Marc Scarborough, Rice University’s Chief Information Security Officer, is a technologist at heart whose passion for computers began as a hobby in the 1990s. Since joining Rice in 1998, Marc has spent 27 years evolving with the institution’s technological landscape. Starting as a consultant and division representative for the schools of engineering and natural sciences, he supported Windows, Linux, and Macintosh systems. By 2000, he was promoted to manage a team overseeing central campus resources, laying the groundwork for Rice’s cybersecurity efforts.
When Marc first started at Rice, the university had no formal security program, except for the early Computer Incident Response Team, which represented the Windows platform.
“Training for incident response sparked my interest in cybersecurity,” he recalls.
“Understanding how attacks worked and how to investigate them was fascinating.”
Between 2004 and 2005, federal regulations prompted Rice to designate an Information Security Officer, and Marc stepped into the role. His initial focus was on writing security policies, building secure frameworks, and launching initiatives, such as participating in the university’s first credit card compliance committee.
In the early 2000s, Marc tackled issues like copyright violations, often tied to music-sharing on hacked systems. “Back then, attacks were more juvenile compared to today’s sophisticated cybercriminal enterprises,” he notes. Cybersecurity has since transformed from an IT-specific concern to a campus-wide issue affecting personal information, payroll, and more. “In 2005, phishing wasn’t a household term. Now, most people know what it means, even if they don’t always spot it,” Marc says.
To Build Awareness
To build awareness, Marc’s team has leveraged National Cybersecurity Awareness Month, which took place last month in October, by hosting programs, focus groups, and training sessions. The Information Security Office delivers timely email updates, newsletters, and structured training to meet the community where they are. “Our goal is to demystify cybersecurity and reduce fear,” Marc explains. “It’s rewarding to help people navigate complex threats and feel safer reaching out to us, even for personal cybersecurity concerns.”
One emerging challenge is the responsible use of AI to prevent cyber threats. Marc notes that AI has made phishing attacks more sophisticated, with better grammar and targeted messaging based on publicly available data. “Attackers use AI to craft emails that feel personal and urgent, triggering emotional responses,” he says. Deepfakes and AI-driven research tools also enable more precise attacks. To stay ahead, Marc encourages skepticism: “If something feels urgent or unexpected, pause and verify. That’s the best defense for non-experts.”
Rice’s approach to detecting, responding to, and recovering from breaches is robust. The Information Security team uses advanced tools to monitor for common attack methods, flagging attempts, successes, or further actions. Community reports of phishing or suspicious activity are critical, supplementing technological alerts. “We get thousands of alerts weekly, but only a small percentage require action,” Marc explains. When an issue arises, the team conducts internal triage, escalating to the campus Incident Response Team if needed. For significant incidents, external partners, insurance providers, or the crisis management team may be involved. The process includes containment, recovery, and an after-action report to assess what went well and what can improve, ensuring compliance with federal reporting requirements.
Looking Ahead
Marc is excited about the upcoming initiatives. On August 15, 2025, Rice launched WhooRU, a new identity governance platform replacing MyNetID.rice.edu. This update streamlines onboarding by tying access to roles and job functions, ensuring new hires get the resources they need quickly. Another project is a cloud-based research cybersecurity platform to support high-security research, opening new opportunities for Rice’s academic community.
Marc’s message to the Rice community is simple: “Stay vigilant. Cybersecurity is everyone’s responsibility. If something feels off, report it to us at iso.rice.edu. Any suspicious email can also simply be forwarded to phishing@rice.edu.” By fostering trust and collaboration, Marc and his team are committed to keeping Rice’s digital environment safe and empowering the community to thrive with confidence.
