Why Higher Ed Needs to Step Up Its IT Security Game
With colleges and universities becoming an ever more tempting target for hackers, there is a growing demand for c-level leadership in the realm of cybersecurity. But do institutions know what to look for in a CISO?
The latest statistics on information security incidents are downright frightening.
Nearly 80 percent of organizations today suffer cyberattacks, some repeatedly, according to the "2015 U.S. State of Cybercrime Survey" from Pricewaterhouse Coopers (PwC), CSO magazine, CERT and the U.S. Secret Service. Furthermore, the typical organization now experiences 3.8 insider security incidents on an annual basis, claims a recent security report from SpectorSoft.
And as alarming as those numbers obviously are, they do not take into account the number of incidents — from both external and internal threats — that remain undetected or go unreported.
Statistics like these also illustrate why IT security is becoming an increasingly important topic on campus. While healthcare, financial services and the retail sector grab the lion's share of data breach headlines, colleges and universities remain a very tempting target for hackers. The reason: all of the personal, financial and healthcare data collected on students, faculty, administration and staff, all conveniently housed at a single source.
With that in mind, Jane LeClair, chief operating officer at the National Cybersecurity Institute at Excelsior College in Washington, DC, recently stressed the need for higher education to step up its game around IT security. And she urged colleges and universities that haven't already done so to embrace the role of the chief information security officer, or CISO.
LeClair appeared at the Campus Technology 2015 conference in Boston speaking on the topic "Cybersecurity at the C-Level: Preparing Future Leaders." While she discussed the need for more cybersecurity professionals at all levels of the organization, she stressed the growing demand for a single accountable IT security individual who can hold his or her own with other top executives in the organization.
Wanted: C-Level Security Leader
The role of chief information security officer (or chief security officer) is still merely a "wish list" item for many organizations. But the ranks of high-level security leaders are growing. That is fueled in large part by the constant media headlines of large data breaches and stolen personal information, and the potential liability to an organization.
As LeClair noted, "The CISO is an evolving and increasingly challenging role. The individual is responsible for all security-related matters, including regulatory compliance, risk management, technology controls, disaster recovery and raising the awareness of security at the C-level."
The last point is perhaps the most important, LeClair stressed: security awareness. That is, a formal program for teaching employees and students about security risks they may create internally; and educating top officials on what all the data is that the school collects, where and how it is stored, how and by whom it is accessed, what the associated risks are, and what protections are in place.
Along with that comes an assessment of what the cost to a college or university might be should data be compromised — including actual financial costs and damage from a public relations perspective. And most importantly, what are the risks to the actual students and employees who may be victimized.
The unfortunate reality is that many organizations have a false sense of security, according to recent research from IT security firm BitSight. That includes many colleges and universities, which may count themselves among the organizations that should be safe from harm.
"Some people didn't really get the enormity of the problem," explained Lysa Myers, security educator at security solutions provider ESET North America. "It seems like when you have organizations where their purpose is to do good, people get a sense of 'who would attack organizations that are there to help people?' But it doesn't really matter to criminals. To them it's about the information, not why you have the information."
What's more, Myers added, "The fact that there is such a target-rich environment in education is what makes it so valuable. And if you're playing fast and loose with student information, that's going to be stuck with them for the rest of their lives, potentially."
An Attractive Target
Myers agrees with LeClair that higher education is an especially vulnerable sector when it comes to cybersecurity.
"A lot of people have the misconception that the most valuable thing for hackers is credit card information," Myers explained. "In fact, getting things like medical records or social security numbers can be up to 10 times more valuable than a credit card record. Those are things that you can't reissue. With credit cards, if you get breached, you send out a new one."
"Colleges are unique in that they have both," Myers continued. "They're basically like a small city. They have almost every kind of business all rolled into one. Schools also tend to have a culture of openness of information. Security and openness are usually seen as exclusive, which they aren't. That is a fight that seems to be going on at universities and colleges right now."
Another possible battle on some campuses might be how the chief information officer (CIO) can make a best case for hiring a CISO. After all, IT security is like insurance — you really hate paying for it, but boy are you glad you have it if needed.
It has also been widely reported that IT budgets in higher education are fairly level in 2015, if not on the decline. Adding to the IT security staff can be tough, especially at a top manager level salary.
One solution being tried at some organizations is the rent-a-CSO model, where an organization can try before it buys. There may be a few reasons behind the popularity of this approach, including the inability to find a permanent qualified candidate in the job market, or the inability or unwillingness to meet market salary rates for a full-time individual.
Either of those excuses could come back to haunt the organization, noted Ric Messier, senior security consultant at Champlain College in Burlington, VT, who spoke with Campus Technology about what is being done on campus to combat growing threats.
"From my experience I think there is a little bit of denial going on," Messier explained. "At the top level of the organization there is probably too much reliance on, 'well, we have the right policies in place', or, 'do we have the right policies in place?' A policy is not going to keep somebody out of your organization. There's not enough focus on 'what are our real risks and vulnerabilities and how are we going to effectively address those?'"
Defining the CISO Role
Even when a college or university does decide to hire a CISO, it can be a long journey to getting the role just right.
That was the case for Wayne Brown, vice president of IT and CIO at Excelsior College in Albany, NY.
"I've been a CIO since the mid-90s, and I've hired a few CISOs in my time," Brown confirmed. "Up until about a year ago I had not gotten it right. The first one I hired was very policy focused and she could write a heck of a policy. She knew about securing the scene, and chain of evidence, and all that good stuff, but she could barely turn a computer on and was not a network person by any stretch. The second one I hired had come up through the network side and could work on routers and switches and servers and all that good stuff ... two different ends of the spectrum."
"The third guy that I hired — he's the guy," Brown noted. "He came up through the networking side, understanding networking and the tools. But he can also carry on a conversation and I've had him before the board doing presentations. Interpersonally he does a good job. He's got those soft skills and he's got the IT background to do it. It really takes both."
Brown also knows a thing or two about what CIOs are looking for in a CISO, and vice versa. He conducted research on the topic with his private nonprofit organization called The Center for Higher Ed CIO Studies.
"I did two different surveys," Brown explained. "One went to CIOs in higher ed. It asked about tasks that CISOs might perform and what the importance and the effectiveness of the CISO were in performing those tasks according to the CIO."
"I sent the second set of surveys to CISOs and asked them some of the same questions. I also asked CIOs what education CISOs should have, what their major should be, what skills they should have, and a lot of background type of questions. I asked the CISOs the same questions," Brown said.
"The interesting thing that came out of it is that CIOs are looking for very technical people, and when you asked the CISO that is doing the job every day what the skills requirements [are to do the job], they list softer skills — really skills that are very similar to what I find in my CIO research, like leadership and communication and relationship building," Brown said.
So while there is growing recognition of the importance of the CISO role, it may be some time before some colleges and universities get the job right.
As evidence, consider the finding of a recent study on the CISO role by ThreatTrack Security. According to the firm's research, a majority (75 percent) of C-level executives do not believe the CISO deserves a seat at the leadership table.
"Despite a rash of high-profile data breaches in the last year, many in the C-suite fail to fully appreciate their CISO's contributions and view them primarily as scapegoats in the event of a data breach," the research report noted.
But wait, it gets worse.
"This year the data is stunning," noted ThreatTrack President John Lyons. "With growing concerns about data breaches, organizations appreciate the need for cybersecurity leadership at the highest levels, but have failed to make progress in empowering CISOs with the authority they need to successfully defend their organizations. In some areas, CISOs are losing ground."