Events for all Levels and InterestsStay
Jump Start Your Career GrowthStay
Get on the Higher Ed IT MapStay
Uncommon Thinking for the Common Good™Stay
What Every President Should Know About Cybersecurity
What Every President Should Know About Cybersecurity
At the VASCAN conference held yesterday at the University of Virginia, the President of James Madison University, Linwood Rose, observed that the typical president is not informed about information security and challenged the audience to "recruit and engage their institutional president" in the effort to create a culture of security at their institution. Below is a summary of his remarks:
- Use October, National Cyber Security Awareness Month, as an entre for discussion with your president and her or his cabinet
- Prepare a primer for your president that outlines your organization's reliance on information and networked technologies
- Help your president and institutional policy makers understand why policies are not enough - that action and leadership by example are necessary
- Create clarity and simplicity to your message; don't just share the problem but offer solutions
- Perform a resource audit to identify requirements and needs that you can clearly articulate and present
- Conduct awareness campaigns (citing JMU's R.U.N.S.A.F.E. program)
- Follow-up the meeting with the president; don't let the issue drop following a single meeting with the president and her/his cabinet
In case you are not familiar with Linwood Rose, he is also a member of the President's National Infrastructure Advisory Council so he has a unique appreciation for cybersecurity. Some of his thoughts are captured in a recent EDUCAUSE Review column on Leadership: "Information Security: A Difficult Balance"
The topic of Executive Awareness requires constant vigilance. In February of 2003, David Ward President of the American Council on Education, sent a Letter to Presidents urging them to:
Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
Alan Paller, director of research for the SANS Institute, followed President Rose's remarks by urging the IT professionals in the room to confront their executives with real data - preferably statistics indicating cybersecurity issues experienced at their institutions. Below are some questions that might help outline the content for that part of the conversation:
- Has your campus network ever experienced downtime that prevented email communications, access to your web site, or the availability of online resources?
- Has the personal information of your students, employees, or alumni contained in an institutional database ever been compromised?
- Has your institutional computing resources ever been misused by unknown third parties for malicious or illegal purposes?
- Has your IT department needed to clean up after a security incident or invest scarce resources in responding to the spread of a new computer virus or worm?
If you have not experienced any of the situations identified above, then you either have an excellent information security program already in place or you’ve been lucky! You can point your executives to stories of how colleges and universities across the country continue to fall victim to cyber security threats and vulnerabilities that have created urgency for institutional action.
Finally, if the Security Task Force were conveying messages to presidents today, similar to the letter to ACE President David Ward sent in early 2003, we might stress the following:
Encourage campus cyber security awareness events during October and support awareness activities and training of students, staff, and faculty throughout the year.
Assess your preparedness and determine the degree to which you have established an “information security governance” framework at your institution. (Note that an Information Security Governance Assessment Tool for Higher Education is forthcoming from the Security Task Force and will provide a method that will help you identify general areas of concern.)
Establish broad information security program principles and assign senior management accountability for information security. Empower your chief information officer, chief security officer, or the appropriate officer at your institution to address cyber security by giving them the authority and resources necessary to protect critical information assets. For an example of a policy in this area, see http://www.itpo.iu.edu/Resolution.html
Specify the information security metrics to be reported to you annually or at appropriate intervals throughout the year. A carefully chosen set of information security metrics for management reports of information security status will clarify to management what you consider important and on which you wish to be kept informed.
The Education and Awareness Working Group of the Security Task Force will be pursuing a project to equip campus security professionals and CIO's with the information and tools necessary to better engage their executive leadership. We welcome your suggestions and input (send comments to Security-Task-Force@educause.edu) as we pursue this task.