Joseph Burgoyne: Think Like a “Malicious Actor” When Assessing Security Risks

Faculty Spotlight

Lecturer in Computer Science
Senior Director, Cyber Security at GE Healthcare
MBA, Southern New Hampshire University; BS, University of Massachusetts Lowell

What are your areas of expertise?
My areas of expertise include medical device cybersecurity, information security, risk management, data privacy, HIPAA, security architecture, audit and compliance (ECC, C-TPAT, ITAR, PCI), physical security, vulnerability and patch management, eDiscovery, litigation support, mergers and acquisitions, training, project management, and investigations.

How does the subject you work in apply in practice? What is its application?
The application of security is risk-based. We cannot eliminate risk, so we try to reduce it to an acceptable level in a cost-effective way. Every organization has a different risk tolerance. Our job is to manage risks across our organization. Security is not a technology, it’s a process that’s ongoing and needed to meet the changing cyber-threat landscape.

Having a security leadership role requires a broad understanding of the business, stakeholders, and overall risk tolerance of the organization. Implementing the appropriate security policies and controls is necessary to protect the confidentiality, integrity, and availability of information.

Even password policies require careful thought. For example, many organizations require password complexity with at least eight characters, and restrict the use of previous passwords. Password complexity includes at least three of the following four requirements: upper case letter, lower case letter, number, or special character. Passwords are typically set to expire every 90 days. These are all configurable settings within each organization.

If we configure more stringent rules, such as requiring employees to change their passwords every 30 days, are we more or less secure? In the password example, if frequent changes to complex passwords are difficult to remember, employees may start writing their passwords down on a piece of paper which defeats the entire purpose and is less secure. I have found the more difficult you make something for employees, the more likely they will find a way around it. Security shouldn’t make things difficult. When evaluating controls, we need to understand the use cases and applications. If a sales person is making a 30-minute on-site customer presentation, we don’t want them to spend half that time trying to get authenticated on their laptop—we want them talking with customers and making sales.

What courses do you teach in the program?
I am teaching IT Security Policies and Procedures (MET CS 684). We look at security risks and learn to implement plans and solutions that support organizational goals.

Can you highlight a particular project within this course that most interests your students?
It’s important to be able to think like a “malicious actor” when you look for weaknesses in systems. In doing so, we can remediate those weaknesses and protect our assets. Within the course we look at security not only from the inside, but also from an outside attacker’s perspective. When we talk about ways an attacker can compromise a system, it’s interesting to watch the reactions in class. Part of being successful in security requires us to think about how systems and solutions can be compromised. When we know how they can be compromised, we can apply fixes and protect our systems.

What “real-life” exercises do you bring to classes?
At the beginning of each class we discuss current security events making the news. It’s important to be objective and fact-based when trying to determine root cause. As security professionals we can’t let our personal feelings influence our thought process and analysis. We review and examine current events to determine what went wrong and, if given the opportunity to do it again the “right way,” what would we do differently?

I also talk about real-life scenarios and past experiences when appropriate, so the class understands the kind of situations we deal with daily. This helps supplement the class material and makes the topics more realistic. Security is never boring.

As a part-time faculty member, you straddle the professional and the academic worlds. What do you consider the unique value this brings to the classroom?
My career has been built upon supporting business strategy and implementing value-added initiatives that support the organization’s long-term goals and objectives.

Security isn’t theoretical; we need to provide and deliver tangible solutions that lower risk and support business objectives. When asked questions, we offer answers and solutions. Security must be an enabler within our organizations, and in close collaboration with key business stakeholders.