Written by Jeff Budlong | Photo by Christopher Gannon
Jan. 28, 2025
Keeping research cyber threats at bay
Ciarán Bowe
- Security compliance manager
- Information technology services
In Ciarán ("keer-awn") Bowe's office in the Durham Center, there's no clutter, just the necessities: a computer, two monitors, table and chairs, microwave and a small refrigerator.
Bowe avoids distractions because his job demands that he keep an eye on the details and the big picture simultaneously. He is information technology services' (ITS) security compliance manager, charged with research security and payment card compliance across campus.
It's a role he believes in but never could have envisioned 15 years ago, before a family friend visited Ireland on vacation. A year later that friend became Bowe's wife, Jill, who grew up in Iowa and called Ames home. After two years abroad the couple moved to Ames, and Bowe's plans shifted.
"I had a background in financial services, so I thought I would come here and get a good job at a bank," he said. "That didn't happen right away, and my wife encouraged me to look for something at the university."
He landed in the internal audit office, working on operational, compliance and financial audits for every college and division. Bowe is a certified information systems auditor and became the first IT auditor at Iowa State in 2018. By 2020, IT compliance became more vital, and chief information security officer Rich Tener tabbed Bowe to lead the effort.
"Anything with a regulation, industry standard or contractual obligation with a cybersecurity component involves me," he said.
Bowe assists Iowa State's run of record external research funding by helping researchers meet partners' cybersecurity requirements. How important is his role?
"His work is extremely complex and oftentimes it's in an area he may not know anything about, going into it," said Jerry Zamzow, associate vice president for research. "There are security plans that need to be put in place, updated and reported on regularly, and we get new grants every day that bring new requirements. Without his work, research can't start -- and that affects faculty, staff and graduate students."
Follow the story of the data
Bowe shatters the stereotype of an IT professional bound to a computer all day. Working as an auditor helped him develop relationships with research administrators in the offices of sponsored programs administration, intellectual property and technology transfer, research ethics and others. Those connections ensure security questions get referred to him.
"My role is primarily relationship-driven," he said. "I am by no means the most technical person on my team. What's important is that I can develop relationships with researchers, we trust each other, and can talk through and address issues, starting with an agreed set of facts."
The relationship is vital because each project requires Bowe "to reinvent the wheel," Zamzow said.
"He learns from them what they are trying to do and then comes up with a way they can do it that meets the requirements," Zamzow said. "He is calm and doesn't try to police what they are doing. He is support-oriented without being an obstacle, while still doing his job."
Some research awards are tied to regulations that have specific security controls for project data, and even unregulated efforts must comply with the university's minimum security standards. Bowe doesn't need an in-depth understanding of the science as he delves into a project. His question set for researchers remains fairly consistent:
- How will data be generated or received?
- Where is the data going to be processed and stored?
- What systems will it interact with?
- Who will have access to it?
- How will access be controlled?
"My job is to follow the story of the data, because security controls have to be wrapped around the process every step of the way," he said.
Developing a security plan takes hours to weeks and involves conversations with a principal investigator, sponsors, units and other IT employees to understand the nuances, Bowe said. Each step of a plan can impact multiple groups, so he must consider them all.
Enhanced security coming
Bowe said Iowa State takes cybersecurity seriously and credits ITS leadership for encouraging professional development so employees remain knowledgeable and current as cyberattacks get increasingly sophisticated.
Bipartisan action at the federal level has resulted in stiffer regulations around research security, and sponsors are asking more questions while requiring more security for even basic science, Bowe said. A universitywide cybersecurity plan soon will be necessary for all federal research on campus, a result of the government emphasis on research security.
"The federal government is becoming increasingly serious about enforcement around regulations for securing certain datasets," he said. "We have always taken it seriously."
Payment card protection
Carrying cash or writing a check to pay for items on campus is becoming a thing of the past. More than 40 campus units accept card payments in about 100 online or physical locations, from dining services to Veenker golf course and the ISU Extension Store, Bowe said. Another piece of his job is to make sure payment cards are processed using only approved vendor systems.
Bowe works closely with the treasurer's office to ensure a portfolio of secure and compliant tools. He meets with every unit using card transactions to understand their process, ensure the tools they use have been approved and educate them on risks posed by scammers. Approved tools must be used as intended, and payment card data can't ever be stored on university systems, he said.
"I try to be transparent about the security and compliance risks that drive why we need to do things the way we do," Bowe said. "It's ultimately so that campus units can continue to bring in large and small amounts of revenue to pursue their part of the university's mission. Payment card funds help support research, teaching and student activities."