Skip navigation
Research Report

How to engage your campus in a security-first culture

We’ve long known that higher education institutions are vulnerable to cybersecurity attacks given their rich data sets and distributed and changing population of end-users. But recent movements to the cloud and the pandemic-induced transition to remote and hybrid work has expanded the perimeter that already-strapped IT units need to protect.

Cyberattacks have increased both in frequency and ferocity, leading to compromised operations, leaked personal data, multi-million-dollar losses, and even school closures. Now more than ever, IT leaders and their teams need the support of boards, cabinets, and the overall campus community to improve their institutional security posture and protect their institutions from devastating attacks.

Our recent executive roundtable, Developing a Security-First Campus Culture, offered CIOs the chance to collaborate and discuss ways to tackle these very challenges. Read on to learn about some of the roundtable takeaways that are most useful for institutions, or download the slides from the roundtable.

Download Session 1 Slides Download Session 2 Slides

 

Review the Key Takeaways

 

1. Three main challenges to building leadership commitment to enterprise-wide security

  • Security risks are not appropriately elevated

    IT leaders often struggle to get leadership to perceive cybersecurity as an institutional risk rather than an IT concern. This is partly because leadership often lacks sufficient awareness about the risks they need to weigh in on while the responsibility for action solely falls on the CIO or the CISO. As one CIO told us, “We lack a systematic way of involving non-IT leaders in assessing, accepting, or mitigating risks for the institution.”

    Institutions can address this issue by creating an enterprise-wide risk-assessment system where the highest-priority risks are proactively elevated to highest levels of leadership, including cabinets and boards, for mitigation or acceptance.

  • Leadership lacks decision-making preparedness

    When risks inevitably become incidents, leaders often lose valuable time and make suboptimal decisions because they are not adequately prepared. Organizing executive-level table-top exercises can provide cabinet leaders with the opportunity to flex their decision-making muscles prior to incidents.

  • Distributed stakeholders flout information security policies

    Finally, boards and cabinets can help CIOs protect institutions by empowering IT to enforce compliance with security policies across campus. At Virginia Tech University, the board clearly articulated in a resolution that the “vice president of IT has the full authority to establish and ensure compliance” with IT security policies and set the expectation that “departments are obligated to support” the vice president on IT’s security policies.

This resource requires EAB partnership access to view.

Access the research report

Learn how you can get access to this resource as well as hands-on support from our experts through IT Strategy Advisory Services.

Learn More

Already a Partner?

Partner Log In

Great to see you today! What can I do for you?