While Cybersecurity Month is not up there with Halloween and pumpkin spice when you think of October, it is a great time to put the spotlight on this critical topic. It’s especially important at Nelnet, where we have numerous brands across eight industries, including banking, government, telecommunications, and financial services, to name a few. Protecting the personally identifiable information (PII) of millions of customers and associates is vital to the success of the organization.
According to Nelnet’s Chief Security Officer Ryan Combs, Nelnet’s cybersecurity teams “do all things cyber for all things Nelnet, meaning that we’re involved at a shared service, corporate level. You name the line of business and we are probably involved in some capacity or a lot—it varies.” This explains how Nelnet has been a perfect environment to develop the careers of young professionals looking to gain experience in the cybersecurity field and has been able to attract talented cybersecurity professionals looking to flex their muscles with new challenges.
Security First, Compliance Always, Audit Anytime
Combs says Nelnet takes an approach to the field of cybersecurity that’s summed up in a short phrase: Security first, compliance always, audit anytime. Combs explains what this means: “Compliance is the floor, it’s table stakes. We have to be good at compliance, and that compliance is multiple different frameworks. Because of the diversity of those frameworks, we also have to expect that we will have audits at any given point in time, not just when there’s one planned. We may have engagement from regulators, the Federal Deposit Insurance Corporation (FDIC) and Federal Student Aid (FSA). We have an ongoing compliance process that we use. So compliance and audit are things that are the bare minimum that we have to do.”
Where does security come in? According to Combs, “Given the nature of cybersecurity, compliance and audit are what I call lagging indicators, meaning the frameworks we have to be compliant with and we’re audited against aren’t as current as the things happening in the world of cyber. ‘Security first’ doesn’t mean it’s a priority over other things. It means it has to be in the context of compliance and the audit landscape that we operate in.”
To protect against threat actors or bad guys, Nelnet takes a security-first, defensive posture. According to Combs, “Our strategy is to invest in prevention as an organization, not just within the cyber team, but through the relationships we have with all technology that Nelnet uses to do business. We also assume that sometimes that can fail. So we invest equally in detection, understanding that if we’re under attack or something bad is happening in our environment, the faster you can detect it, the faster you can respond to it.”
Combs notes that if teams act quickly enough, “We can either minimize the impact or turn it back into prevention because we were able to respond so quickly that we stopped the outbreak.”
Nelnet’s Director of Cybersecurity Ryan Regnier heads up Protective Operations, which includes both defensive and offensive cybersecurity teams. The defensive approach ensures we’re doing detection at the fastest rate possible. The offensive team does application security and also includes a red team, more commonly known as ethical hackers. The responsibility of this team is to identify weaknesses in our environment before bad guys do.
According to Combs, another group called Vulnerability Operations includes three teams working closely together. One identifies vulnerabilities in the attack surface and works with other teams to mitigate or remediate those vulnerabilities. Another team, Detection Engineering, considers what we need to ingest across all of our technology in order to do threat correlation. The third team, Architecture and Engineering, can architect a solution that has fewer vulnerabilities as time goes on.
“Lastly, the Governance, Risk, and Compliance area is combined with privacy, and this is where we manage our risk,” says Combs. There are over 100 engagements per year. The group runs a security architect review board and hosts a steering committee to review highly complex and technical risks.
Challenges of Managing Cybersecurity at Nelnet
Combs notes, “The most challenging part is understanding the diversity of the business that we have in this hybrid holding company called Nelnet. It’s critical for us to understand our businesses and then bring the expertise, experience, and depth we have in our cyber background into the context of that business to help it be successful.”
According to Combs, the goal in working with our businesses involves balancing cost versus risk and compliance: “It’s understanding the context of cyber threat intelligence and how it’s evolving in the world, and then finding the middle ground to balance out the business’ need to do business and the objectives they’re trying to accomplish with the right security controls for compliance. This all needs to be in the context of threats that are evolving minute by minute.”
Regnier notes one thing that’s the same across all of Nelnet: “Our team does a lot of firefighting or detective work, and that really doesn’t matter what business you’re in, or what framework. We’re applying the same principles, so that makes it fairly easy. What makes it more difficult is the business is so broad and we have so many different offshoots in different directions. When a particular thing is happening, it’s complex to determine, ‘Who do we need to notify?’ And then, ‘Does it affect this other thing?’ So, those are the bigger challenges because we’re so diverse.”
Cybersecurity Reminders From the Experts
When it comes to security advice or recommendations, Regnier says picking just one thing is challenging. He advises always being skeptical of everything and looking for signs to make sure you’re not falling victim to a scam. “Even if you did fall victim, the best way to protect yourself is to use really solid password hygiene, including multifactor authentication (MFA) where it’s available on everything you possibly can,” advises Regnier.
As Regnier points out, we’ll manage an estimated 500 passwords in our lifetime. “The things we’re trying to instill here at Nelnet really should trickle down into your personal life, and hopefully you’re able to go to your peers or family and say, ‘Look, you should do this because it just makes sense.’ It’s annoying to change your password every 45 days and use a long and unique password, but in reality, you protect yourself when you do,” says Regnier.
Combs adds, “This is a highly monetized industry. Bad guys will try to get ahold of your credentials. So know how to protect your identity with MFA and password management. And understand that there is a bad guy trying to get your identity from almost everything that you’re interacting with on the Internet. Understand how that evolves and constantly evolve your use of that in your personal and work life to help protect yourself as much as you can.”
Learn More about Cybersecurity
We hope you enjoyed learning more about Nelnet’s cybersecurity teams and receiving tips from our experts. For more information on how to protect yourself from phishing scams, improve security on your mobile device, and more, explore these Cybersecurity Awareness Month resources from Nelnet brand CampusGuard.