Chief Information Security Officer,
University of Arkansas System
Way back in March of 2019, we at ACDS published our very first newsletter. The interviewee for Volume 1, Number 1 was Eric Wall, then sitting in a windowless basement office at UAMS watching over their internal tech security. In that interview, he talked about being self-taught, with no college under his belt. But a lot can change in nearly four years. In this, our 44th issue, we talk with Wall about his new position as CISO for the entire University of Arkansas System. Watching over the internal security for 22 different schools is a very big job, one that Eric Wall is uniquely qualified to handle.
So when did all this happen?
It’s been talked about for a while, but I just started the new job in April. And right here at the outset, I want to go back to that initial interview you mention in your intro. Back in 2019 I bragged about how much I’d done without a college degree, and almost like Karma slapping me in the head, my boss walks up and says, “Hey, look, you’re doing great stuff here, man, but you’re only going to go so far in academia without a degree. Go to school, get a degree.” And I started school a month after that interview. As we speak, I’m six months away from having a Bachelor’s Degree in Business.
Congratulations—that’s really great.
Thanks, I feel really good about it. But back to the new job: I credit UA President Dr. Donald Bobbitt and the board of trustees and all the school chancellors and Steven Fulkerson, the UA System CIO, for their vision in making cybersecurity a System-wide, System-level conversation. There are 22 schools within the System. Only three of those—UA Fayetteville, UAMS, and UA Little Rock—have dedicated cybersecurity people. The other 19 have just been kind of on their own.
And some of these schools aren’t small. There’s UA Pine Bluff—not a small school. There’s the Division of Agriculture—not a small operation by any means. But for a lot of the schools, their IT shops are one, two, three-person shops. I’ve been in a small shop in my career, and sometimes it’s all you can do just to keep the lights on. You don’t really have time to dig into a specialty and keep up with the changing threat landscape that we see with cybersecurity. I used to say it was a daily changing thing, but it’s now almost an hourly changing thing.
Was there someone in a similar position before you, or is this a totally new thing for the UA system?
It’s a brand-new position that they created and posted for applicants, and I applied for it. But Steven Fulkerson, the System CIO, has led an initiative for the last few years to bring all of the schools under one umbrella from an HR and a financial system perspective. Used to be, there were 22 different financial systems out there. For every board meeting, which happens every quarter, trying to get all 22 schools’ financials together was almost a constant thing.
Well, now all 22 schools are live on Workday, which is a Cloud application that allows organizations to manage their HR and their financials and get quick visibility into how they’re doing. So now if the board wants expenditure information on all 22 schools, we can get that in 30 seconds. It took about three years to get all 22 schools implemented into Workday. UAMS was the last one to go live—they went live this past July.
Was cybersecurity just one facet of this unified vision? Or was there something that had been happening that made the cybersecurity more of a priority?
There are constant threats, and there have been some incidents throughout the System. But again, this cybersecurity aspect was part of Steven Fulkerson’s holistic vision. He went to the board and said, essentially, “Cybersecurity isn’t a UAMS conversation, not a Cossatot or a Pine Bluff or a Fayetteville or a Batesville or a Phillips County conversation. It’s an us conversation.”
And to make that work, the System needed someone who could be nimble and adjust to the diverse needs of all of these schools. Because they all need something different. One morning I may be working on high-level strategy ideas with Fayetteville or UAMS, and in the afternoon I’m drilling into a portal of one of the smaller schools and saying, “Hey, look, this isn’t configured to best practices. MFA fatigue attacks are a thing, you know, so let’s get away from doing the approved or denied push notifications on your phone. Let’s start doing number matching. Let’s start providing additional context.”
So it’s a really fun job. I get to be in the weeds, but I also get to have strategy conversations.
You mentioned incidents—can you tell me what kinds of cybersecurity incidents you’re talking about?
I can give you a little bit of detail about it. We had one of our smaller schools hit by ransomware before my position was even created. And the conversations afterward were like, “Gosh, I never would have expected that they would want to come after us.”
And my reply was, “The bad guys don’t care who you are. They didn’t wake up in the morning and say, ‘Hmm, I’m going to hit UA Small School down in whatever little town.’ They just knocked on the door, and we’ve got to be resilient enough to not answer.”
It’s a numbers game. The more doors they knock on, the more answers they’re going to get. And the more answers, the more money they’re going to get. These days, ransomware is a service. You don’t even have to have skills now to be a hacker. The real hackers will give you the software for free, maybe even give you some targets, and say, “Here, go for it. Just run this stuff.”
And then if the “script kiddies”—that’s what I call them; they’re not real hackers, just kids running scripts—if they’re successful, then they’re obligated to give a cut of the take to the authors of the software.
Or knees get broken, I guess.
Yes. They swim with the fishes. But what I’m really learning, and what I’m trying to teach my schools is, the threat landscape’s changing so, so quickly. What that means for us is that we’ve got to change as well, because the bad guys have to be right only one time. We have to be right every time. So we’ve got to do more, faster.
A lot of the time and focus for cybersecurity and ransomware goes into prevention. But just as valuable is the ability to recover after an attack. Okay, they got in, we’re locked up. Now what? In one case, the Bitcoin ransom was the equivalent of X dollars. The question was, Do we pay it, or can we restore our data? We tested our restores, and our test backups seemed to go pretty well. So we said to the hackers, “You know, we’re not going to pay.” Instead, we just wrote off the ransomed data and restored everything over one weekend. We were back up and running by Monday.
So you’ve got to be confident that your backups are good. That’s a very, very critical part of it.
What were some of your concerns going into this new job, and how has that worked out?
Part of my concern was, I’m going to be seen as the bad guy and the schools are going to resist. But what I’ve found is that they’re all for it. They say, “What you’re telling us to do, we’ve been trying to get done.” But while they do want to strengthen their cybersecurity stance, they also want to keep their regular users happy. It’s a bit of an internal conflict for some of them.
So I tell them, “Hey, look, schedule it, do it, and tell everybody that the mean guy in Little Rock told you to do it. Blame it on me.” I don’t have to have the one-on-one relationship with their users. I don’t go to church with them, I don’t see them in the grocery store. It’s not that I don’t care about their opinion or how these changes impact them—we want to do everything we can in a frictionless and cooperative way. But my ultimate charge is protecting the data of the System and that’s what I’m worried about the most.
Do you have a lot of people working with you on this?
For a 25+-year computer nerd, I’m in a kind of funny—quote-unquote—situation. Because I’m a CISO shop of one. I have no staff, none of the people I work with reports to me. So I don’t have the authority to tell them to do anything. But using my people skills, I can convince them. Hey, look, this is what we’re seeing. And for the most part they’re extremely open minded. They want the help.
How are you getting around to all these schools—in person, or on Zoom?
I’m doing a lot of Zoom calls. But I do travel. I’m trying to make my rounds to all the schools. Security isn’t just the software part of it, it’s also physical. So I want to visit everybody’s data centers, data closets, whatever they have. Sometimes they’re a little reluctant, worrying that maybe they’ve not paid as much attention to their data closets as they should, and things are kind of messy. But I tell them, “I’m not holding this against you—but I can’t help you fix it unless I know how bad it is.”
So it’s been good to visit and put faces and names together. Sometimes when you’re in a small shop, you can feel kind of disconnected from the mothership, from Little Rock. And I think part of my job is to make sure that they’re not alone.
You know, when I got into computers all those years ago, I didn’t know what was going to happen on any given day. I didn’t know who was going to call, didn’t know why the phone was going to ring or what the problem was going to be on the other end. Now, after a long, long while in IT, I eventually worked my way up to the CIO level, and somewhere along the way I began to feel like, Well, I kind of do know what’s going to happen now on a day-to-day basis. That’s when I decided to switch my focus to cybersecurity. It reset the variables and became exciting again because everything changes so quickly. And I can be a big help to these schools.
But you can’t rest on your laurels. Cybersecurity keeps changing, keeps mutating. That’s why I’m also getting involved with other groups across the state. I’ve just joined the advisory board of Forge Institute, for example. Iron sharpens iron, and I want to be around all these other thought leaders. I want to learn how they’re handling challenges and share how I’m handling them.
We need to put our brains together and draw from all sorts of populations to fill the gaps that we’ve got, because this challenge isn’t going to slow down.