Blair’s Problem-Solving Vision Created CMU’s Information Security Office

Mary Ann Blair doesn’t wear a badge or a police uniform, but her mission is to protect and serve the Carnegie Mellon University community. She’s CMU’s chief cyber cop and founder of the university’s Information Security Office (ISO). 

Blair’s rise to head of information security at Carnegie Mellon was an unlikely one that began 30 years ago. A psychology and philosophy graduate of the University of Pittsburgh, Blair started her career conducting psycho-social research as part of the National Surgical Adjuvant Breast and Bowel project. From there, she took a position with the National Liver Transplantation Database project at Pitt, working with the late, legendary Dr. Thomas Starzl. The team established methods that matched donors and recipients, and enabled investigation into what helps patients recover. She also coordinated information coming from the computer servers at five transplantation centers across the country as data director for Pitt’s Epidemiology Data Center.

Her course abruptly changed after a phone call.

“I had earned a master’s degree at Pitt in information science and was just starting the Ph.D. program in epidemiology, when I got a call from CMU about an IT (information technology) job. So, I thought I’d take a break from what I was doing … and the rest is history,” she said.

Blair was CMU’s director of Administrative Computing at a time when security breaches were beginning to pop up across the higher education landscape. She pulled together a few colleagues from Administrative Computing and Computing Services — two distinct operations at the time — and co-authored a white paper, titled “Developing a Coordinated and Sustainable Information Security Program for Carnegie Mellon.” In it, Blair referenced an article from the Software Engineering Institute’s Computer Emergency Response Team, “Avoiding the Trial-by-Fire Approach to Security Incidents.” Her goal was to get ahead of the curve.

“We wanted to create a centralized function that would monitor networks, provide training and awareness, and provide policy and tools. It was a holistic approach.

“For me, it has always been about seeing a problem and being interested in addressing it,” Blair said. “CMU values vision and execution. If you have a vision and you develop a path to execute on that vision, CMU will support you whether you’re faculty, staff or a student.”

Her vision and plan were approved by university leadership and CMU’s Information Security Office was established in 2004. Shortly after, CMU detected its first security breach of personal information and the ISO responded quickly, contacting those who were affected and providing guidance for protection from identity theft. The immediate response set the standard in higher education and the steps taken became best practices for EDUCAUSE, the nonprofit organization that supports information technology in higher education.

“For me, it has always been about seeing a problem and being interested in addressing it.”

“It was awkward to gain notoriety because we had a breach,” Blair said, “but it allowed CMU to build on its reputation as the birthplace of cybersecurity and incident response teams. One of the tenets of our white paper was to make sure we were taking our own advice that we were giving to the world.”

Today, the ISO team of 22 individuals includes an identity and access management team, a policy and compliance team, a training and awareness team, a security engineering team and an incident response team. The ISO’s Security Operations Center monitors CMU networks around the clock looking for suspicious activity and vulnerabilities. A staff member at CMU-Qatar covers the midnight to 8 a.m. shift.

“We talk about protect, detect and respond,” Blair said. “Security is only as strong as our weakest link, so we need every person to play their part. Part of our duty is to inform, make people aware and give them the framework and guidance for securing themselves whether they are on campus or at home. If you do the basic things, you’re not going to get hacked.”

Blair said the basics include using strong authentication, keeping your systems up to date, having good backups, and not clicking on every link or browsing all over the internet where attacks are sitting “like ticking time bombs.” She said all the basics are listed on the ISO website.

“If you do the basic things, you’re not going to get hacked.”

As part of its training and awareness program, the ISO conducts monthly simulated phishing campaigns to assess an individual’s vulnerability to a hacker.

“If you click on one of our links, you’ll see it’s a simulation and we’ll tell you what you should have noticed before clicking. That operation came out of research conducted at CMU’s CyLab in 2008 and is now a standard and best practice across all industries,” Blair said.

This month, the ISO is sponsoring a “Catch the Golden Phish” contest in recognition of National Cybersecurity Awareness Month. The ISO is randomly sending every undergraduate student at CMU one simulated phishing email message based on a real-world phishing attack. Students who catch the phishing attempt and report it using the Phish Alarm button located in either Gmail or Exchange will receive a congratulatory message and will be automatically entered to win a prize. 

When a real phishing attempt is identified by the ISO, the office alerts the recipients, blocks the attacker, blocks the response if one was sent and ensures stolen credentials weren’t used to login to other systems. If you receive a suspected phishing attempt, immediately forward the email to iso-ir@andrew.cmu.edu.

“Generally, our folks are so good at reporting things so quickly that we sometimes redact that phishing attempt from peoples’ inboxes long before they ever knew it was hitting them,” Blair said.

The ISO also is hosting a series of webinars this month to raise awareness of cybersecurity issues. Topics include cloud computing and the 2020 global attack on SolarWinds, a provider of IT monitoring software, that affected CMU. The intruder built malware into SolarWinds products that hacked systems when patches, or updates, were applied.

“We saw the activity in our Security Operations Center and we thwarted the attack and mitigated the problem long before the rest of the world was aware of what it was,” Blair said. “That attests to the diligence and vigilance of our team. It was a software supply chain attack, and there were over 33,000 victims of that breach.”

“The energy of the campus and CMU’s mission ... makes CMU a super-special place to be.”

Despite their success, Blair and her team remain humble.

“We’re not here to make a name for ourselves,” she said. “Every day without a headline is the best day. If no one notices us, then we’re doing our job.”

After 17 years as head of the ISO, Blair remains energized to collaborate and innovate, and looks for ways to connect with the educational and research mission of the university.

“We are a natural laboratory for cyber study. We partner with researchers and we love to make those types of connections that lead to advances, like simulated phishing. Those are real-world advances that you just don’t get anywhere else.

“The energy of the campus and CMU’s mission are very exciting and rewarding and makes CMU a super-special place to be,” Blair said.

In her spare time during the pandemic, she’s been doing a lot of stand-up paddle boarding, biking and snow skiing, and can often be found cheering at her son’s soccer games. She also organized a small group that meets regularly to play the ukulele.

“I am a very active person,” she said.