In November 2021, Alex Aragona joined McGill University as the new Director of IT Infrastructure and Information Security (the unit formerly known as Network and Communication Services- NCS). We spoke with him about the importance of cybersecurity in higher education, his vision for McGill’s data and systems security, and the experience he brings to this role.
What is your background and what have been your past roles?
My most recent role was Executive Director of Application Portfolio Management and Chief Information Security Officer (CISO) at Concordia University. There, I oversaw all the application development and support, as well as cybersecurity, for the university. Anything concerning our cybersecurity strategy and roadmap, security awareness training, or incident response fell under my team. In my 18 years at Concordia, I held various roles and prior to Concordia I worked for 7 years in the private sector. For much of my career, my areas of specialization have revolved around application and database management and security, and my interest in cybersecurity and past roles have provided me with much hands-on experience in this area.
What are your goals for cybersecurity at McGill? What direction do you see us going in terms of improving McGill’s cyber security posture?
Cybersecurity posture is something that is never static. It's something that requires constant adjustment, since threat actors and their methods of attack change. Something that I would like to see or implement at McGill is a constant culture of awareness. We should always be thinking of security with a “safety-first” mindset, from both a technical aspect and from an end user perspective.
Whether you’re securing your own data, or working to secure McGill’s data and systems, being cybersafe is each person's responsibility. This can include everything from keeping your devices and software updated, to not clicking on a suspicious email or message. I think if we can get to a culture where people are constantly educating themselves and keeping up to date with some of the best practices, we will be in a very good position. And this applies to everyone: Faculty, staff, researchers, and students are all responsible for maintaining a cybersafe environment.
In your first few months, working here at McGill, do you see any challenges from a cybersecurity perspective that might be unique to McGill?
All universities face the unique challenge of being open to share information while needing to secure their systems and data. Given McGill’s size and the global breadth of its research scope, this is particularly challenging.
Like many universities in Quebec, McGill has collaborated with other higher education institutions to promote cybersecurity in this domain and has a large presence at the table. What are some of McGill’s relevant accomplishments that you have noted?
I think that McGill’s involvement with CANSSOC is something that that's very important to note. The fact that McGill has just recently achieved 100% coverage on Two-Factor Authentication (2FA) across the full community is a very important achievement. There are probably other achievements that I have yet to discover, but if I think about the two major ones that stand out, these are impressive from a cybersecurity perspective.
And what do you see as important topics in cybersecurity, both in the global sense and for higher education, or at McGill and why?
I think, from a global sense, we need to be aware that threats right now come from almost anywhere and can land straight into your inbox. During COVID, over the past two years, people have been digitally connected more than ever due to remote and hybrid work. The attackers know this and try to prey on the fact that we are so busy and sometimes may not be as vigilant. I think that there is a global awareness of persistent threats. And, the targets are no longer just the big companies or financial institutions, but all industries and types of data including research, clinical information, private data, etc.
What are some key things that you hope to achieve or put in place over the next three to five years?
I think five years is long from an IT perspective. I usually like to look at the next three years. We will need to fully assess McGill’s cybersecurity posture, and I'd like to achieve what's known in the cybersecurity community as “defense in depth”. I think a lot of good work at McGill has been accomplished, but there is always room for improvement.
Defense in depth
The more security layers an attacker needs to traverse, to get to that “crown jewel” - which could be either research data, your personal information, or financial data - the better protected you are. This involves adding layers of protection: the bottom, comprised of technical or hardware layers, while the top layer is the end user and their awareness. If we can achieve that type of defense in-depth ubiquitously across the community, that would be a particularly good accomplishment.
Building community awareness
I think there must be a certain base of cybersecurity awareness throughout the community. The more aware and vigilant we are helps to ensure that we all are our own first line of defense. If we take password safety as an example, brute force is not the only way that attackers guess your password. They can phish you to click a certain link, and subsequently trick you into providing your credentials. Attackers can then use your credentials to gain access to your work email, social media accounts or even a financial institution for example. I think everybody has to be aware of the multi-faceted nature of the threats that can reach them and how to recognize them.
Enabling productivity while protecting
One more important point that I would like to achieve is a balance between security and ease of use. I think it is very important to secure our data, but equally important to ensure that our community can fulfill their mandate with relative ease. Information security and IT are there to enable and foster productivity and it’s important for us to remember this when implementing controls.