Bringing Cybersecurity to the Forefront
Jeremy Epstein | Senior Computer Scientist, SRI International
The following interview is with Jeremy Epstein, a senior computer scientist with SRI International. Epstein has spent his career working on improving cyber security across a wide range of industries and organizations. In this interview, Epstein directs his focus toward the postsecondary space. He discusses the cyber security threat that will be facing higher education institutions in the coming years and shares his thoughts on how IT leaders can secure their systems without limiting their options for customers.
1. Why should higher education IT leaders be focused on improving their cyber security infrastructure over the next 10 years?
Obviously cyber security is becoming important to everybody in every industry. You just need to open the front page of any newspaper and you’ll see the hack-du-jour. Whether it’s credit card numbers, social security numbers or medical records, someone is always being hacked.
Educational institutions are no different. They have some unique issues in that not only is there the student information—much of which is required to be protected under the Family Educational Rights and Privacy Act (FERPA)—but also they have unique equipment in scientific laboratories, things like that, that are increasingly connected to the Internet and are increasingly at risk.
2. Higher education institutions are in the middle of a modernizing process in which online shopping elements are being folded into the student customer experience. As more information is being shared and processed online, how should this impact the way higher education institutions regard IT security?
On the business side, they need to be every bit as sensitive and protected as any business would be, whether it’s an e-commerce business or any other sort of business. [This is] not a model that is traditional for universities, since universities are typically very focused on being open. Now they have to be a lot more concerned about protecting information and minimizing who has access to it. This is an intellectual sea change for universities in many respects. They’ve been used to protecting private information like transcripts and things like that against unauthorized access but now there’s a lot more information that they have that they have to protect as they modernize and as they’re dealing with students’ information in new ways.
3. What are some of the steps college and university leaders can take to improve their cyber security infrastructure?
Realistically, having homegrown, in-house security is something that’s going to be limited to the biggest and most well-off educational institutions. The smaller ones need to recognize that hiring outside experts to take care of a lot of these security problems is the only way they can reasonably keep up to date.
Their mission is education; their mission is not cyber security of their corporate infrastructure. That’s going to be a change. They’re going to have to find a budget to hire those outside experts. It’s not a one-time deal. These are things that are going to be ongoing forever and ever.
4. Is there anything you’d like to add about the importance of cyber security in the modern higher education infrastructure and why it’s valuable for institutions to look outside for their cyber security solutions?
The most important thing that differentiates the universities from commercial organizations is the equipment and how they’re going to protect that because that’s an area where there isn’t a lot of precedent in the commercial world. The microscopes, the telescopes, the nuclear reactors that a few schools have on campus, all of these things are increasingly connected to the Internet and the universities need to think seriously about who might attack them, why they might attack them and how they’re going to secure them.
This interview has been edited for length.
– – – –
- As more and more postsecondary information and equipment are being digitally stored and accessed, institutions need to seriously consider the strength of their cyber security infrastructure.
- Only the biggest institutions will be able to develop adequate in-house cyber security teams; everyone else should look to service providers for support.
Author Perspective: Analyst