David Capps, Ed.D., joined the University of Colorado as chief information security officer (CISO) for CU system administration in August 2022. He was concluding 10 years at the Federal Reserve Bank of New York, where he served as vice president – director of technology and risk compliance, and previously had worked at Fordham University as director of IT planning and strategy.
Capps has a noteworthy month in store. October is Cybersecurity Awareness Month; it also is the month CU has chosen for the launch of a new security training requirement that will help employees recognize potential risks, apply proper safeguards and promptly report suspicious activities. All faculty, staff and student employees now must complete the Information Security Awareness Skillsoft training course every two years.
October also is the heart of football season, when Capps enjoys spending some free time rooting on teams in his home state.
“This one is going to get me in trouble, but I will proudly claim that I am a huge Kansas City Chiefs fan!” Capps said. “I was born and raised in Missouri, and my sports allegiance remains there.”
His wife still practices law in New York City, so much of their free time is spent traveling back and forth across the country.
“And if we aren’t in Denver or on Long Island, we may be visiting one of our three older children who live in other places,” Capps said. “I also love to cook and take advantage of being in Colorado. From buying a new bike here to take advantage of the trails, to hiking, to buying fresh vegetables from the South Pearl Farmer’s Market on a Sunday morning, I truly love being here in Colorado!”
1. Your office recently launched a campaign promoting CU’s Information Security Awareness training, which is required for all CU employees every two years. What does the training course entail, and why is it important for CU faculty and staff to complete it regularly?
The training course is one that has been around for a while, and one that we update each year with new material to cover different topics within cybersecurity. The change that we are making to have it become required every two years is because of the importance of the efforts, the need to ensure that everyone understands the new material we add, and the need to reinforce the basic tenets of cybersecurity that protect the university every day.
As the course will show, each person within the university has a role to play in information security. Having a curious mind about the nature of a suspicious email, or taking time to ask yourself where will the data go that you have attached to an email or similar, helps maintain our secure posture. Just a few seconds can make a huge difference when it comes to technology and information security. Think before you act and don’t hesitate to call on the security resources we have at CU. We are here to help and happy to do so.
2. Updates to the IT Security Program policy, APS 6005, recently were published. What changes were made and why?
The updates that we made to APS 6005 were done for a few reasons. A basic one is because there is a fundamental need to revisit policies on a set basis to ensure they are still up to date and accurate. These documents form the basis of our governance, and we need to make sure that they still are applicable.
And in doing this update, we realized that titles and roles had changed on campuses. Part of the effort was just basic housekeeping.
But another reason we made the updates was to try and streamline and simplify the verbiage and direction to make it easier to understand. Someone who is not a security expert should be able to read the document and now relate to how it impacts them and what rules they need to follow.
In addition, I’m working with our education and awareness team to create training that will further help educate people on how to apply and comply with these rules. We want to make sure that everyone understands and works together to help protect the university, and education is a huge way to help ensure that we do.
3. What special circumstances do CU and other institutions of higher education face when cultivating a culture of positive information security?
Higher educational facilities are a huge target for cyber criminals. We have tremendous amounts of data related to students, to health, to research, that separate us from a typical business.
Because of this, we are a high-profile target. A hacker can obtain a ton of information from a source such as CU in just one place. We also typically have a need to be more open in certain aspects, such as allowing our students to bring their own devices and tie into our wireless networks.
Because of all these aspects, we have a need to balance security and freedom that allows us to do our work in a secure and efficient way.
4. How has your experience in past roles at the Federal Reserve Bank of New York and at Fordham University informed the work you now do at CU?
Both Fordham and the Fed were incredibly like CU. While there is an obvious connection with Fordham, you must understand that the Fed is a highly academic organization with a large focus on research and analytics, not unlike a college campus. Both of those places also operate in a federated environment in terms of governance.
Here at CU, we strive to harmonize our efforts across the CU campuses and system offices. And at the Fed, there were 11 other reserve banks that I had to work with to help develop technology risk efforts.
I think both places were wonderful places to work that gave me tools and knowledge that I apply every day here at CU.
5. You have been the CISO at CU for just over a year. During that time, what strengths have impressed you and what opportunities are you most focused on?
The people here, at all levels, are amazing! They want to collaborate and do the right things to protect CU, and it has truly been a pleasure meeting people at all the campuses. That desire and openness is one of the true strengths of CU.
As for the opportunities, I feel that we have a wealth of things that we can collaborate on together. And I like how you said “opportunities,” and not “weaknesses” or “problems.” As the campus security and technology teams continue to collaborate and share knowledge and information, we continue to learn of more and more opportunities where we can get better.
Information security doesn’t have an end, it’s a journey. And I really enjoy all the people that I’m traveling with now.