In August 2023, whereas 1000’s of scholars at William Jewell School had been hauling mini-fridges and textbooks into dorms, the invisible, digital coronary heart of the campus was flatlining.
For a lot of safety groups, David vs. Goliath mismatches are the brand new regular, particularly within the training sector. Increased training has develop into a playground for risk actors who view universities as delicate targets: environments with huge assault surfaces, backlogs of technical debt, and IT groups compelled to do their finest MacGyver impersonation with restricted budgets. In contrast to a Fortune 500 firm with a devoted SOC, many mid-sized establishments depend on annual vulnerability scans that develop into out of date the second they’re printed. When a gaggle like LockBit goes down a geographic checklist of targets, they are not in search of a problem; they’re in search of the trail of least resistance.
For Nick Gicinto, an alum and veteran safety chief with expertise on the CIA, Tesla, and Uber, the decision for assist from his alma mater was a homecoming he by no means anticipated. He arrived to discover a campus in chaos and an insurance-mandated incident response course of that was extra targeted on compliance than precise closure.
Nick’s expertise on the entrance strains of this rescue demonstrates that cybersecurity resilience is about greater than technical restoration. In 2026, practically 140 new vulnerabilities are being discovered every day, and attackers are extra subtle than ever earlier than. This onslaught has compelled CISOs to shift their philosophy: you’ll be able to not construct a program across the hope that you simply’ll catch each flaw. True resilience now depends on radical, real-time visibility.
Greg Pollock, Cybersecurity’s Director of Analysis, sat down with Nick at RSAC 2026 to peel again the curtain on this assault. What follows is the complete, unfiltered transcript of that dialog. In it, Nick explains why he needed to sideline the usual IR playbook, how he purged the community, and the way he now makes use of third-party validation to show summary safety metrics into ROI for non-technical management.
This text initially appeared within the Might 2026 subject of The UpGuardian, a month-to-month publication devoted to cybersecurity storytelling. In case you like this story, subscribe to obtain future problems with the publication immediately in your inbox. Resilience Underneath Fireplace: Nick Gicinto on Surviving LockBitNick Gicinto (left) and Greg Pollock (proper) discussing the William Jewell LockBit assault at RSAC 2026.
Editor’s Observe: The next transcript has been edited in locations for readability.
Nick Gicinto: I used to be at residence in August of 2023, which was move-in weekend for our faculty. And as an alum, I occur to reside a few miles from the campus. I obtained a telephone name saying, “Hey, something really serious has happened at the school, and we need some help.”
This was really an existential risk to a small, personal liberal arts faculty. We had been hit with LockBit ransomware the identical week Boeing was hit for 60 gigabytes of knowledge. And I didn’t suppose it was truthful {that a} small personal liberal arts faculty needed to defend itself towards the identical threats that had been additionally profitable towards an organization like Boeing. So, I stepped up as a volunteer, as an alum, to assist them via the method of working this ransomware assault.
Sadly, what we discovered once we introduced the faculty’s incident response vendor in was that they had been following a playbook of check-box workout routines that the insurance coverage firm wished them to comply with. These workout routines weren’t actually ample in having the ability to inform us whether or not or not our community was nonetheless compromised. We didn’t have any info from the forensics investigation about how they obtained in or what we did to stop them. We additionally knew that 60% of ransomware victims get hit once more, as a result of they don’t shut the vulnerabilities or gaps earlier than they both pay the ransomware or they determine to not pay, after which, as soon as they restore from their backups, they get hit once more. I felt prefer it was a race towards time to have the ability to establish how we obtained hit and the way we might shut the hole to make sure we didn’t get hit once more.
A university of this dimension could possibly survive ransomware as soon as, however it definitely cannot survive it twice. Increased ed is already underneath assault, a minimum of in America nowadays, with enrollment down following COVID. They want as a lot income as they will probably get, they usually can’t afford to have most of these assaults incapacitate them and compromise their fame.
The anatomy of a LockBit ransomware assault
Nick Gicinto discussing the anatomy of a ransomware assault with attendees of RSAC 2026.
Greg Pollock: Nick, with out moving into personal particulars, what did you discover out by way of the forensics? As a result of, as risk researchers in all probability recall, LockBit is understood for being extraordinarily prolific. On the time, they had been probably the most prolific ransomware group, and usually focused the bottom hanging fruit utilizing already uncovered credentials or recognized vulnerabilities.
NG: Yeah, I believe this was a reasonably traditional operation for LockBit. And we additionally heard after the truth that LockBit hit a number of different universities near us. Nearly like they had been simply taking place a listing, taking a look at schools geographically after which simply hitting them suddenly, type of like a shock assault.
Conducting their assaults throughout move-in weekend will increase the chaos, stress, and urgency {that a} faculty has, and significantly may enhance the probabilities that they may pay, proper?
However what I discovered is that the majority increased ed establishments are a really delicate goal. You’ll suppose, and you’d anticipate that they might have MFA throughout the board. You’ll anticipate that they might be sufficiently progressed in the direction of transferring in the direction of cloud for safeguarding a minimum of the coed information and the vital datasets and issues that matter most to the faculty.
What I form of discovered once I obtained there was that many of the issues that will be intuitive to us, or intuitive to a safety group, significantly from my expertise coming from locations like Uber, Tesla, and the CIA. Right here, they simply can’t give attention to it as a matter of prioritization as a result of they’re struggling to maintain the lights on in different places. And so, the quantity of technical debt that existed, the quantity of shadow IT that existed, and the truth that they had been largely counting on one annual scan of their surroundings had been simply completely inadequate.
They wanted a whole overhaul of individuals, course of, and know-how, which I believe is what numerous schools are in all probability dealing with. They’ve obtained an overworked IT group that’s making an attempt to maintain the community up with bubble gum and toothpicks. They don’t have the assets. They don’t have the bandwidth. Additionally they don’t have the cyber coaching and experience. However they’re anticipated to offer the accessibility and the safety on the similar time, they usually simply cannot do it.
So LockBit very simply took benefit of that. My aim is to consider how we are able to stop this from occurring once more. How can we make our faculty a tough sufficient goal the place we’re not going to be victims of these low-hanging fruit sorts of assaults anymore?
Ransomware timing: why attackers strike on holidays
GP: While you speak about occasions of the yr which are actually susceptible, risk responders take care of that on a regular basis. When it’s Christmas Eve for us, it’s Monday morning for financially motivated attackers. Are there different occasions of yr or methods through which that habits manifests?
NG: I imply, there’s one thing about Friday at 6:00 PM that dangerous guys actually get pleasure from, or chaos simply appears to present itself, proper? So I believe that’s typical. We type of knew that holidays had been going to be problematic.
For larger corporations with a bigger assault floor, you may be hit so many alternative ways in which I don’t suppose attackers typically await a specific time. After they discover one thing good, they go after it as quick as they will. And so [at Uber, Tesla, and the CIA] it was incumbent upon us to be hyper-sensitive and vigilant and conscious of our assault floor vulnerabilities, extra so than a school is.
Bypassing the standard IR playbook to seek out affected person zero
GP: Yeah, that’s an incredible level. At these enterprises, you’re doing fixed monitoring, you might have a number of assets. Right here, you’re simply making an attempt to be arduous to hit.
Let’s transfer on to the way you addressed this. So that you are available in, and it’s in whole chaos. However you might have in your thoughts a psychological mannequin for a way you’re going to work via this and construct a brand new program. So take us via that.
GP: Yeah, as a result of that creates work, proper? You’re creating extra work for your self by discovering these vulnerabilities.
NG: For certain, for certain. And you already know, satirically, proper, when you do not give attention to it, the pile will get so much larger, and it’s actually arduous to dig out of that. And you then’re like, “Well, which level 10 vulnerability do I want to tackle today?”
In order that was a part of my perspective: I wanted to have whole visibility as a result of I didn’t know what I used to be taking a look at. I could not actually see a lot. I could not even reconstruct the assault itself forensically as a result of they had been counting on the generosity and kindness of Microsoft and their A1 licenses. I used to be most involved about realizing whether or not or not [LockBit] was nonetheless in our community, realizing whether or not or not we had vulnerabilities that wanted to be closed, after which determining how to attract out the negotiation lengthy sufficient to the place I had that time period the place they weren’t going to hit me once more. Sadly, I used to be working with an incident response vendor that wasn’t working for me. They had been working for the insurance coverage firm. So I wasn’t getting the solutions I wanted, and I wasn’t getting the visibility. I used to be topic to the instruments that they delivered to the desk and what they selected to be preferential with. And so I needed to take issues into my very own fingers.
That’s the place I obtained my very own community concerned. And I used to be, you already know, blessed to work at some superior corporations and know lots of people who had been completely satisfied to come back and assist a school in a troublesome spot. And so I used to be grateful that, you already know, we might descend on the faculty and put our experience to work using a few choose instruments that had been tremendous helpful as a result of we wanted to have the visibility. Proper?
Remediation technique: rolling credentials and securing the community
Greg Pollock (proper) and Nick Gicinto (left) outlining how William Jewell School fought off LockBit and reclaimed their programs.
GP: When you might have this lengthy checklist of vulnerabilities, as individuals usually report, do you undergo and attempt to pinpoint these and patch them separately, or do you utilize much less of a scalpel and extra of a sword to tear the server down after which simply put in a brand new one? How did you method the pile of labor to make it manageable?
NG: Nicely, you already know, in most incident response playbooks, once you take care of ransomware, the very first thing you do is you’re taking the whole lot offline, proper? So a minimum of we had the advantage of the truth that we had been already offline. It’s not like I’m going to tick anyone off by bringing in a software and doing one thing, proper? I had that profit. We had been making an attempt to get issues up and working.
However I begin with a risk-based method. What’s a very powerful factor that I’ve to guard, and what’s the more than likely approach to get at that? So we began fascinated by: how does any person get in from the skin? So that you take a look at the firewall, you take a look at the VPNs.
You understand, I assumed that each credential was compromised, so we simply flat-out rolled all of these. You understand, it was like Oprah, “You get a new password! And you get a new password!”
Constructing a sustainable safety program
GP: Alright. Let’s shift the timeline a bit. When you had been out of the disaster, how do you go about constructing a sustainable program? The know-how, individuals, and course of a part of it, however then additionally, how did this expertise issue into your method?
NG: Nicely, the factor that I valued probably the most within the midst of a disaster, which was visibility, can also be the factor that I search for to maintain me from moving into one other disaster. As soon as I established the instruments that would enable me to see outdoors, inside, after which to see our perimeter, I had a program that I might construct round. I might reply to what these programs had been telling us on a day-to-day foundation. I needed to construct one thing scalable and one thing sustainable with options that will assist me. I additionally relied on the experience of a few of my companions, as a result of I wasn’t going to have the ability to see the whole lot myself.
I additionally wanted any person who might preserve me knowledgeable and alert. You understand, all people thinks about, “Okay, have an endpoint detection response system, have it managed, use an MDR.” Proper? All that stuff is sweet. It’s sadly solely going to offer you part of the attitude of visibility. And if I solely relied on outsourced administration to inform me what was happening in my community, I used to be not going to have a full perspective as a result of they’re at all times so restricted, these distributors are so restricted in what they’re keen to do and what they’re keen to do to assist you. I actually wanted to have that possession of my very own program and be capable to use instruments that I knew every day had been going to offer me the knowledge I wanted in order that I might take motion that day.
Measuring cybersecurity ROI: talking CFO with information
GP: Sooner or later, you primarily want to have the ability to make the case to different individuals, whoever funds you, whether or not it’s the board or whoever it’s inside your group: “Here is why we need Tool X” or “We need personnel for Capability X.” How do you method describing the worth of safety when it’s not a disaster, to have the ability to get that assist and that funding?
NG: Yeah, in fact. I imply, each greenback issues, proper? It doesn’t matter whether or not you’re Tesla or whether or not you’re William Jewell. I had to make use of instruments that assist me to inform the story in order that I can clarify it to the individuals above me who management the finances. The CFO isn’t going to be technical. The place can they derive worth in ways in which they will perceive?
GP: So that you weren’t giving them the checklist of CVEs? Had been you giving them one thing else?
NG: I attempted that! It didn’t work. They weren’t keen to come back in and patch issues with me, so I ended sending them these each day. However to reveal ROI, significantly should you’ve not been attacked, is basically troublesome. How do you reveal the ROI of all the cash you make investments to not be attacked? Is it as a result of no one attacked you or since you prevented the assaults? Proper? It’s actually arduous to show that.
So what I seemed for had been different ways in which I might reveal a baseline of “Where were we at the point that we were attacked?” and I used that as my baseline. I used to be ready to herald instruments that would quantify and provides me information in order that every time that ransomware subject occurred, I knew this was the worst that our safety was at any given time. The instruments I introduced in would give me the flexibility to point out enchancment in sure methods, the place we might construct extra protections and cut back danger. However to quantify that towards the place we had been when the ransomware assault occurred was an effective way for me to point out, “Hey, we’ve got marked improvement in these areas, and oh by the way, we haven’t been attacked.”
GP: Proper. That is sensible. And that form of brings us to the top of the story, which was having the ability to get better, placing a program in place, and having the ability to measure the place you had been and your enchancment. Subsequently, with any additional funding, you could possibly level and say, “Hey, we have quantifiable improvement to validate that this thing I said was going to improve us actually did.” Actually return on funding.
NG: Yeah, completely. And now, year-over-year, and even quarterly, I can put collectively a abstract to say, “Hey, look, this is where we were in January, this is where we are now in April.” I’ve instruments that enable me to reveal precisely the place we’re on a graph. It’s numeric. They perceive that, particularly a CFO. Present them numbers, they usually’re of their completely satisfied place. And that’s how we run this system now: by utilizing third-party unbiased validation to inform us that we’ve made sure enhancements. And in addition, it’s good to say we’ve had zero assaults.
GP: Yeah, that’s good!
From Tender Goal to Resilient Enterprise
Nick Gicinto and William Jewell’s journey from a frantic move-in weekend in 2023 to a sturdy, sustainable cybersecurity program in 2026 underscores a vital fact for the trendy CISO: resilience and visibility are tethered to at least one one other in a number of methods. To be really resilient, you want to have the visibility to see the trail ahead, for you and your program. You additionally want the visibility to see what vulnerabilities you’re uncovered to and what you want to do to patch them.
As Nick demonstrated, the transformation from a delicate goal to a resilient enterprise requires three distinct shifts:
Possession over outsourcing: Relying solely on insurance-mandated distributors or free licenses creates blind spots that attackers thrive in.Radical visibility: Inside and exterior risk scanning are vital intelligence feeds that can help you spot threats shortly and reply to assaults in minutes, fairly than days. Talking the board’s language: Intensive lists of CVEs don’t resonate with CFOs and different executives who management the finances. Communicate their language and use quantifiable danger metrics and third-party validation to reveal ROI in a means they will perceive.
Whether or not you’re a small, liberal arts faculty like William Jewell or a worldwide enterprise, the aim is identical: enhance your safety posture and acquire the visibility wanted to trace the place you might be and what you want to do to get the place you wish to be.
This text initially appeared within the Might 2026 subject of The UpGuardian, a month-to-month publication devoted to cybersecurity storytelling. In case you like this story, subscribe to obtain future problems with the publication immediately in your inbox.
