It Takes a Hacker to Protect Maricopa Community Colleges

A hacker mind-set helps Miguel Hernandez redefine security for Maricopa Community Colleges as its first chief information security officer

A talent and a passion for video games led Miguel Hernandez to develop a knack for hacking. Not the sinister, criminal hacking that comes to mind when most people read that word, but the kind of hacking that makes it seem easy for tech types to download, configure, and reengineer stuff for which other mere mortals have to pay.

Now, as associate vice chancellor for information technology and chief information security officer for Maricopa Community Colleges, Hernandez taps into that hacker mentality to protect the entire system.

Hernandez earned a bachelor’s degree, two master’s degrees, and a doctorate degree from the University of Texas at El Paso with the original intention of becoming an electrical engineer. Little did he know, he was already on his way to a career in information security as an undergraduate. While interning at Texas Instruments, he met several other interns who shared his passion for playing classic video games. Together, they hacked and reengineered a Microsoft Xbox console.

Word of his modified Xbox spread. A classmate who worked at the US Army Research Laboratory (ARL) suggested he interview for a job opening there in the information warfare division at White Sands Missile Range. The ARL was training hackers to test and evaluate the security of Army information systems.

“I remember the interview started out with the usual questions, but the atmosphere changed immediately when they asked, ‘Tell us about your Xbox,’” he says. “I was scared at that point. Were they going to arrest me? I wasn’t sure I should talk about it.”

The interviewers were intently interested in his hacker mind-set. He did talk about the Xbox, and his story essentially got him the job. From that moment on, his path shifted to becoming an expert information security engineer.

Today, as the very first CISO for Maricopa Community Colleges, Hernandez’s skills play a vital role. He joined the system in the wake of an information security incident that occurred in 2013.

In November of that year, the ten-college district reported that hackers may have obtained the information of more than two million people, including current and former students, staff and vendors, from as far back as thirty years.

Hernandez was working as senior director of information security at Texas Tech University Health Sciences Center El Paso when he heard the news. “I knew when I read about it that I wanted to take on that challenge,” he says. “I wanted to come in and help them get through this. So when I saw they were hiring their first CISO, I jumped at the opportunity.”

When Hernandez started the job in July 2014, he was a one-man operation. He spent the bulk of his time assessing the situation, evaluating the current security posture, and identifying areas where the system could improve. Then, he got to work.

“You may think the most important place to start an information-security program is with technology,” he says, “but with 200,000-plus students and 11,000 employees, it’s the people that are most important. One of the first things I did was kick off the first mandatory information security awareness training campaign.”

“You may think the most important place to start an information-security program is with technology, but with 200,000-plus students and 11,000 employees, it’s the people that are the most important.”

Miguel Hernandez

The training is designed to educate employees—to make them aware of the security threats they face and how those threats can have an impact both at home and in the workplace. It’s now
a mandatory annual event that is constantly being updated.

“The training never ends because the bad guys continue to get more crafty with their attacks,” Hernandez says. “We need to make sure our people have the most up-to-date information at their fingertips.”

Hernandez has since been able to hire four information security engineers for his department, and he hopes to add four more by the end of 2017. His team works closely together and shares the hacker mind-set needed to find creative solutions quickly.

Meanwhile, Hernandez is getting help on the technology side, working with third-party technology suppliers Parallels and Kaspersky to shore up Maricopa’s defenses.

“Working with these two companies and the products they offer us has been a great experience,” Hernandez says. “They make up two very important pieces of our overall technical strategy, which we call ‘unified security.’”

The idea, he explains, is to unify how Maricopa Community College handles information security by standardizing processes system-wide. For example, instead of each location in the district using its own anti-virus solution, Hernandez has championed the deployment of the Kaspersky solution district-wide, giving each entity one solution that goes well beyond anti-virus protection.

“The same idea holds true with Parallels,” Hernandez says. “We want to unify the manner in which we manage and centrally encrypt Apple products. If I can help our colleges become experts in a handful of security tools that everyone uses, we can leverage that expertise across the system because we’re speaking with a common security standard.”

This massive initiative is a far cry from his days of hacking into the Xbox and working at the Army Research Laboratory. “I remember noticing that the CISO at the Army Research Laboratory had a PhD and was credentialed as a Certified Information Systems Security Professional (CISSP),” Hernandez says. “From that moment on, I set out to earn a PhD, obtain a CISSP, and become a CISO just like him. I’m proud to say I met all three of those goals.”

Did Hernandez think back then that he’d become a CISO in higher education? No, he says, but he always knew he would be a CISO somewhere.

Information Security on College Campuses

In the era of Big Data, college campuses are among the richest resources of private information for would-be hackers. Registrants provide everything from personal financial data to social security information, all of which identity thieves covet.

“The reality is that we live in an era when the question isn’t if your organization will experience a cybersecurity event, it’s when,” Maricopa Community Colleges’
Miguel Hernandez says.

Every college and university is vulnerable because students, faculty, and staff are vulnerable to phishing attacks and other scams perpetrated by email. Consistent training is the key to making sure universities understand that information security is everybody’s responsibility.