I was a new ISO in 2011, having a conversation with an experienced colleague who took issue with some of our information security program. “We are not Fort Knox, after all,” he said.
I was not new to higher-education IT, having worked as a systems engineer and technical manager for 15 years. But I had not planned to pursue information security until our CIO asked me to consider applying for an open position. It was an opportunity for advancement and an interesting proposition.
I have always enjoyed troubleshooting, identifying root causes and tackling difficult technical challenges that others may not want to handle. My colleague’s comment made it clear that I was facing a new challenge. Only this time it did not involve technology, but gaining buy-in and promoting a culture change.
Information security in higher education has come a long way in the last seven years. I rarely find questions as to whether we should protect our information and resources. But that doesn’t mean our job is easier. Higher education thrives in a diverse environment that produces myriad security challenges. We support thousands of researchers and faculty who have strong self-interests and essentially act as independent contractors. Similarly, our colleges and academic departments have a fascinating mix of autonomy from and dependence on the Institution. Even our VPs can act as independent organizations at times.
• We have academic openness.
• We have research that spans technologies and disciplines.
• We have developers creating web and mobile applications.
• We have resident students and support guests who have a strong affiliation with our students. You know, parents and guardians.
• We have affiliations and partnerships aligned with much of our academic and research activity – research partners, local hospitals, K-through-12, consortiums, business partners, outreach audiences and summer camps.
• We have dozens of merchants operating on our campus.
• We have always had people bringing their devices to our campus, even before “BYOD.”
• We have online distance students.
• We have a massive amount of data to protect and utilize.
• We not only collect data, but continually find new reasons to move data between sources and targets, local hosts and cloud services.
• We have business units that operate with lean staffs, leveraging technology as a business enabler, reducing obstacles to productivity.
• Like every business, we have to protect vital infrastructure and data.
• As publicly funded schools, receiving federal scholarships and grants, we have compliance requirements – FERPA, HIPAA, PCI, DMCA, NIST 800-171, GLBA – a growing list.
• In addition to security, we have substantial privacy interests.
What a fascinating and challenging environment for an information security professional. I believe we have turned a corner as an industry sector and embraced the challenges before us, and that the opportunity is equal to the challenge. These days, I am rarely involved in troubleshooting technical issues. But I am immersed in protecting data and infrastructure in a diverse research and educational environment. As the “champion” of our current 2-factor authentication initiative, I have helped to craft a multi-faceted marketing campaign, briefed and enrolled our student government, deans, VPs and president, and helped broad constituencies prepare for change. As a “champion” of our risk-management program, I work with numerous technical teams outside of my direct reports to continue to increase our capacity to address risks across operational IT silos while minimizing operational disruption. My roles include technical director as well as business enabler and communicator.
My toolbox today includes strong technical competence, as well as increasing business awareness and engagement, creativity, relationship-building, leadership and facilitating organizational change.
Higher Education Information Security is no longer primarily a technical problem for the IT shop, but an organizational opportunity requiring awareness and collaboration from the highest levels of leadership.