As more institutions address the rising tides of information security threats, constrained budgets and a shortage of skilled information security professionals, higher education will witness many more new and inventive approaches to improving information security.
Information Security is a Priority, But Progress is Difficult
Information security continues to be a priority for IT professionals at many institutions. Both the data that higher education is entrusted to protect — from student data to research data and everything in between — and the populations that higher education serves vary widely. As a result, the challenges of information security threats and the increasing complexity of technology, architecture, and data continue to influence institutional IT strategy.
Yet, making progress can be difficult. According to EDUCAUSE Core Data Service research, in 2016 information security spending was roughly 3 percent of an institution’s overall IT budget spending, and there were only two central IT information security full-time employees (FTEs) per 10,000 institutional FTEs. These numbers have remained relatively static over time. In both 2014 and 2015, information security spending was only 2 percent of an institution’s overall IT spending and institutions had only one central IT information security FTE per 10,000 institutional FTEs. (Perhaps a doubling of this staffing number from 2014 to 2016 is indicative of a somewhat positive trend in addressing institutional information security concerns?)
One Size Does Not Fit All
In any case, the collision of resource constraints in both budget and staffing, a dynamic threat environment, and the increasingly complex higher education technology ecosystem has forced some institutions to look beyond the traditional information security approach of having an in-house security team lead by the institution’s dedicated Chief Information Security Officer (CISO).
Some colleges and universities, most of them smaller institutions, are finding success with untraditional and innovative approaches to implementing and expanding effective campus information security programs. The out-of-the-box solutions include institutions:
- Sharing a single chief information security officer
- Outsourcing information security services (think a virtual CISO)
- Using a shared belief system to improve information security best practices across all participating institutions.
7 Innovative Lessons for Implementing Information Security in Higher Education
As higher education institutions consider new and different approaches to improving campus information security programs, here are 7 lessons from institutions who have “been there, done that”:
1. Start with a Comprehensive Assessment
Before considering an innovative approach, start with a comprehensive assessment of your campus information security and risk posture. Know where you are and where you want to go.
2. Break Implementation into Projects
Parlay the information security risk assessments into a series of long-term projects designed to improve the information security program. Focus on achievable projects in the short term while building a long-term vision.
3. Right-size Outsourcing Opportunities
For outsourcing solutions, this list of projects can help you right-size the activities that are outsourced, freeing up campus information security and IT staff for projects that need on-campus expertise.
4. Deputize Support
No matter your innovative solution, deputize support from other IT staff and information security stakeholders. They are your most important advocates.
5. Identify Common Ground
For multi-institutional collaborations, identify the common ground that holds the institutions together. This is particularly important if your collaboration spans great geographical distance. That common bond will be important as challenges are identified and resolved.
6. Bring in IT Staff Early
Bring IT staff into potential collaboration discussions early. Doing so will help you better explore potential collaboration areas and help the IT leaders reassure existing staff that the collaboration is intended to strengthen current information security efforts, not replace them.
7. Involve Legal, Risk and Compliance
Involve legal, risk, and compliance counsel into any innovative solution conversation as early as possible. These professionals must fully understand the proposed solution from the beginning to adequately assess legal risk to the institution.
Additional Resources for Budget Conscious Schools
The Higher Education Information Security Council (HEISC) at EDUCAUSE has created a series of papers that provide advice for information technology leaders and managers tasked with developing and delivering institutional information security programs and services on a tight budget.
The three white papers in the series are:
- Building Resources on a Budget. Operating information security programs with scarce resources requires creativity and flexibility. This paper offers pragmatic, actionable ideas for building information security resources on a budget.
- Building Institutional Capability and Sustainability. To succeed and be sustainable, investments in information security programs and tools need a deliberate plan, especially in a resource-strapped environment. This paper offers strategies to build information security capability and sustainability within those constraints.
- Capability Roadmap. Budget-challenged information security programs often must be built from nothing. This paper shares resources on how to formulate a roadmap to create a justifiable information security stance.
As more institutions address the rising tides of information security threats, constrained budgets, and a shortage of skilled information security professionals, higher education will witness many more new and inventive approaches to improving information security.
This blog post was based on an article titled “Small Is Big: Innovative Approaches to Improve Institutional Information Security” published in the EDUCAUSE Review on June 18, 2018. The article was written by Vantage Technology Consulting Group Senior Consultant Joanna Lyn Grama during her tenure as the Director of Cybersecurity and IT GRC Programs at EDUCAUSE.