Over the past decade we've seen increasing executive interest in understanding risks, protecting privacy, and mitigating the impacts of cyber threats. As a result, a new range of positions have been added to the “C-Suite.” Chief information security officers (CISOs) have emerged as a way for organizations to amplify attention to these and other concerns. In the following article, seven experts from higher education will share their thoughts on “the most secure job on campus.”
In 1984, Willis H. Ware, an early pioneer of privacy and security, wrote an article for the predecessor of EDUCAUSE Review. In it he noted:
“Security and privacy issues are ones for top administrative levels of the educational community, not ones to be buried deeply in the administration, research or teaching hierarchy.”
Now, fast-forward 30 years to today. Can we look back at this passage and say, “mission accomplished,” or do we have more work to do?
The cliché of never-ending journeys is apt
There is no “mission accomplished” banner in terms of driving home the importance of security and privacy. That said, the rise of CISOs, CPOs (chief privacy officers), and similar roles in the organizational hierarchy of our institutions absolutely reflects some level of success. These endeavors are reported annually to the “top administrative levels” at the University of Michigan, including our executive officers and regents.
Signs of progress can certainly be found in well-crafted policies put forward by security and privacy officers throughout higher education. These policies often require attention and ratification from those at the top levels of university administration. Still, the CISO role is young and evolving, mostly operates below the CIO, and doesn’t routinely interface with boards or presidents’ councils, which suggests to me that security and privacy haven’t yet elevated to the level of Willis H. Ware’s vision. We still have a long way to go.
When I first started working in security, the CISO never ventured out of the central IT shop to meet with administrators. Fast-forward 10 years and you find that CISOs now commonly brief general counsel, risk management, and even the chancellor or president on security issues and situations. That is a marked shift in visibility and certainly demonstrates some changing attitudes toward security.
Given all the risks, how do you sleep at night? (Or perhaps, put another way, with all the things that could keep you awake at night, how caffeinated are you right now?)
Sleep doesn’t come easily! We are already behind the curve in the “information security race.” With the implementation of new technologies (without adequate risk assessment), outsourcing to the “cloud” (because it’s cheaper, faster, better), and the increase in “attackers” (from novice script kiddies to sophisticated, well-funded nation states), it’s a never-ending battle.
We are always a hair trigger away from an attack and breach.
It is increasingly important to ensure that everyone understands the risks that accompany any gains in convenience and productivity. The threat landscape keeps expanding, as do the vulnerabilities and, by extension, the skills required to maintain the integrity of our digital infrastructure.
I like my caffeine as much as anyone, but I like it a lot less when it is accompanied by a late-night incident response.
Ultimately, I think we’ve got to understand the risk we’re willing to accept as an institution. For priority risk and compliance issues, we simply have to understand the timelines we’re using to invest in the people, process, and technologies that can help us reduce our exposure.
Armed with an institutional understanding of our risks, we can all be caffeinated (or not) based on our own individual tastes.
You will not be facing the risks alone
You have to keep perspective — there are so many competing risks, and we have a finite pool of resources. This is why it is critical that security and IT risk are addressed at the C-level of the institution. If you maintain excellent relationships with your stakeholders, you will not be facing the risks alone.
The risk profile I’ve seen in higher education often requires us to take our lumps and carry on. In many cases, I’d relate our situation to canoeing in a wide river that is only knee deep. There is a lot of room to maneuver, and if you flip [your canoe], you can stand up, hang onto your paddle, and get back in.
How do I sleep? (When a potentially major incident is not occurring anyway ...)
Schools from every state have been affected in one form or another, and that's why organizations like HEISC (Higher Education Information Security Council) are so important. We can count on our colleagues to understand what's unique about higher education and share ideas, policies, and procedures.
That said, when I look at the chart above, I am content to be “losing” this rendition of the Michigan-Ohio rivalry. ;-)
Earlier in his article Ware also noted, “There is little to distinguish security and privacy issues on the campus from those of the private sector or government.” Do you think that still applies today? What are some key differences between the CISO role in an academic setting as compared to your counterparts in government or in large corporations?
Broadly speaking, we face the same challenges: protecting our “customer” data, protecting key IT systems, staying compliant with key regulations and industry practices, trying to stay ahead of attackers, responding to potential security breaches, etc. That said, there are also some key differences.
Higher ed is an extremely decentralized environment. It is also by definition and tradition an open network for discourse, research, and the sharing of ideas. As a result, CISOs need to be as much an ambassador and advocate of security and compliance as a provider of security and compliance tools and resources.
As a 2014 study from ECAR shows, we MUST be balanced in our approach, leveraging relationships with governance groups, actively engaging university leadership, and not being seen as a roadblock to the “business” of the university. It also might mean accepting more risk than our colleagues in other sectors.
Having worked for a number of years outside higher education, I’d like to echo many of Sol’s sentiments and chime in with some other observations.
As Sol noted, we’re often challenged to strike a delicate balance between risk and openness, or security and usability. Another axis: privacy. Higher education often goes to great lengths to protect the privacy of the groups it serves. Large corporations often want to hold large amounts of identifiable data about users’ behavior … data that can be sold or otherwise exploited for commercial purposes. In education, we have a much different relationship with our customers. Our conservative data collection and retention policies often counterbalance the risks we are willing to absorb by being so open.
Learn more about ECAR’s analysis of breaches in higher education.
As others have stated, the main difference in academia is the high degree of decentralization, along with the autonomy that accompanies independent funding. A research unit with large grants may often develop their own policies and procedures. They’re often granted the authority (expressed or implied) to set up their own technology infrastructure — independent of any oversight to ensure the security of those systems. As a result, we’re challenged to spend time and resources identifying ways to mitigate the risks they pose.
There is a fair amount of discussion and debate about where the CISO reports. What have you seen, what do you like, and what are some of the pros and cons?
The role of the CISO has changed dramatically. Ten years ago, the CISO (if there was a dedicated security role) dealt with enterprise systems and their security. We are now seen as a driver of security across the entire campus or system and as “risk managers,” particularly when it comes to compliance issues. In some cases I’ve seen the CISO report to their CIO and have a “dotted line” to the top risk executive. Regardless of the reporting structure, we’re being tapped to provide guidance on a range of issues.
“Is information security an IT function or is it a broader business function of its own?” I would answer, “It is both.”
A 2014 Gartner report by Tom Scholtz suggests a meta-trend in senior corporate security officials reporting outside IT. Some of the advantages in having the CISO report outside IT include an enhanced profile, greater authority, and influence — especially in decentralized and federated organizations. It would also change the perception that information security is “an IT problem.”
Conversely, the advantages of having the CISO report to IT include proximity to key infrastructure support (where most information is maintained during its life cycle) and the ability to be in close contact with functional groups from an operational, tactical, and strategic perspective.
I’ve happily reported to both the CIO and CTO roles in my career. In some institutions, the CISO is complemented by a cadre of more specialized data, privacy, and/or risk officers. At others, the CISO’s responsibilities encompass all of those duties. Still, there is nothing wrong with a more IT-independent CISO role that reports to general counsel or risk management.
In his article from 30 years ago, Ware also bemoaned the lack of a comprehensive body of knowledge about policies and best practices supporting security operations. How close are we to transcending that state? Can you talk about your own growth and professional development resources you’ve come to rely on over the years?
The number of standards and resources for information security has increased tremendously. SANS has continually expanded its cybersecurity courses and security awareness training. And industry-specific ISACs (Information Sharing and Analysis Centers) have increased both in number and activity. The REN-ISAC (Research and Education Network ISAC) provides valuable, vetted information to the academic community.
The EDUCAUSE Higher Education Information Security Council (HEISC) has been a leader in developing resources tailored for higher education institutions. Chief among them is the Information Security Guide, which provides a detailed matrix of effective practices from academic institutions that have been mapped to a range of information security standards. The EDUCAUSE Security Professionals Conference also provides an excellent forum to learn what challenges other institutions face and to network with peers to see how they are addressing their security concerns.
There is no predominant approach to managing governance, risk, and compliance in higher education. Analyses from CHECS, ECAR, and the Core Data Service help us contextualize approaches and right-size them for our own campus environments. I particularly appreciate the Information Security Guide and the annual security conference hosted by EDUCAUSE, which represents a great place to compare battle scars, share effective practices, and advance solutions that weave a common thread through the unique set of challenges often found in institutions of higher education.
I first relied on vendor training to support specific security technologies, moved on to SANS training, and now rely more heavily on both HEISC and the REN-ISAC to check my progress against my peers.
HEISC in particular has grown into a much more comprehensive body of knowledge specific to the needs of security in a higher ed environment. I believe the EDUCAUSE Information Security Professionals conference is the richest professional development available for me and my staff, with all the talks and panels directly applicable to higher ed. It’s particularly powerful to network with our peers and discuss the problems we are facing and how each institution tackles those problems.
In his 1984 article, Ware asserted that: “Educational institutions must commit to spending the resources needed to protect information processes which give it life; they must institute information policies needed to guide faculty, administrations and students.”
Any thoughts on the investments being made in information security?
Obtaining the appropriate level of funding, especially in the absence of a breach, is a constant challenge. We’re often in a position of exchanging some technical solutions for policy-based security.
As the chart below illustrates, and as the 2014 CDS Spotlight on Information Security reveals so well, there’s a stark difference between the funding that security receives in higher education and in other organizations.
That, combined with the fact that our organizations place a disproportionately high value on openness, creates conditions that can sometimes stymie the effectiveness of security programs. As the perceived value of big data and student analytics increases, we may find a lever for correcting the imbalance in funding we experience today.
The security office needs to practice three things to create a favorable environment for funding:
SURPRISE! You've just received an email from your president announcing a $1 million bump in your budget.
If your budget were to shrink and you could only implement one technique for improving security on your campus, what would it be and why?
Besides unplugging the Internet?!?! ;-) Seriously though, good security means defense-in-depth and a "layered" approach. Absent that, I would invest in the best incident response team I could.
If I could only use one system, I would keep our automated systems for updating and configuring our servers and personal computers because, as Superman would agree, invulnerability is the best defense. However, if you’re down to just one layer of defense, someone will find your Kryptonite before long.
I’d probably look to open-source solutions so as not to lose what Sol described above as a defense-in-depth layered approach. With those savings I’d hope to invest more in security awareness training.
People are still our weakest link.
I’m torn between two different approaches. One approach would be to implement a technical solution, such as a data loss prevention system that would keep unencrypted sensitive data from leaving our network. The second approach would be to invest in a robust, customizable information security awareness training program that would integrate into our authentication system and certification tracking system — and be mandatory for all faculty, staff, and students.
One final question: Ware noted, “There must be a national concern for providing adequate security protections in our public and private information systems and for attending to the new privacy issues that arise.” Looking forward, where do you think we’re going? What’s keeping you engaged and excited about the future?
What keeps me engaged and excited is the progress we’re making as an IT organization in moving the university toward an even more secure state. Funding will ebb and flow, and one has to be ready for that. The problems vary, but they make the job endlessly interesting — along with colleagues inside and outside the institution.
Privacy is built into the DNA of our universities, and I want to be a part of that push as we evolve and adapt our security policies and practices to protect both our systems and our users’ privacy. When Ware wrote his article, he likely didn’t realize how true his words would ring in today’s society of mass surveillance and state-sponsored data breaches.
The environmental conditions affecting privacy and security have changed considerably over the last 30 years. I recall in the ’90s we would etch our name and SSN on valuable items (such as cameras, cars, etc.) to help facilitate recovery if stolen. What used to be commonly shared information now is considered private.
On the other side of the spectrum, in exchange for online services people now share their innermost thoughts (overtly or inadvertently) online and with a worldwide audience. What was private then is now considered public.
We’ll need to remain vigilant and attentive to a continuum of new problems and solutions. It’s part of what makes this job so intriguing!
With 2014 turning out to be a banner year for breaches — Target, Home Depot, JP Morgan Chase, and a number of others — you can bet there is a lot of attention on information security. Our government also considers cybersecurity to be an important national issue, committing government resources, releasing the NIST Cybersecurity Framework, and increasing the availability of resources from the Department of Homeland Security.
Ware was prescient in pointing out the risks and tensions related to security and privacy in our current digital age. In 1984, the Internet, big data, Google, and cyber-terrorism were the stuff of sci-fi novels. The rise of the CISO in all sectors (private, government, higher ed) is a direct result of the concern for “providing adequate security protections in our public and private information systems.” And while privacy has lagged security, more people — especially students — now attend to “the new privacy issues that arise.”
What keeps me engaged from a security perspective is trying to meet increasingly complex challenges from determined actors. Like the Peace Corps slogan, "It’s the toughest job you’ll ever love."