Security leaders in institutions of higher education face unique challenges, as they are charged with keeping data and the network secure, while also allowing for a culture of openness, sharing, and communication—all cornerstones of the academic community. And depending on the college or university, concerns such as tight budgets and staffing shortages can also make running a successful security program difficult. So how do CISOs get their boards to invest in higher education cybersecurity?
In the second part of our series of posts about CISO communication, we look at the considerations and skills required for presenting to the board on higher education cybersecurity, including which tactics will increase their understanding and financial support.
This month, I asked David Escalante, Director of Computer Policy & Security at Boston College and a veteran information security leader, for his perspective on what it takes to advocate for security in this environment.
What unique challenges do CISOs/security managers working in higher education have that differ from their peers in the public sector?
Many large universities are best thought of as small cities. Frequently, an organization is able to focus on a few products, or a range of products in its given industry space. Because of the diversity of things a university does, the variety of software and hardware required to run everything is huge, and this, in turn, means that security teams are stretched thin across all those systems, versus being able to focus on a smaller number of critical systems.
University environments have a culture of openness, and that can conflict culturally with a least privilege or zero trust security model.
Without getting into detail, risk trade-offs in higher education aren't as well understood as in many other sectors. And because of the diverse systems alluded to above, balancing those trade-offs is complex.
What do education CISOs need to keep in mind when they communicate with either the board or other governing bodies in their organization?
Boards in education, in non-profits, and for state entities don't tend to have the same makeup as public company boards do. For a non-profit example, think of the opera company whose board members are the big donors. As a result of this, we've noted that the "standard" templates for cybersecurity communication with the board tend not to strike the right notes, since they're pitched for a public company board made up largely of senior corporate officers. So don't just go "grab a template."
The trend we've seen, advice-wise, of "tell the board stories" seems to resonate better than, say, a color-coded risk register. The scope of the systems running at a big university that need to be secured, plus the board's limited detailed knowledge, makes substantive conversations about specific security approaches difficult. It's better to highlight things both good and bad than to try to be comprehensive.
It's very hard to balance being technical or not. Use a mix. On the one hand, board members have probably read about ransomware bringing organizations to their knees, and may even have read up on ransomware to prep for the board meeting, and will expect some technical material on the subject. On the other hand, almost all board members will not be technical, so overdoing the technical component will lose them.
Don't directly contradict your own management chain—if you've asked for more staff and haven't gotten it, don't ask the board for it.
What other advice would you give higher ed CISOs when it comes to communication?
On the non-board management side, if you aren't already, it's time to emphasize that security is everyone's responsibility. The days when you could "set and forget" antivirus and be secure are long gone.
Now social engineering and credential theft are rampant, and management is consuming information on personal mobile devices. Non-IT management needs to be clear that securing campuses is a team effort, not just an IT one.
At BC, we have been having the CIO, versus the security team, communicate personally with senior management a couple of times a year on specific cyberattacks we've seen to emphasize that they need to be vigilant partners, and not to assume that IT will catch all threats in advance.