Wouldn’t it be great if there was an app for security awareness? Unfortunately, there’s no quick fix for building a strong security culture on campus. Despite the critical role each member of your campus plays in defending against cyber threats, many institutions struggle to create programs that effectively engage their campus communities. Too often, security awareness gets overshadowed by the demands of security operations, policy, and compliance.
But with the right approach, security awareness can become a strategic pillar of your institution’s information security program. Let’s explore a few practical steps you can take to elevate your program from reactive to proactive—making security awareness a year-round priority.
The State of Security Awareness in Higher Ed
All higher education institutions have a lot on their plates. With competing priorities for IT teams, it’s no wonder that security awareness sometimes gets sidelined. This often results in a reactive, project-based approach that peaks during Cybersecurity Awareness Month in October and gradually loses steam. And while some schools have policies requiring annual training, enforcing them can be challenging. The bottom line: without a strategic, year-round, multidimensional program plan, your awareness efforts are likely to fall short.
Common Challenges and Opportunities to Mature Your Program
If any difficulties of these sound familiar, don’t worry—we’ve seen security leaders across the country struggle with these issues. You’re not alone, and none of them are insurmountable.
Lack of Influence
Without executive support, it’s difficult to enforce training and obtain necessary resources. Buy-in from campus leadership sends a clear message that security is a top priority for administrators, faculty, staff, and students. Some schools collaborate with campus leaders to mandate annual training, demonstrating the importance of security awareness. Others leverage program assessments, risk assessments, or tabletop exercises to engage leadership and educate them about strategies to reduce risks such as reputational damage, data breaches, or compliance fines.
How you engage with executive leaders to prioritize security awareness and provide visible support will depend on your campus culture, but demonstrating how security awareness supports broader institutional goals like student success, operational resilience, or community engagement can lead to investment in future efforts.
Lack of Formal Planning
While many colleges and universities have an information security program, they often lack formal planning, resulting in disjointed and ineffective awareness programs. Resource constraints—such as limited budgets, staffing, and time—compound the issues and can cause security awareness efforts to be deprioritized. For schools with limited personnel, security awareness activities can be quickly set aside and forgotten about. For decentralized institutions, inconsistencies in approaches across different departments can also lead to fragmented approaches or mixed messages about security.
To address these challenges, create clear, unified roadmaps. Identify at least one dedicated team member to manage the security awareness program and leverage existing resources to maximize impact with minimal effort. Having a plan, a team lead, and ready-made campaign materials available will lead to a more consistent and effective approach across the institution.
Limited Integration Into Campus Culture
Even with an established plan for a security awareness program, some institutions still struggle with limited integration into the campus culture. Security often feels like an afterthought rather than a core priority.
Integrate security training into key processes, such as new hire onboarding and student orientations, ensuring that everyone receives essential information from day one. Ongoing education throughout the year is also critical to ensure security awareness remains a continuous effort rather than a one-time event. Leverage National Cybersecurity Awareness Month in October, Data Privacy Week in January, and campus-wide events (health and wellness fairs, career fairs, Earth Day, local festivals, etc.) to provide continuous outreach and keep security top of mind for everyone.
Resistance from Other Departments
Security initiatives may not be viewed as a priority across campus. Each department or functional area has its own strategic priorities, and addressing security risks can be overlooked.
Start by identifying departments open to collaboration. Build a coalition of champions or ambassadors who can rally support by promoting security awareness and sharing tailored communications with their teams. Empower them to deliver messages that resonate with consistent goals, instructions, and expectations.
Build bridges with faculty, staff, and students to make cybersecurity discussions more relatable. The time and effort invested in nurturing these relationships can have a great impact.
Finally, offering targeted training by department or role is crucial. While it’s essential to start with consistent security guidelines, tailoring the training for specific groups—such as faculty, staff, students, and privileged users—ensures relevance and engagement. Customizing the approach to accommodate different learning styles and needs will enhance participation and retention, helping to build a stronger security culture across campus.
Ineffective Communication
Too many people think “It won’t happen to me” when it comes to security threats. To combat complacency, get creative with communications to avoid message fatigue and information overload while demonstrating how security threats can impact people in their professional and personal lives. Mixing up communication methods and collaborating with various departments (like Marketing and Communications or student workers) can help strengthen outreach strategies and create messages that resonate. Use diverse channels including social media, email, posters, podcasts, or community events to keep security top of mind.
There is no need to reinvent the wheel. Existing awareness campaign resources can be a valuable starting point for crafting effective communications, and leveraging AI tools to generate or refine content can streamline efforts and increase efficiency. (But be sure to follow your institution’s AI policies, and make sure you’re using AI-suggested content as a starting place—not as the final product.)
Not Tapping Into External Resources
Building strong external partnerships will help stretch limited resources and foster a collaborative environment. Engaging with community groups and external peers—such as organizations like EDUCAUSE, SANS, and the National Cybersecurity Alliance—allows institutions to share ideas and learn from each other, further enhancing campus security awareness programs. Learning from peers with more mature programs, brainstorming strategies, and incorporating lessons learned will help keep your efforts relevant and effective.
By expanding outreach and collaborating with local organizations, such as libraries, credit unions, or security vendors, you can foster a more security-conscious environment that extends beyond the campus, positively impacting the wider community.
Security awareness is an ongoing journey. You need to remain creative, maintain positive messaging, and continually evolve your approach. With a little creativity and collaboration, you can create a proactive, engaging security awareness program that’s not just a checkbox on your to-do list but a core part of your information security strategy and institutional culture. With a commitment to continuous improvement, your security culture will grow stronger, ensuring the entire campus community is engaged and prepared. So, let’s get to work—your campus community is counting on you!
Every October, Cybersecurity Awareness Month reminds us how important it is to stay safe online. Launched by the U.S. Department of Homeland Security and the National Cybersecurity Alliance, the initiative has grown to educate everyone—from students to business leaders to other organizations—on protecting themselves from cyber threats. The theme this year, “Secure Our World,” focuses on simple steps to secure your digital life. Whether it’s creating strong passwords, being careful about what you share online, or learning how to spot scams, these small actions can make a big difference. Cybersecurity Awareness Month aims to help you, your family, and your organization stay safe in an increasingly digital world. At Vantage, we proudly support this initiative because we believe that cybersecurity awareness and training is for everyone, and especially in higher education, can make the world a better, safer place.
This post was authored by Senior Strategic Consultant Valerie Vogel, who advises clients on information security program development, information security and privacy awareness programs, and IT organizational assessments. She encourages anyone who doesn’t have a password manager to find the option that works best for you (and your family) and start using it today!
Need Help?
Our team of higher education experts is available to facilitate strategic planning and other services with your organization.