October 28, 2025
October is recognized as Cybersecurity Awareness Month, a timely reminder of the critical role security plays in enabling research and discovery. At the University of Chicago's Research Computing Center (RCC), high-performance computing (HPC) and data continue to drive innovation across disciplines. As research grows more data-intensive and collaborative, so does the need to protect our systems and data. Maintaining a secure and compliant research environment has become increasingly important, especially as federal agencies emphasize stronger cybersecurity standards. At the same time, researchers rely on openness, collaboration, and data sharing to advance science.
To explore how we can strengthen security without hindering research and collaboration, RCC's Kimberly Grasch spoke with Matt Morton, the University's Chief Information Security Officer (CISO), about the evolving landscape of research cybersecurity, how UChicago is approaching research security, what's changing, what's working, and efforts underway at the RCC in enabling research.
Tell us a little bit about yourself and your role as CISO?
I began as the CISO at the University in 2021. Prior to joining the University, I've worked in security leadership roles for more than 18 years. I enjoy the outdoors and flyfishing.
In my role, I set the tone for IT security on campus and provide the necessary tools. It is essential for all members of our campus community to utilize these tools, report any incidents or concerns, and comply with federal and other regulations.
I supervise staff in security operations, managing identity and access management, and overseeing governance, risk, and compliance. We assist the University in being prepared for and ready to respond to the inevitable security incidents.
Federal funding agencies are placing greater emphasis on cybersecurity standards for research infrastructure. What steps are you taking with the RCC to align with these evolving requirements without overburdening researchers?
The RCC and Office of the CISO collaborate closely to ensure research data and systems meet compliance guidelines while maintaining security and availability. We continue to partner on implementing security measures in a manner that will have minimal impact on researchers and how they conduct their work. Federal funding agencies are increasingly tightening cybersecurity standards. Proper data security protections must be in place to protect the reputations of our researchers.
In what ways have cybersecurity practices for high-performance computing environments evolved to safeguard research infrastructure while preserving the openness and collaboration essential to scientific advancement?
This is quite a juxtaposition-keeping it secure and having open science. Previously, attackers sought computing power, such as crypto mining. Now, there are those working with nation-state actors and organized crime, which makes securing systems more challenging. HPC infrastructure must have customized security solutions. When I worked for a previous institution, we had to implement multi-factor authentication to secure their systems. Implementing solutions such as multi-factor authentication is difficult, as it has to be done without disrupting automated workflows. This is an area we are still working on.
Security isn't just about technology; it's also about people. How can we help faculty, students, and research staff view cybersecurity as a benefit and a shared responsibility rather than a compliance requirement?
The key is for everyone to understand that they are a target. The many advancements in AI have also resulted in an increase in impersonation fraud. Attackers are targeting high-profile people. With the number of Nobel laureates at the University, gaining access to research data here would be of interest. Regardless of the type of research being conducted and the level of sensitivity of the data, an attacker could compromise its integrity.
As research becomes more data-intensive and collaborative, often within and across institutions and countries, what do you see as the most significant challenges and opportunities for securing HPC and research infrastructure in the next few years?
This is a topic I've been discussing with my peers at Ivy Plus meetings. We need a consistent security baseline for academic institutions. This common standard will make it easier for us all to provide researchers across institutions with easy, secure, and compliant access. Our work on the new identity management system will enhance the protection of the university while also improving the secure collaboration between institutions.
What are the most essential tips you can provide to the University research community regarding cybersecurity?
Know you are the target. Protect your identity. Protect your home network. The University provides tools, such as CrowdStrike, that are available for you to use on your personal devices. This is provided for your protection, and the University has no access to your personal information or devices through these tools. Also, be aware of phishing, which has been harder to spot due to AI. I recommend pausing and reading the message carefully, considering if the message makes sense and if the sender's email is accurate. I encourage you to use multi-factor authentication for your banking and retirement accounts.
As the conversation with Matt highlights, achieving secure research is not about limiting innovation; it's about enabling it responsibly. By fostering collaboration between researchers, IT professionals, and security teams, we can build a resilient and open research environment that supports discovery while protecting valuable data and resources.
Good cybersecurity isn't about locking things down; it's about building trust and resilience so that research can thrive safely. With all of us working hand in hand, UChicago is well-positioned to continue leading in both innovation and protection. For general and security training information, please visit security.uchicago.edu.
