National Cybersecurity Awareness Month is upon us and as Chief Information Security Officer at EAB, I look forward to this month all year. It’s a time to have conversations across a broad spectrum of audiences in the spirit of education and continuous improvement. It’s also a chance to initiate meaningful conversations with leaders beyond IT about how to build a community that is more resilient to cybersecurity threats—especially in the context of improving data protection and security practices as part of broader data strategy efforts. Below I’ll outline why cybersecurity is critical to the mission of higher education and offer guidance for how to discuss cybersecurity with your students, colleagues, and boards.
Cybersecurity is imperative to the mission of education
One of the things that I valued the most about my time in higher education (at both University of Maryland, College Park and The George Washington University) was the sense of community. On a typical college campus, you’ll find people of all backgrounds, ages, and ethnicities, all united for a singular purpose: to drive progress in our world through scholarship and research. When we think about cybersecurity and why we spend time and money to implement security processes, tools, and technologies on our campus, we do so with this purpose in mind.
Unfortunately, this purpose is under threat from cybercriminals like never before. The most recent waves of ransomware (malware that holds data and systems hostage until a ransom is paid) have disrupted classes and operations at a time when campuses are already under unprecedented pressure due to the COVID-19 pandemic. The most recent example of this occurred just 15 minutes from EAB’s corporate headquarters, at Howard University. Despite its best efforts to respond to this incident, the university was forced to cancel in-person and hybrid classes for multiple days as a result of the attack.
How to address cybersecurity with your students, staff, faculty, and board
Students: Engage your most frequent users
I haven’t been a student in a long time, but I have always been a passionate advocate for creating opportunities for students to contribute to IT and security programs on campus. Our students live in campus housing, eat in the dining halls, connect to campus WiFi, and use our technology systems. They know campus computing better than anybody else because they live it every day. A good question to ask yourself as a campus leader is, “how are we engaging students to help solve our most challenging problems?”
As a byproduct of engaging students, you can gain insights into how IT services are working for them and how pain points or frustrations could be leading to risky workarounds. Getting this first-hand perspective can help leadership formulate proactive approaches to building good security practices into new and existing IT services. And of course, students are almost always willing to contribute when there’s free pizza involved.
Faculty and staff: Build accountability to protect their vital work
One of the most unfortunate conversations I’ve ever had to have as a CISO was with a longtime faculty member who was the victim of ransomware. She had 45 years of research on her personal computer, no backups, and lacked the technical acumen to completely understand what had happened. Unfortunately, this was far from an isolated incident. Many faculty members believed using their own equipment was advantageous compared to using university-owned equipment. But by going it alone, they put themselves and their data at risk.
Incidents like this can be avoided if faculty and staff use the tools and resources provided by the university. Resources like VPNs, cloud storage, and computers equipped to detect security threats are made available to faculty and staff to enable them to do their work without having to worry about downtime or data loss. But a lack of governance and accountability can create an environment where standards can’t be enforced, and IT becomes more disparate and unmanageable. These conditions make security incredibly challenging, even for a well-funded, large campus security team.
Enforcing standards reduces complexity, saves money, and improves security. For this to happen, campus leaders need to create enforceable policies, enforce them, and hold faculty and staff accountable. I promise you: if you do it right, academic work should not be impeded by these standards.
The Board: Demonstrate the value of security investments
Every Board has its own unique set of concerns and its own risk appetite. It’s likely that your Board has already been briefed on cybersecurity at some point, but if they haven’t, make sure to discuss these key points:
- Your organizational readiness to respond to and recover from a cyber incident
- How security investments are enabling the institution to meet strategic objectives and compliance requirements
- Major strategic initiatives and/or investments, including any technology that will enable research and how security investments will contribute to grant opportunities
What else might your board want to hear about? Ask them directly. Given what is going on in the world and at other institutions, it’s likely that they have questions. Give them the information they need to understand the threats you face and the actions you’re taking to manage them. A good way to express this is in the form of Objectives and Key Results (OKRs). When done well, OKRs should be easy to understand and allow you to show quantitative progress against these objectives over time. This is also the best way to show that investments are paying off or that new investments are needed to counter emerging threats or gaps.
Sustain forward momentum through collaboration
As is the case in all complex and diverse organizations, everyone needs to work together to overcome challenges and make progress. While challenging, good cybersecurity practices on a college campus are attainable. With effective governance, communications, and accountability, any institution can put the odds more in its favor. And that’s the point. Cybersecurity cannot be “solved.” No application, network, or system will ever be 100% secure. Fortunately for us, perfection is not the goal. We all have a part to play in making it more difficult for cybercriminals and other malicious actors to meet their goals. In doing so, we take deliberate steps to keep our institutions online, operational, and out of the news, so we can focus on the priorities and objectives that can change lives, and the world, for the better.
So, happy National Cybersecurity Month! Using these tips, I hope you’re able to have meaningful conversations with campus leaders this month.