CXO Series – Don Welch, CISO at University of Michigan shares his insight…
Don Welch is the CISO for the University of Michigan, including the Health System and branch campuses. He came to Michigan from Merit Network, where he was the CEO. During his tenure, Merit added a full portfolio of IT services, created the internationally recognized Michigan Cyber Range and built 2400 miles of fiber optic cable through ARRA Broadband grants. Prior to Merit, Don was the Director of Enterprise Technology (CTO) and Merchandising Systems at H-E-B, a $12B retail/distribution/manufacturing company that operates in Texas and Mexico. Prior to that, he served in the Army, attaining the rank of Colonel. His last position was CIO and Professor of Computer Science at West Point. Among his other Army assignments, Don was a member of the Army’s counterterrorist unit, Delta Force. He has also been the senior human resources manager for the Army’s professional information technology workforce. At the start of his Army career he commanded two light infantry companies and three infantry platoons.
He has a BS from West Point, an MS in CS from Cal Poly, San Luis Obispo and a Ph.D. in CS from the University of Maryland. He also earned paratrooper wings and the Ranger Tab.
Sajid Khan: Don, thank you very much for taking the time out for this interview. Can you begin by sharing your perspective on the role of CISO in an educational institution such as the University of Michigan?
Don: By design, universities are quite decentralized with an emphasis on innovation and creativity. This freedom and agility are core to the mission of a research university. Freedom and agility are contrary to making security easy. My role is to protect the institution and, as much as I can, the individuals in the university community. I have limited authority, so I have to have trusting relationships throughout the University and make progress through influence.
SK: What particular challenges do you feel exist in your current role at the University of Michigan? Are you planning any initiatives keeping in view your past experience?
Don: Research universities are actually very complex. Most people realize that universities have athletics, teaching, research, and patient care. Universities also have facilities, retail operations, power generation, etc. Almost every industry function you can imagine is represented in a research university.
Research universities also have a lot of information that others want and are willing to invest significant time and effort to get. Intellectual property, personal health information and credit card information are among the many types of information that universities must protect.
The lessons from my time in the Army really ring true. Information security does not come from buttoning down things as tightly as you can and then making sure nothing gets unbuttoned. Our adversaries are smart and they adapt to what we do. So we have to constantly understand what they are doing and adapt. Security today requires an operational mindset. It is not static.
SK: What particular IT Infrastructure and Information Security systems have been adopted by the educational institutions, particularly large universities such as University of Michigan?
Don: I would say the most significant change is the move to the “cloud.” The University of Michigan has a “cloud first” strategy. Culturally, this is a significant change. Many IT staff have been at universities since the earliest days of computing. At that time, they worked on developing the technology that became the commercial standards. Letting go of that control is difficult. Understanding that in many cases cloud providers can do a better job than we can – even in security – is hard. Understanding how to provide security with cloud providers is new to us. So not only do we have to adapt to leveraging the cloud, but we have to understand how we secure ourselves when much of our information is held by others.
Another change is that higher education is investing more in systems that look deeper to find intrusions. The threats against us include some of the most sophisticated attackers and we are moving to try to meet that threat. A focus on end-users is still important, but understanding what information is the most critical and protecting it with increasingly sophisticated tools is the trend.
SK: Can you share some of your future plans for the University of Michigan?
Don: We want to make it easier for our community to do the right thing. Michigan thrives because researchers think up new ways of looking at data and break down barriers between domains. I don’t think we have any school or college that doesn’t have at least some research collaboration with our health system. Many of those collaborations include ePHI, and so HIPAA compliance impacts researchers across the campus. In some cases faculty are surprised to find out that they have to deal with FISMA, ITAR and other compliance standards. I think providing easier-to-use tools that faculty need to stay safe while they accomplish the university mission is the key to protecting Michigan. Identifying and creating IT services that are compliant with various standards will help and is an important one of those tools. Providing guidelines, guides, consulting and services is necessary for the university to push the envelope while managing the risk.
SK: What’s been your most impressive achievement in your career so far?
Don: It has probably been outside of information security. In my role at Merit Network I built a team that was able to accomplish some significant projects. We had built a few hundred miles of fiber, but needed infrastructure to serve the rural and remote parts of Michigan. As part of the stimulus program we competed for and won grants to build 2400 miles of fiber. Not only did we have the challenge of building the fiber, but if you have any experience complying with the layers of sometimes conflicting federal bureaucracy, you can understand the magnitude of the accomplishment. Not only did we succeed, but we were honored as one of the best projects in the country. During that period we also started the Michigan Cyber Range: a unique training environment for cyber security that gained international recognition. While continuing our day-to-day operations we created two new, unique, and nationally recognized capabilities. Building the team that was able to accomplish that is what I am most proud of.
SK: Could you please share your leadership style? Does your leadership style vary with the role?
Don: Trust is at the core of all leadership. The team has to trust the leader and the leader has to trust his or her team. Within that trusted environment, it is the leader’s role to provide the team with what they need to go further and faster than they thought themselves capable. Training, resources, guidance, support, coaching; whatever they need to succeed. I think of the leader as an offensive lineman on a football team. They don’t score, they enable the backs and receivers to gain yards and score points. These characteristics don’t vary whether you are an informal team leader or a CEO. The way you apply them varies based on the mission, the individual skills, experience and the maturity of the team.
SK: What advice would you offer for other information security / cyber security executives who aspire to follow you?
Don: You are first and foremost an executive and leader in the organization. Your focus happens to be information security. Your role is to help the organization accomplish its mission while tolerating the right amount of risk. You can’t create a zero-risk environment and your organization has to thrive. Hitting and staying in that sweet spot while dealing with adversaries who are capable and constantly adapting is the challenge. Good executives are invaluable to their organizations and as an information security executive if you are really good – no one will know it.
SK: Is there anything else you would like to share with our readers?
Don: Thanks for the opportunity.