Culture
Master of Confidence, Vigilance, and Ease of Mind: Meet Andres Andreu, SVP of Cybersecurity
Cybersecurity and education are both constantly changing fields. In just the last couple of years at 2U, we’ve moved from primarily supporting graduate degree programs to supporting lifelong learners throughout their Career Curriculum Continuum journey by adding boot camps, short courses, and even more learning opportunities to come. The need for a global cybersecurity leader—someone who could think broadly about the entire user’s journey and consider every department that internally supports those users in order to create a mutually safe environment, externally as well as internally—became more and more critical. So when I began looking for an SVP of cybersecurity toward the end of last year, I sought an agile leader who I knew could respond to the external influences and internal shifts our business is always undergoing. They also needed a huge appetite for curiosity; an inquisitiveness that extends beyond the role itself and into what everyone else at 2U does, too.
With Andres “Dre” Andreu, 2U landed a flexible and empathetic leader with an extremely high level of knowledge. Under his watch, I’m confident that students, faculty, and 2Utes will continue to learn, teach, and work in the safest and most resilient digital environments. I say this because the two of us go back pretty far, to when Dre interviewed me to work with him at The Princeton Review a little over 21 years ago. In 2000, we were tasked with building one of the first-ever Learning Management Systems, which is when I learned that Dre is a leader who people want to follow. It was an exciting but also challenging time to be working in education. Having Dre to collaborate with gave me and other team members a trampoline that we all needed to get to the next level.
It’s hard to pin down where Dre’s abilities come from. Maybe they’re from his days serving our country. Maybe they’re a result of his fluid Judo philosophy. (He has been competing since he was young and is a nationally recognized Judo coach!). But Dre’s leadership and cybersecurity skills really came to fruition on his career pathworking in law enforcement and the public sector, serving on education boards, and inventing commercial cybersecurity products around which he built his own company and even wrote a book. People just naturally felt safer and with a sense of purpose around him.
Dre has been on my team since January, and I’ve already seen so much progress and positive change. With October being National Cybersecurity Month, he and I recently got the chance to sit down and dig into the last nine months. Check out the highlights of our chat below. By the end, I think you’ll see why he’s one of the first people I’ll call if any of those dystopian “sentient tech” novels I’ve read ever come true...
Hey there, my friend. So how about we start with you explaining how you found your way into cybersecurity. Did you study it intentionally or was it more something you fell into?
It was definitely not intentional! I’ve actually reinvented myself a couple of times in life. Believe it or not, I started off as an Afro-Cuban painter and graffiti artist. But when I realized I didn’t have the specific social networking skills to make it in the art world, I went into what made the most sense for me next, which was federal law enforcement. I suppose I gravitated towards a security role because that mindset came naturally to me from my culture and upbringing. I grew up in New York, but I’m originally from Cuba, a Communist country where the walls are always listening. You grow up with this sense of paranoia and see the world through that lens.
I ended up on the tech side of law enforcement after a couple of years. When I was writing code for a living, I was always that guy asking questions like, “What if someone does this, will they break the app?” My superiors saw I had that intrinsic curiosity, so they kept dropping security responsibilities on me. I eventually ended up taking on those roles full time.
So how would you describe what an SVP of cybersecurity does?
At a high level, I’d say I help protect all that is 2U, which is an ecosystem that’s extremely complex and wide in scope. More formally, I’d say we develop and implement a cyber and information security program that covers elements that span from government-risk compliance (GRC) and resilience all the way to active protection of our users and partner-facing solutions. My team is one of the few at 2U that functions across the entire organization, which means we work hard at establishing consistencies with all of our internal teams and external partners.
In the immediate sense, my team provides a protected ecosystem that safeguards the transmissions of everyone’s exchanges. In the bigger picture, we offer ease of mind because students, faculty, and employees can focus on what's most important to them.— Andres “Dre” Andreu, 2U’s SVP of Cybersecurity
On that note, how do you support internal as well as external operations at 2U—our university partners, their students and faculty, etc.?
I came in to develop and implement consistent standards and practices across our entire operation, from our academic learning sites to the content engines that feed all of our delivery mechanisms. To me, it all comes down to maintaining confidence and instilling a vigilant mindset with our users. In the immediate sense, my team provides a protected ecosystem that safeguards the transmissions of everyone’s exchanges. In the bigger picture, we offer ease of mind because students, faculty, and employees can focus on what's most important to them, and not have to worry about the security of their daily efforts, assets, and interactions.
What are some of the greatest opportunities and challenges your team is working on these days?
I think the biggest opportunity we have is to really broadly and positively impact the overall security maturity of 2U. That’s incredibly important, because when a university considers partnering with us, one of the first things they do is give us these questionnaires to determine where we are on that spectrum. My small but mighty team helps a great deal on this front by strategically picking the areas to put our best efforts forth, such that the end result impacts the entire business. I’d say one of our biggest challenges continues to be unifying all of the different engineering teams across our lines of business. It’s happening, it’s just a lot of work!
What’s one of the most important lessons you’ve learned about leadership?
I’ve learned a very clear leadership lesson about failure: Learn from it and don't let it drag you down. Having practiced Judo and boxing since 1982, I know that everyone hits the mat at one point or another. The question is not just are you going to get up, but how are you going to get up? You can do so half-heartedly, but you'll reek of defeat and it's already over. Or you can get up and say, “Alright, I got knocked down, but let's keep going. I don’t care what happens, but you’re not going to bring me down.” That positive attitude is something I learned as a kid fighting, and I brought that into my professional world. Now I’m not afraid to fail—and anybody who tells me they've never failed, my response is, “Well, then you’ve probably never done anything.”
Wow, what an incredible mindset. For people considering following in your footsteps into the cybersecurity field, what other practical advice or insight would you give them?
Pick a specialization in this field and pursue real depth of knowledge within that space—and then accept nothing but the best you can be in it. No one can take depth of knowledge away from you, and you can take it everywhere you go. All the security-centric code I’ve ever written in my life? It’s still with me. I know my stuff. Also, do not become a buzzword-compliant slick talker who speaks a lot but in the end says nothing. One buzzword right now is “zero trust,” for example. If you mention that term, you better be ready to explain it and use it in the proper context.
We’ve talked about how you got here. Now, let’s dig into why you are staying. What is it about 2U’s mission that inspires you?
Education is the key to a better life. My family came to this country seeking freedom and a more empowered existence. I’m an immigrant, and people like me historically haven't had access to quality education. I know what that struggle is like in terms of everything being an uphill battle. I made things happen for myself—I had four kids, a full-time job, a marriage, and a house—but I still had a dream to finish my bachelor’s degree. Distance education allowed me to do that while I was working at The Princeton Review; I didn’t have time to go to a physical classroom otherwise. So the value of 2U instantly resonates with me. If I can help anyone else who’s in a position like I was in then, I’m all for it.
That’s amazing. So October is Cybersecurity Awareness Month. How about we end with a “tried and true” cybersecurity best practice that many people might not be aware of, but should be?
Sure thing. So, weak or stolen passwords are used in 81% of hacking-related breaches, which means creating a strong passphrase is one of the best ways to protect yourself, your data, and your systems. But even a 16-character passphrase can be cracked in under a day if it’s not carefully crafted. So avoid using words and phrases that relate to you personally like your name, birthday, or favorite song lyrics. Also avoid common idioms such as “the best of both worlds” or “when pigs fly.” Everyone should check out this list of 10,000 most commonly used passwords for specific words to avoid. At 2U, everyone uses a password management system that stores all of their usernames and passwords in a secure, encrypted vault; it also has a built-in feature that will generate random passwords for you.
Other key tips? Choose a different passphrase for every single account, use multi-factor authentication, watch out for social engineering schemes where people may try to get you to share personal credentials with them, and most importantly: Don’t share your password, or work computer, with anyone. That includes your most trusted friend, coworker, family member, or spouse. “Keep it secret, keep it safe!”