Weaving Security into the Fabric of Culture

Amber Smith, Executive Director of IT and CISO, Ohio Christian University

Amber Smith brings 40+ years of IT experience across mainframes, UNIX, XENIX and Microsoft systems. A Certified Systems Engineer and Trainer, she supported Texas Southern University and the College of Biblical Studies, led as Sonis User Group President for 25 years and now serves as Executive Director of IT and CISO at Ohio Christian University.

Through this article, Smith shares how cybersecurity, for her, goes far beyond ticking boxes. It's about building a culture where everyone plays a part, staying curious and prepared for what's coming next and leading to keep people, data and systems truly safe.

A Relentless Drive for Protection

My commitment to cybersecurity isn’t something I clock in and out of; it’s a constant, active pursuit. In my free time, I stay current by reading security news and exploring insights from sources like Certified Information Systems Auditor (CISA), the U.S. Department of Homeland Security (DHS) and InfoSec. I also attend webinars, summits and peer meetings to stay ahead of emerging threats.

But staying informed is just the first step. Every time I learn something new, I bring it back to our environment—analyzing vulnerabilities, updating protocols and strengthening our defenses. Because just like in the physical world, knowledge is the first line of defense against risk. For me, security isn’t just about technology. It’s about building a security-first culture. That means empowering everyone, not just the IT team, to be part of the solution. I believe in layered defense, so that any attacker finds our systems too complex to compromise and moves on.

Readiness must be tested. That’s why we need unannounced drills across departments—not just tabletop exercises, but real-time simulations that reveal where communication breaks down or training falls short. Real security is about preparation when it matters most, especially when no one sees it coming.

Guiding the Ship with a Strong Crew

I’m fortunate to have an exceptional team. Without them, none of these cybersecurity efforts would be possible. I might be guiding the ship, but they’re the ones keeping it moving forward.

I’ve had the opportunity to contribute to several highimpact initiatives with them. One that stands out is my work with the Incident Command System for Industrial Control Systems (ICS4ICS), where I helped integrate cyber security protocols into the National Incident Management System (NIMS). That year of hands-on involvement led to certifications as an Incident Commander, Operations Section Chief and Planning Section Chief—each of which strengthened my ability to lead during high-pressure events.

One of the projects I’m most proud of during that time was leading the development of the Higher Education Incident Response Exercise, a downloadable framework that colleges and universities can adapt to their own needs. It’s a tool designed to build readiness across institutions.

“While compliance is essential, I believe it’s only half the story. Real protection means being resilient, so I constantly ask: What else can we do to be better prepared for the ‘what if’ moments?”

That same mindset of preparedness has guided me throughout my career. Back when I was regularly on campus, I walked every building, documenting each building's full network layout and infrastructure. From cables to equipment to structure—everything was labeled and mapped. That attention to detail ensures we’re not only secure but organized and prepared for anything that comes our way.

Growing a Risk-Informed Culture

I’ve made it a personal mission to ensure everything in our network is meticulously documented. From layouts to protocols, I believe the finer the detail, the stronger our defense. But protection isn’t just about keeping threats out; it’s also about how quickly we can recover if something does happen.

To guide our security efforts, I rely heavily on industry standards like the Gramm-Leach-Bliley Act (GLBA) and the National Institute of Standards and Technology (NIST) framework. While working with the Operational Conversion Unit (OCU) in the Air Force, I led the University’s efforts to achieve GLBA compliance by the deadline, an achievement that earned me the Administrator of the Year award.

That experience deepened my interest in governance and oversight. So, when a third-party Risk Assessment fell short of expectations, I spent three weeks learning the process myself to engage in an informed discussion.

Now, I’m actively pursuing certifications like Cybersecurity and Infrastructure Security Agency (CISA) and Cybersecurity Maturity Model Certification (CMMC) Assessor and diving deeper into the world of Governance, Risk and Compliance (GRC).

While compliance is essential, I believe it’s only half the story. Real protection means being resilient, so I constantly ask: What else can we do to be better prepared for the “what if” moments?

To that end, I’ve led initiatives beyond checkboxes, like having every department complete its contingency plan. These individual plans don’t just help departments prepare for disruptions; they also serve as the foundation for a comprehensive institution-wide Business Continuity Plan. The insights gained from those department-level submissions are often the missing links in creating a resilient institution.

Preparing for the Quantum-AI Era

Powerful forces like artificial intelligence (AI) and quantum computing are shaping the future of cybersecurity. When used ethically, AI offers transformative potential. But in the wrong hands, it poses threats we’re only beginning to understand. Organizations are pouring billions into these technologies, advancing faster than most realize.

As someone wired to anticipate worst-case scenarios, I often think about the “harvest now, decrypt later” risk. What if today’s encrypted data is being stored, waiting for the moment quantum computing breaks it wide open? I’ve already implemented post-quantum cryptography internally, but external protection is still limited, due to lagging browser support. That gap keeps me alert.

Another growing concern is how easily sensitive data can end up in AI systems. As AI tools become more common, people may unintentionally share confidential information, which could be stored, used or exposed in ways they didn’t anticipate. Now imagine combining that with the unmatched speed and power of quantum computing. Together, AI and quantum could create technologies that are incredibly capable, but also challenging to control or contain.

We must act now by securing what we can, by staying informed and by preparing our next generation through education in AI, cybersecurity and quantum readiness. Because in a future where technology evolves faster than policies, our greatest defense won’t just be code, it will be critical thinking, continuous learning and a culture that treats security as everyone’s responsibility.

Quantum Computing

Microsoft

Artificial Intelligence

Homeland Security

Business Continuity