How to engage your campus in a security-first culture

IT leaders often struggle to get leadership to perceive cybersecurity as an institutional risk rather than an IT concern. This is partly because leadership often lacks sufficient awareness about the risks they need to weigh in on while the responsibility for action solely falls on the CIO or the CISO. As one CIO told us, “We lack a systematic way of involving non-IT leaders in assessing, accepting, or mitigating risks for the institution.”

Institutions can address this issue by creating an enterprise-wide risk-assessment system where the highest-priority risks are proactively elevated to highest levels of leadership, including cabinets and boards, for mitigation or acceptance.

When risks inevitably become incidents, leaders often lose valuable time and make suboptimal decisions because they are not adequately prepared. Organizing executive-level table-top exercises can provide cabinet leaders with the opportunity to flex their decision-making muscles prior to incidents.

Finally, boards and cabinets can help CIOs protect institutions by empowering IT to enforce compliance with security policies across campus. At Virginia Tech University, the board clearly articulated in a resolution that the “vice president of IT has the full authority to establish and ensure compliance” with IT security policies and set the expectation that “departments are obligated to support” the vice president on IT’s security policies.

Ohio State University provides the option to end-users to take trainings as if it’s a game, on their own time and pace, across the year using the Cybersecurity4You platform. Users earn points for completing training, and those points help them achieve up to five levels, which translate to rewards ranging from charitable donations to digital subscriptions.

InfoSec teams from Arizona State University connect with individual departments to discuss their units’ specific business needs and the types of training messages that will resonate best with their units.

One of the best examples comes from Barry University, where their president sent an email out to all instructors and staff in summer 2021 announcing the new annual security training policy, and communicated clearly that if they fail to comply, they will have their network access suspended until the course is complete. They also ensured everyone carve out time for the trainings by allocating an additional “summer half-day” to all instructors and staff as an incentive for doing the trainings.

Fairfield University recently saw a dramatic decrease in their failure rate by the tenth month of conducting monthly self-phishing campaigns, despite sending out more sophisticated phishing emails.