�鶹��Ƶ

Matthew Dalton joined �鶹��Ƶ as Chief Information Security Officer (CISO) in May, bringing more than 25 years of experience as a cybersecurity leader at R1 institutions. In his new role with Information Technology Services, he will provide vision and strategy for information security at Virginia’s largest public research university. 

We sat down with Dalton to learn more about today’s cybersecurity environment and how students, faculty, and staff can make sure they’re staying “cyber smart.”

What does information security entail, particularly in a higher education setting? 

One of the main responsibilities of my role is to help set the cybersecurity strategy for the university, allowing the flexibility and freedom necessary for creative, educational, and research endeavors, while preventing the negative impacts of cybersecurity events.

Information security is about managing the risk to the community, their data, and the systems they rely on, as well as the risks that are presented to the university from everyday events, malicious actors, and nation-state threats. Depending on the kind of information that a person possesses or accesses online, the threats can be very different across the university. 

You have led information security at several different institutions. What drew you to a career in higher education, and specifically to �鶹��Ƶ? 

You could say that higher education is in my blood. Many of my family members have worked in education. There are family stories that my great-grandparents on one side met because they taught at the same college. In my immediate family and closer generations, many of them met at the same college and went on to careers that stressed the value of education.

For me, the brightest possible future comes through education, learning about others' experiences, and using our combined experiences to find a better path forward. I think that �鶹��Ƶ is one of the best examples of that in action.

What are the biggest changes in cybersecurity in higher education since you first entered the field? 

I have seen two big changes. The first is the change from believing that individual researchers or departments at a large institution should manage information security requirements on their own. These days, it takes a coordinated effort across many different parts of the university to protect the information assets effectively. 

The second change is the need to bring information security closer to the individual person, rather than just the device or network that they are using. Early on, the computers were massive, and protecting the room that they were in may have been sufficient. Today, user credentials are the keys to the kingdom, and getting access to those unlocks the data that is everywhere, thanks to the cloud.

How do you work across other departments to reduce risks to the university? 

With information technology embedded in everything across the university, it is essential that the security program works across the university as well. It’s more than just helping people not to click on that suspicious email; it’s about learning what they do in their role, so that the protections we put in place can complement, rather than compete with, their activities. 

How does artificial intelligence (AI) factor into your role as chief information security officer? 

Just like technology in general, AI is a force multiplier. You need to consider how AI can be used by people who are meaning ill intent just as effectively as it can be used by those who are trying to protect. 

It is important that AI be adopted into our strategy both from a threat-modeling perspective and how to deploy better protections for the university, so that we can respond effectively and quickly against whatever attacks come our way.  

How can we better protect our personal information online? What are some important things for students, faculty, and staff to do in their daily lives? 

Probably the most effective way to protect yourself online is to be aware of the hectic pace of the world we live in today. Be thoughtful in your approach, especially when it comes to emails, texts, social media messages, or any other way that some entity might interact with you. 

You need to stop, take time to breathe, and don't let the message dictate how frenetic a response you give. Think about whether this is a legitimate email or message, whether it's either too good to be true, or if it is trying to make you act with urgency. 

Almost every scam or phishing attempt has three things in common:

1. The message tries to assert an authority that it may or may not have, posing as a tax collector, police, or even something like IT support. 
2. The message offers you something of value, like winning the lottery or an unclaimed prize—or a chance to avoid pain, such as past due taxes, and threats that your account is about to be suspended.
3. The message holds a sense of urgency, telling you to act now, or telling you that you are actively in danger. 

If it seems strange, don’t engage. Instead, report it to .

Check out these other cybersecurity resources from George �鶹��Ƶ: