Cybersecurity Leaders – Gabriel Doncel, Director Information Security at Drexel University
Cybersecurity Leaders – Gabriel Doncel is a global cybersecurity professional with 15+ years of experience in a variety of IT Security roles that include information security leadership, architecture, engineering, and infrastructure support.
Gabriel joined Drexel University in 2019, where he is currently Director of Information Security. He is also part of the University of Delaware and Wilmington University Adjunct Faculty. As a member of the Information Security team at Drexel, and working closely with the campus community and outside parties, his focus is to protect the people, information and systems of Drexel University.
Prior to joining Drexel, Gabriel was Cybersecurity Resiliency Program Manager at Christiana Care Health System.
He earned a Bachelor of Science degree in Computer & Network Security from Wilmington University, a Master of Science degree in Information Systems and Technology Management, and a Master in Business Administration, both from the University of Delaware. His certifications include CISSP as well as C|CISO.
Are there any common traits as to what makes a successful security program?
A successful security program is one that is aligned with the goals of the organization, utilizing effective control mechanisms to protect people, information and systems.
Striving to mature the security program from mostly reactive to proactive is key, as is identifying and preventing incidents from happening in the first place. One of the ways to advance a program and to showcase this progress is to regularly update metrics that highlight what is working well, and what needs to be addressed. Another way to assess your program is to perform regular resilience testing in the form of pen tests, purple team or table-top exercises. These are great tools to evaluate your progress in a controlled and low pressure environment, and identify areas that could use additional attention.
Lastly, depending on your industry, there are a number of frameworks available that a successful security program should be aligned with: NIST, CIS Top 20, HITRUST, to name just a few.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
As security leaders, we need to approach our organizations as educators in technology, security and privacy issues. One of the techniques I have often used is to discuss cyber hygiene from a home-use and personal perspective, and then relate those behaviors to the workplace. This can be accomplished by presenting scenarios that are engaging and relatable to most users. We need to leverage all of the tools at our disposal, engaging throughout the organization in different ways, from attending department meetings as a guest speaker, new employee orientations, regular newsletters, and providing online training. It is also crucial to reinforce positive behavior, and leverage the team’s competitive nature, for example recognizing those that often identify phishing emails and scams, or discover vulnerabilities.
Throughout the year there are also scheduled events such as National Cybersecurity Awareness Month in October that give us an additional opportunity to engage with the community and showcase our team’s progress, including fun activities, awareness posters, and contests that raise awareness in a fun and educational way.
What are the biggest challenges you face in the year ahead?
One of the biggest challenges we face is our ability to maximize the investments in technology that we have already made, identify areas that may need additional attention and implement controls that will provide an acceptable level of security without overtaxing our users, as well as our existing security and IT staff.
As more of our workloads move to the cloud, being able to extend similar controls to those cloud environments to maintain a similar level of cyber-resilience will be another major challenge that involves making sure our staff is educated in these new skills and tools needed.
Lastly, the threat landscape continues to evolve, and the proliferation of IoT, 3rd party vendors, and cloud solutions increases our threat surface.
How can CISOs / Leaders balance security and innovation?
As leaders, we need to encourage innovation across our organization, but we also need to take on the role of advisors so that security requirements are accounted for as early as possible in new initiatives. Data and innovation go hand in hand, so as cybersecurity professionals we need to have a clear understanding of data security and privacy requirements and work with our constituents to focus on potential risk and remediation strategies.
We also must think of ourselves as innovators and challenge our teams to think of new ways to look at existing problems, simplify how we implement controls and drive higher levels of automation to compensate for the lack of resources. Adopting cloud solutions, to reduce our team’s infrastructure footprint and maintenance burden, or embracing SOAR tools, that assist in the integration of existing solutions and automation of repetitive tasks, are some of the ways that we can drive innovation.
How important is information sharing within the sector to keep abreast of new threats and cybersecurity best practices?
Information sharing is critical not only within our own sectors but also reaching across to other sectors that are more mature in cybersecurity, as well as government institutions and law enforcement. In the US we have Information Sharing and Analysis Centers (ISAC) that represent different sectors and play a key function in providing resources that are unique to our industries, such as gathering and distributing alerts and advisories, workshops and even incident response assistance.
There are also many other opportunities at the regional level or through networking organizations to connect with security teams that are facing similar challenges or implementing similar tools. These can be very valuable in order to exchange lessons learned, what has worked well for others, and avoid potentially costly mistakes. In the Philadelphia region the Higher Education and Healthcare cybersecurity community is very close, and we often have calls and events where we can network.
It is also important to stay abreast of developments in the vendor space, leveraging these partnerships for awareness of new developments and technologies in the industry.
Closing statement
As leaders in cybersecurity, our roles are becoming increasingly difficult, yet highly visible. We need a new approach where we empower our organization by implementing cyber resilience processes and technologies that minimize risk to manageable levels.
We also have a duty to develop and mentor future generations and those already in our organizations that are interested in one of the many facets of information security. This is key to minimizing the risks that skills shortages pose to our programs in the long term.