Ivy League CISOs to Watch: The Leaders Protecting America’s Most Storied Universities

The eight Ivy League universities collectively hold some of the most sensitive data on earth: classified defense research, clinical records, centuries of institutional knowledge, and the personal information of hundreds of thousands of students, faculty, staff, alumni, and patients. Their CISOs operate at the intersection of academic openness and strict regulatory compliance, balancing the research university’s foundational commitment to collaboration with the operational demands of protecting assets that nation-state actors, ransomware groups, and opportunistic attackers all find worth targeting. This feature covers all eight.

Michael Tran Duff — Chief Information Security and Data Privacy Officer, Harvard University

Michael Tran Duff has served as chief information security and data privacy officer at Harvard since May 2022, balancing privacy, security, usability, regulatory obligations, and academic freedom across one of the world’s most recognizable research institutions. Before Harvard, he spent more than eight years at Stanford University as associate CISO, interim chief privacy officer, chief privacy officer, and ultimately assistant vice president and CISO, establishing Stanford as a leader in applied cybersecurity and building its privacy program from the ground up during two separate tenures. Before Stanford, he spent more than eleven years at SRI International as director of IT, with full responsibility for all aspects of SRI’s network, server, application, and workstation security across a research institution whose work spans national security, health sciences, and advanced technology. He began his career as a visiting instructor in computer science and network security at Miami University and as a consultant running a firm specializing in high-security healthcare intranets. He serves on the supervisory committee of Stanford Federal Credit Union, on the board of the Bay Area CSO Council, and previously served as a board committee member at SLAC National Accelerator Laboratory. That career arc across SRI, Stanford, and Harvard, three of the most research-intensive institutions in the world, reflects a security leader whose entire professional life has been spent protecting organizations where the intellectual output itself is the most sensitive asset.

Jeremy Rosenberg — Assistant Vice President for IT and Chief Information Security Officer, Yale University

Jeremy Rosenberg has served as AVP for IT and CISO at Yale since November 2023, having previously served as Yale’s CISO since November 2021. He leads a 120-person workforce across security, network services, enterprise storage, and cloud operations, and serves as the primary advisor to university leadership on information risk across academic, research, clinical, and cultural heritage missions. Earlier at Yale, as director of security infrastructure, he led a $5 million endpoint detection and response initiative deploying security software across more than 25,000 laptops and servers, produced multi-year roadmaps aligned to the NIST Cybersecurity Framework, and built an executive incident response team. Before Yale, he spent nearly two years as CISO at UC Berkeley and before that nearly four years as manager of CalNet identity and access management, and nearly ten years at Simon Fraser University in identity and access management leadership. He also served on the board of the Apereo Foundation. His career is anchored in identity and access management, a discipline that sits at the foundation of how a research university controls who can reach what data, and his progression from IAM practitioner to university CISO reflects how deeply operational technical knowledge informs his governance approach.

Donna Tatro — Chief Information Security Officer, Princeton University

Donna Tatro has spent thirty-one years at Princeton University, beginning in various management roles in the Office of Information Technology before becoming director of enterprise infrastructure services, then associate CIO for enterprise infrastructure services in 2014, overseeing networking, virtual and cloud platforms, storage, backup, identity management, collaboration systems, and data centers. She served as interim CISO from March 2025, and was appointed CISO effective March 23, 2026, after guiding a series of initiatives that strengthened Princeton’s cybersecurity foundation, including expanding security awareness across campus, establishing regular risk assessments and policy reviews, enhancing incident response and recovery capabilities, and strengthening protections for digital identities and sensitive data. Before Princeton, she spent ten years at Cornell University as assistant director for user services and departmental computing. Her appointment reflects an institution choosing to elevate its most knowledgeable insider rather than recruit from outside, and Princeton’s CIO described her as someone who has “quietly provided technical leadership and oversight of campuswide cybersecurity” across her entire thirty-year tenure there.

Medha Bhalodkar — Chief Information Security Officer and Enterprise IT Risk Officer, Columbia University

Medha Bhalodkar has served as Columbia University’s first and only CISO since 2006, building the security and risk program from the ground up across an institution that now spans 17 schools, 10 global centers, and more than one million identity and access management accounts. Her responsibilities include IT policies, data protection, cybersecurity, IAM, enterprise IT risk management, and governance, and she chairs the IT Security Council and co-chairs the IT Leadership Council with the CIO. Before Columbia, she spent nearly three years as IT audit supervisor and project manager at the Depository Trust and Clearing Corporation and nine years as data center and IT audit manager at Banco do Brasil. She is the 2020 recipient of ISACA New York’s Wasserman Award for outstanding achievement in information systems audit, control, security, risk management, and governance, and has been recognized as a top global CISO by Cyber Defense Magazine, a Woman in Security by Security Magazine, and Global CISO of the Year by EC-Council. She holds CISA, CGEIT, CRISC, and ITIL certifications and an AMP from Columbia Business School. Nearly twenty years as a university’s founding CISO is a tenure that few security leaders anywhere can match.

Nick Falcone — University Chief Information Security Officer, University of Pennsylvania

Nick Falcone has served as university CISO at Penn since October 2018, where he is accountable for information security outcomes across the entire institution. Before Penn, he spent three years as CISO and chief privacy officer at Einstein Healthcare Network, where he established a five-year security program maturity roadmap, presented regularly to the board of directors on risk appetite and mitigation strategies, and successfully responded to Office of Civil Rights inquiries. He also served there as interim CTO with responsibility for a team of more than 40 and a budget of more than $15 million. Before Einstein, he served as director of IT security and compliance at Thomas Jefferson University, and began his security career as a security engineer at The Children’s Hospital of Philadelphia. That career, built entirely in healthcare and higher education security across the Philadelphia region, gives him a grounded understanding of the regulatory complexity and mission-driven culture that define security leadership at a major research university with clinical operations. He also serves as secretary of the board of Helping Through Hockey, a charity supporting survivors of intimate partner violence.

Mark Dietrich — Chief Information Security Officer and HIPAA Security Officer, Brown University

Mark Dietrich has spent nearly twenty-nine years at Brown University, starting as a system administrator in 1997, moving through systems manager, senior systems manager, director of information technology for the Computer Science department, director of IT security, and stepping into the CISO role in July 2021. He also serves as Brown’s HIPAA security officer. That nearly three-decade progression inside a single institution reflects a security leader whose understanding of Brown’s systems, culture, and risk environment has been built through direct operational experience at every layer. His responsibilities include university-wide information security architecture, security compliance and risk assessment, security awareness programs, and direction of the Information Security Incident Response Team. His profile is a clear example of what patient, ground-up security program development looks like at an Ivy League institution where the CISO knows every corner of the environment they protect.

Robert Edamala — Chief Information Security Officer, Cornell University

Robert Edamala has served as CISO at Cornell University since October 2019, having previously spent seven years as CISO at the University of Texas at Arlington and sixteen years at Temple University across director of information technology and university privacy officer roles. His higher education security career spans more than two decades across three universities, giving him a cross-institutional perspective on the regulatory obligations, research security demands, and open academic environments that define the sector’s security challenge.

Thomas Nudd — Chief Information Security Officer, Dartmouth College

Thomas Nudd joined Dartmouth College as CISO in January 2026, bringing a background built across thirteen years at Liberty Mutual and nearly five years as CISO at the University System of New Hampshire. At Liberty Mutual, he progressed from business analyst and information security analyst through principal information security analyst, technologist, and director of cybersecurity engineering, building deep enterprise security capability across one of the largest insurance companies in the country. At USNH, he led the enterprise cybersecurity, network, and infrastructure teams across five institutions including the University of New Hampshire, Plymouth State, and Keene State, serving approximately 32,000 enrolled students annually. He also served on the board of the Northeast Research and Education Network, a consortium connecting New York and New England research and education institutions. That combination of enterprise insurance security engineering and multi-institution higher education CISO experience gives him a grounding in both operational security depth and academic environment governance that is directly applicable to Dartmouth’s needs.

Eight Schools, One Shared Mission

What distinguishes Ivy League security leadership from most other higher education security work is the scope and sensitivity of what is being protected. These institutions hold classified research, clinical data, cultural heritage collections, and the intellectual output of some of the most consequential academic work in the world, across campuses that have operated for centuries and are targeted accordingly. Several of the leaders in this feature have spent their entire careers inside the institutions they now protect. Others arrived with decades of enterprise security experience that they are now applying to one of higher education’s most demanding environments. In both cases, the mission is the same: protect what makes these institutions worth protecting in the first place.
