Across higher education, IT security started, many years ago, as just another set of duties assigned to existing IT staff members. As time progressed and risks became recognized beyond the IT department, IT security became more structured and IT security committees were formed. These committees were typically just a regular meeting of the people tagged with security responsibilities in each IT technical area. As risks continued to evolve, many institutions took the step of naming an IT security leader and created an IT security department. This type of evolutionary growth has been typical of IT security organizations across higher education and shows no sign of slowing down any time soon.
In the most recent evolutionary steps, many IT security organizations are growing well beyond their original information technology roots. Risk management, privacy, legal and contractual issues, records management and retention, compliance, training, forensic investigations, incident management, business process oversight, and many other topics often make their way to modern IT security organizations. These topics are very different from the original IT security needs from 15+ years ago, and are requiring new skill sets within the IT security organization. Institutions may choose to outsource a particular skill set, develop it in separate departments within the institution, or develop it as a specialized capability within the IT security organization. Institutions should consider how the following skills best fit within the structure of the institution and the institution’s IT security organization.
"IT security organizations have come a long way in the last 15+ years, and still have a long way to go. Institutions may find that some skills need to be deprecated while new skills become essential"
On a daily basis, IT security organizations evaluate vulnerabilities, determine the value of information and essential functions, calculate financial and operational exposure, and handle risks within the resources and risk appetite of the institution. While this has grown to be an essential part of most IT security operations, it is not the primary skillset of most traditional technical IT security staff members. Institutions should consider how to cultivate well-trained risk management resources within the institution and the IT security organization.
Privacy, Legal Issues, Forensics, and Incident Management
Privacy and legal issues are becoming a common topic for IT security organizations. What a network engineer down the hall programmed into the firewall in the past, the cloud now requires we write into contracts with vendors. The regulatory and statutory environment around privacy, data breaches, incident management, e-discovery, forensics, and information security are also pushing IT security staff members to face legal issues. Most legal staff members, within an institution, are also not versed in technology. This leaves institutions with staff members that understand law/privacy or technology, but not both. As the legal landscape around these topics continues to evolve domestically and internationally, institutions will be forced to figure out how to best address the integration of technology and law within the campus structure. In some cases, institutions may want to give their lawyers IT training; and in other cases, institutions may want to give their IT staff members more legal knowledge. Either way, legal and technical resources within each institution will need to find ways to integrate in the future.
Records Management, Retention, and Compliance
Records management, records retention, and compliance issues are growing to be a significant part of the time spent by IT security organizations. Most IT security organizations are now facing multiple audits per year, and a well-managed governance and policy structure is essential. Institutions should consider whether bringing in people with backgrounds in public policy, law, public health, and other policy and governance disciplines would augment the IT security organization with needed skills.
Training and User Education
Most IT security staff members would say that community members are currently our biggest vulnerability, and the only way to “patch” a community member against attacks is through education. Unfortunately, most traditional engineers have no background in training or education; and even worse, engineers are stereotypically not known for their people skills. Institutions should consider how to best infuse communication and education related skills into IT security organizations. We may need people with backgrounds in education, public health, public policy, technical writing, and public speaking to work with our IT security organizations to “patch” our communities.
Business Process Management
Finally, business process management is becoming a common topic in many IT security organizations. Very often, the information that we are being asked to protect is owned by business units within the institution, not the IT organization. These business units often look to the IT security organization to help them manage data risk. In order to work with functional areas to address these risks, IT security staff members need to understand the business motivations of the unit, the business risks, and the customer service aspects of the business unit. Most IT security organizations do not currently possess staff members with business skills, but these skills will be essential as business units and IT security organizations work together to address data-driven business needs. Institutions should consider how people with a traditional business background may bring needed skills to the IT security space.
IT security organizations have come a long way and are continuing to evolve. Institutions may find that some skills are becoming outdated while new skills become essential. The key for each institution is to find the best way to cultivate new skills in an efficient manner. In some cases, existing staff members can be retrained to meet new needs. In other cases, new staff members may be needed or skills may need to be acquired from outside companies. In the end, all institutions will need to be nimble and ensure that IT security organizations evolve and meet the needs of the community.