek out opportunities for innovation. For example, to bolster protections for the ASU community in this new remote modality, the Information Security Office collaborated with CrowdStrike to provide antivirus software for home use. This UTO team and the broader ASU community are also partnering with vendors around free training resources.

'Leadership is a critical part of GPIS'

Carolee Deuel, director of policy and compliance says her team enables information security and effective technology practices for all 34 decentralized units at ASU.

“We’re not about mandating,” Thorstenson said. “We develop partnerships and encourage everyone to be at their best.”

For example, the Information Security Office informs and collaborates with the Information Security Task Force, a team of senior leaders from across the university, to lead information security at ASU. This task force provides feedback and recommends new policies and standards. The decision to roll out two-factor authentication to all ASU staff, for example, was made through conversation with this task force.

“We're advisers,” Deuel said, “but the only way that we can be successful is if we're really good listeners, because people need to feel that we are there to help them not to dictate something that just makes their life harder.”

Thorstenson’s unique approach to governance, policy and information security centers around a holistic understanding of and commitment to ASU’s mission and culture.

“We align the university mission and goals with the technology needed to support those goals, and anticipate university needs,” Thorstenson said. “We strive to be stewards for better IT culture and communications across the university.” 

“Tina is an inspiration as a leader both within ASU, and across a male-dominated field like cybersecurity,” said Samantha Becker, UTO’s executive director of creative and communications. “I aspire to achieve the same level of expertise, agility and insight as Tina in my own field. Though there is an instant gravity that comes along with prioritizing safety and security, her positive and appreciative attitude adds to the cultural well-being of the UTO and ASU.”

As the deputy CIO for IT governance, policy and information security, Thorstenson leads with Positive Core culture, a deep respect for collaborators and a grounded optimism. Thorstenson guides her team in providing leadership beyond matters of technology or information security. 

“We work to ensure that ASU’s enterprise IT team (UTO) is a strategic partner with all ASU units,” Thorstenson said, “advancing 1) technology leadership across the ASU enterprise through strong connections ... 2) ASU's innovation through collaboration and cross-unit partnerships and 3) safety and protection by bringing visibility to potential IT risk.” 

This focus on culture and alignment enables the governance, policy and information security teams to rapidly pivot in the face of new threats or changing environments, including adapting to the complexities surrounding the COVID-19 virus. For example, when Brett Woods’ National Guard unit was activated to support the Arizona community, his colleagues on the information security team took on additional responsibilities and enabled Woods to support Arizona’s coronavirus response.

Stakeholder empowerment

A core way in which the governance, policy and information security teams demonstrate leadership and collaborative partnership is by educating and empowering the ASU community. 

“Stakeholder empowerment,” Castellano said, “is through focused engagements with a common growth-mindset approach to increase impact, drive success and develop teams.”

The GetProtected website offers curated security information and resources for the ASU community. Additionally, refreshed information security training is provided every year.

“We release a new version of that training every July, and the process is in the works right now to rewrite scripts and get that started,” said TJ Witucky, director of the security operations center.

By providing resources and tools, this team enables staff, faculty students and other stakeholders to better protect themselves and ASU. For example, the annual IT risk assessment enables stakeholders to better understand and mitigate the risks to their platforms and tools. Governance, policy and information security teams provide a survey to units across ASU, which illuminates the strengths and potential vulnerabilities in their systems.

“Stakeholder empowerment is crucial to the mission of the ASU Information Security Office,” Witucky said, “All ASU students, faculty, staff and affiliates must be empowered to secure any ASU information and assets under their control as ultimately, the security of the university is everyone’s responsibility.”

Another tool, the Executive IT Risk Review Dashboard, provides leaders across ASU with both high-level and detailed views of their unit’s systems, strengths and vulnerabilities.

“We're here to be your partner,” Hirschfeld said, “to help you resolve things by providing guidance to show you what needs to be fixed and how potentially you can fix it.” 

“Governance, policy and information security teams provide us with the most basic of human needs — safety and security,” said Christine Whitney Sanchez, UTO’s chief culture officer. “(Their) values-led approach and dedication to customer delight positions them as culture leaders within and beyond UTO, and enables them to better safeguard the community and enable innovation across ASU.” 

Featured UTO Humble Heroes: Tom Castellano, Richard Chappell, Donelle Culley, Carolee Deuel, Stephen Garcia, Alyssa Goldstein, Fred Hernandez, Michelle Hernandez, Rebecca Hirschfeld, Martin Idaszak, Robert Kamilli, Ahmed Khalil, David Lee, Darnell Loggins, Giovanna Lopez, Jeff Lords, Kevin Lough, Jason Pratt, Sean Reichert, Frank Rodriguez, Karen Tamayo, Tina Thorstenson, Jennifer Tweedy, Barnaby Wasson, Jeni White, TJ Witucky, Brett Woods and Melody Young.

Nominate a UTO Humble Hero.