Security, Identity, Privacy, GRC
Information security is the #1 issue on the 2018 EDUCAUSE Top 10 IT Issues list for the third year in a row. This topic continues to dominate the yearly list because the higher education regulatory and threat landscape, as well as service delivery models, are changing rapidly, with increasing complexity. Information security and the topics that are closely associated with information security, such as privacy, identity management, and governance, risk and compliance (GRC), include both technology and business-process elements that transcend the IT department. There are few obvious, easy solutions for how to run institutional IT systems and protect the critical data contained in those systems in a way that complies with applicable laws and regulations; enables teaching, learning, and research; allows the seamless operation of business functions; and significantly reduces institutional risk.
This section covers the 14 trends and 22 technologies included in the security, identity, privacy, and GRC domain.[1] The two trends significantly influencing institutional information security posture—the complexity of security threats, and the increasing complexity of technology, architecture, and data—hint at the Gordian knot that institutions face. Moreover, the rather slow adoption of strategic information security technologies—only 1 of the 22 security technologies listed here is included on the 2018 Top 10 Strategic Technologies list—indicates that the knot will not be sliced quickly but rather will be painstakingly unraveled.
Trends
Included in this domain:
- Blending of roles and blurring of boundaries between IT and academic/administrative areas
- Campus safety
- Climate change
- Complexity of security threats
- Compliance environment
- Incorporating risk-management approaches into IT strategy and service delivery
- Increasing complexity of technology, architecture, and data
- Institution-wide data management and integrations
- Internet of Things
- Managing mobility (of people, data, institutional resources)
- National and global political uncertainty
- Strategic relationships with vendors
- Ubiquitous digital sources and streams
- Vendor relationships that bypass IT
Understand how the most influential trends are affecting your institution.
Two trends are influential at 61% or more of colleges and universities:
- Complexity of security threats
- Increasing complexity of technology, architecture, and data
Review the trends that are taking hold and address them at your institution.
Six trends are influential at 41–60% of institutions (listed below from highest to lowest level of influence):
- Institution-wide data management and integrations
- Compliance environment
- Campus safety
- Strategic relationships with vendors
- Incorporating risk-management approaches into IT strategy and service delivery
- Managing mobility (of people, data, institutional resources)
Understand these trends, and consider their possible role at your institution.
The influence of three trends is limited to 21–40% of institutions. Higher education is monitoring these trends with respect to emerging IT strategy and the deployment of security, identity, privacy, and GRC strategic technologies (listed below from highest to lowest level of influence):
- Blending of roles and blurring of boundaries between IT and academic/administrative areas
- Vendor relationships that bypass IT
- Ubiquitous digital sources and streams
The remaining three trends were of limited impact in our research:
- Internet of Things
- National and global political uncertainty
- Climate change
Technologies
Included in this domain:
- Applications of analytics to security (such as user behavioral analytics)
- Blockchain
- Cloud access security broker
- Cloud-based identity services (e.g., Duo, OneLogin, and PortalGuard)
- Cloud-based security services (e.g., Duo, Qualys ThreatPROTECT, and cloud-based e-mail security solutions)
- Content-aware data loss prevention
- Cryptocurrencies (e.g., Bitcoin)
- Database encryption
- DDoS prevention products and services
- DNS security
- End-to-end communications encryption
- Enterprise GRC systems
- E-signature technologies (e.g., DocuSign, Adobe Sign, and SignNow)
- Federated identity technologies
- Life-cycle contract management
- Location-based computing
- Mobile device management
- Next-generation firewalls
- Privacy-enhancing technologies (e.g., limited-disclosure technologies, anonymous credentials)
- Private-cloud computing
- SIEM (context-aware security)
- Threat intelligence technologies
Complete initial deployment and maintain these technologies.
Our research shows that about half of institutions are planning to deploy and maintain one security, identity, privacy, and GRC strategic technology:
- Next-generation firewalls
Pilot and start deploying these technologies.
At this time, about half of institutions are planning to pilot and deploy these five security, identity, privacy, and GRC strategic technologies (listed below from highest to lowest attention):
- Database encryption
- Federated identity technologies
- Mobile device management
- DDoS prevention products and services
- Cloud-based security services (e.g., Duo, Qualys ThreatPROTECT, and cloud-based e-mail security solutions)
Decide when these technologies fit your strategy, and start planning.
About one-half of institutions are watching these five security, identity, privacy, and GRC strategic technologies carefully, deciding and planning for potential future deployment (listed below from highest to lowest attention):
- E-signature technologies (e.g., DocuSign, Adobe Sign, and SignNow)
- Cloud-based identity services (e.g., Duo, OneLogin, and PortalGuard)
- Threat intelligence technologies
- End-to-end communications encryption
- DNS security
Learn about and track these technologies.
A majority of institutions are tracking and learning about the following 11 security, identity, privacy, and GRC strategic technologies (listed below from highest to lowest attention):
- Private-cloud computing
- Life-cycle contract management
- SIEM (context-aware security)
- Content-aware data loss prevention
- Applications of analytics to security (such as user behavioral analytics)
- Privacy-enhancing technologies (e.g., limited-disclosure technologies, anonymous credentials)
- Cloud access security broker
- Location-based computing
- Enterprise GRC systems
- Blockchain
- Cryptocurrencies (e.g., Bitcoin)
Peer Institution Approach to Strategic Technologies
Understanding what peer institutions (both current and aspirational) are doing can help you gauge whether your institution's current approach is on track or might warrant reconsideration. Some technologies are more relevant for some types of institutions than others. We looked at broad demographic categories, including Carnegie class, institutional size, and approach to technology adoption and found differences in attention score based on those factors. (See the methodology section for explanation of our attention score calculation.) In figure 11, the US mean is the average attention score for an item from all US respondents. The minimums and maximums are the lowest and highest average attention scores among all groups within the categories of Carnegie class, institution size, and timing of technology adoption, with labels indicating which group or groups returned that score. In the event of a tie, all tied groups are represented.
Preparing for the Future
Understanding the technologies that are most relevant for your institution and how fast a certain strategic technology may be growing is critical to institutional IT strategy. We estimated the pace of growth based on the percentage of institutions we predict will implement each technology over the next five years (by 2023). Figure 12 positions each technology in one of 12 cells based on institutional intentions (the "recommendation for today") and the expected pace of growth of that technology. Reflecting what was noted above, the figure shows that institutions are deploying many information security technologies and reviewing and tracking even more.
Note
1. Our rationale for including security, identity, privacy, and GRC technologies in one domain is that EDUCAUSE Core Data Service research shows that central IT information security departments tend to have responsibility for identity management, privacy, and GRC practices in most US higher education institutions. These technologies are referred to collectively as "information security technologies" in this report.