Medha Bhalodkar, Chief Information Security Officer (CISO) and Enterprise IT Risk Officer at Columbia University, is responsible for the cybersecurity, compliance and information technology (IT) risk management of the institution’s 17 schools and 10 global centers.
Managing the university’s over 1 million student, faculty, alumni and other stakeholder identities and protecting digital assets from cyber threats is no easy task, but Bhalodkar leads with years of expertise, having built Columbia’s cybersecurity and IT risk management program from scratch.
Bhalodkar was recruited into programming after graduating with a B.S. in Chemistry and Biology from Mumbai University. Over her career, she has held IT leadership roles in data centers, IT auditing and risk management. She is the recipient of many cybersecurity and risk leadership awards, including the Global CISO of the Year from EC-Council, two-time North America Information Security Executive of the Year from Tech Exec Networks, and the 2020 Wasserman award from the New York Metropolitan Information Systems Audit and Control Association (ISACA). Bhalodkar was only the fourth woman to receive the Wasserman honor since its founding in 1978.
In 2006, Bhalodkar became Columbia University’s first CISO. Her IT background in the financial, education and healthcare sectors informed her work in higher education as she carefully built the framework that protects Columbia’s community and cyber assets today.
“I started with forming the policies — understanding what’s critical for Columbia, what data is sensitive, what is not safe to do, and what needs to be protected from a security standpoint,” says Bhalodkar. Working closely with the Chief Executive Officer (CEO), Chief Information Officer (CIO) and Chief Financial Officer (CFO), she prioritized the protection of intellectual property, such as the research of Nobel Prize-winning faculty at the school, and personally identifiable information (PII).
After classifying the types and priority levels of the university’s data, Bhalodkar developed policies pertaining to its protection on the server side and at endpoints, and she worked to create a governance structure for the institution’s data management and cybersecurity efforts.
Prior to developing the cybersecurity and risk management program, the IT teams at all of Columbia’s facilities operated in siloes. Bhalodkar unified and centralized cyber operations with the new framework, allowing her team to collect and assess threat information across the university and its entities.
At the start of the program, Bhalodkar had one employee. Now, she oversees multiple teams of information security and risk management professionals to manage Columbia’s IT policies, data protection, cybersecurity, identity and access management (IAM) and enterprise IT risk management and governance across the institution.
In scaling the program to the university-wide framework it is today, Bhalodkar tackled security and risk challenges head-on. She focused on remaining on top of the ever-changing security threat landscape and evolving regulatory requirements of international data protection and higher education environments; developing relationships with leadership across the organization, including Columbia’s global centers around the world; and reporting risks and mitigation strategies to the institution’s Board of Trustees in a concise, accurate and centralized manner.
The risk and regulatory challenges of centralizing a global operation necessitate clear communication of the IT risk management framework across Columbia’s various facilities, according to Bhalodkar. Whether she is liaising with global center leaders or the university board, she stresses the importance of tailoring risk communications to her audience. “Understanding what you’re communicating and how you are demonstrating impact is far more important than communicating isolated volume, numbers or threats,” Bhalodkar says.
It’s also important for cybersecurity leaders to aid the overall mission of their organization, according to Bhalodkar. Building security as a business enabler comes down to how IT teams interact with other departments, she says. Instead of enforcing security policies reactively, cybersecurity team members can approach other departments working on projects involving IT components by offering proactive guidance. “If a project has a technology component and security asks, ‘Can we look at the workflow and help co-create the right strategy for you?’ it shifts the perception of the cyber team from roadblock to enabler,” Bhalodkar says.
Bhalodkar isn’t just an expert at communicating with her colleagues — she also helped create Columbia’s Master’s program in Enterprise Risk Management, educating future business leaders on how best to mitigate and assess risk in their organizations.
“That program is very, very dear to me,” she says. The Master’s program, similar to Columbia’s cybersecurity and IT risk management framework, was developed in response to organizational risk siloes, so risk can be presented “to leadership through a single pane of glass, rather than everybody reporting differently,” she says.
She worked directly with Columbia’s Dean of the School of Professional Studies to draw up the degree charter, addressing these siloes. In the five-plus years since the program began, more than 25,000 leaders have graduated after learning the foundations of risk management Bhalodkar helped develop.
When she reflects on her accomplishments, Bhalodkar is most proud of bringing lessons from each aspect of her career path to her security and risk management work. She credits her teams and guidance from many of her peers and leaders for her success today and is passionate about passing it forward to other women who look to enter the cybersecurity and risk management field. From her time as a programmer and data center manager to her CISO and Enterprise IT Risk Officer roles, “All of that traveling has made me what I am today and will drive me forward from here,” Bhalodkar says.
