Prioritizing Security in Higher Education
Security in higher education was always seen as an IT issue, but it goes way beyond that. Common threats reach an institution constantly, and everyone needs to be aware of what can happen. In this interview, Allan Chen discusses the common threats in higher ed, how security plays a role in the larger institutional strategy and why higher ed leaders need to care.
The EvoLLLution (Evo): What are some of the most common threats or cautions higher ed leaders should be aware of when it comes to security?
Allan Chen (AC): The biggest issue is that the same threats from five or ten years ago are still around as major vectors today. So, phishing emails, user-created vulnerabilities and compromises are still major concerns. These are risks for both the user and the institution. The fact that they’re still around means users aren’t getting the training they need, or we need other ways of training for it to sink in. We must find a way to address the same issues we’ve had, since we’re not making progress on that front.
Evo: What role does security play in the institution’s overall strategy, planning and decision-making process?
AC: About three to five years ago, security didn’t consistently play a role in the institution’s strategic planning. The key words are “institutional strategic planning.” It was always an IT issue, and we had to ask for support, both personally and policy-wise. Now, it’s slowly becoming an institutional-level issue, which is critically important to overall progress and eventual success on security initiatives. With this institutional perspective, more resources can then be allocated to security. When the institution recognizes this issue as a threat to the entire organization, you start re-prioritizing resources (both human and financial), which leads to having different tools and staff available to support plans. It leads to a greater emphasis on those resources.
Evo: What are the challenges to getting broad buy-in for the right security supports and building the understanding of their necessity across the institution?
AC: It’s the understandable, long-term perception that technology is an IT issue. That doesn’t mean the CIO or director of IT doesn’t have to speak to this at the highest level but that others at the institution outside of IT must understand what is being asked for. Before, IT leaders were responsible for not only advocating for support of security efforts but, in many cases, also educating the institution on why such backing was important. Other leaders certainly cared, but security remained a relatively abstract notion. Meanwhile, security is something that all leaders, all the way to the president or chancellor, should know the basics on. IT leaders who sit in cabinet are responsible for understanding topics such as discount rates and deferred maintenance. Similarly, institutional leaders should have a basic understanding of security and other technology matters.
Evo: What are some best practices to start fostering that culture of security awareness and getting people to prioritize security across the institution?
AC: The challenge is that I don’t think that question is answered even today. As I mentioned before, we’re still seeing the same threats today. I don’t know if security awareness has a proven solution to the problem. We do training, but it’s not sticking for everyone. Many recommend monthly trainings, but people get training fatigue and participation decreases. Then someone will suddenly click on a link, and it happens all over again. It’s a constant cycle.
I think the biggest impact is institutional support for security efforts. Senior leadership needs to come out, publicly, saying that security is everyone’s job. The president should send a couple of emails a year to remind people to listen to the IT division’s appeal for good security practices and to take part in regular trainings. It must come from the highest level to get buy-in. It must come out of more than just the IT department.
IT departments can also make security more accessible and even fun for the community. I know some institutions do security events, ranging from an awareness day to carnival-like activities. These initiatives help get the messages across, communicating that good security practices are important and that everyone has a role in securing the institution in a way that is easier to digest than dry announcements about the latest vulnerability or yet another training session.
Evo: What are some trends you’re seeing when it comes to security in higher ed?
AC: Security is recognized as critically important for the institution, yet the field is still maturing in higher ed. It’s not that the tools aren’t effective, but people aren’t sure what to do with them or whether they are the only necessary solutions. The maturation of security is about going from tools to people and from IT to institution. Everyone in the institution has a responsibility to understand what security means. We shouldn’t be starting from the bottom floor. Especially for smaller institutions, where getting more software and hardware is easier than getting more people, maturing from one stage to the next can be difficult.
At CalArts, we partnered with an outside consultant to get advice, so that’s our tool. And they are effective. They developed this comprehensive program that runs from policy to best practices, but now the question is whether we have the human power to implement it. Having great policy is fine, but if there isn’t anyone to make sure the institution is following that policy or using those best practices, then there is a major gap that will undermine everything.
Evo: What impact does security awareness have on the institution and student experience?
AC: There are many ways in which improving security awareness impacts an institution. Some are negative, such as training fatigue from too many assigned videos and workshops or too many informative emails that go unread. For students, I am particularly concerned about the difficulty in getting the word out and how what we’re asking for affects how they go about their daily lives and proves to be a burden on getting work done. More and more, we are asking them to install this or that software or stop doing something dangerous or start doing more of something good.
There are a lot of positives, too. Obviously, better awareness leads to better practices and habits, strengthening the organization’s overall security posture from top to bottom. If nothing else, security awareness gets folks asking the right questions before they make a mistake or click on the wrong link.
This interview was edited for length and clarity.
Author Perspective: Administrator