
Security in 2007: No Surprises Here (Well Maybe a Few)

Each year O'Keeffe and Company conducts an online and in-person IT Security survey of IT directors and managers for CDW-G. This year there were 151 respondents from a variety of higher education settings. The results are an important barometer of the state of IT Security in higher education. The full report is available here. If you haven't downloaded it already, you should do so now: It's important.

Things That Jump Out
As I read the report a couple of things stood out. First, high-profile IT security incidents continue to plague higher education. For the second year in a row 58 percent of the respondents reported an IT security incident. And again, sensitive data residing on unprotected or vulnerable computers is ranked as the top security risk. (See my July 13 Campus Security Newsletter column "Who Knows What Evil Lurks in the Cyber Heart?" for comments on this problem.)

The second thing that jumped out at me was that things don't seem to be getting any better, although the good news is that they don't seem to be getting any worse. For the last three years the number of respondents reporting that they feel very safe from malicious attack has hovered around 8 percent, while the number that felt safe has stayed around 37 percent. There were no consistent trends of feeling more or less safe over that period.

Why Aren't Things Getting Better?
When asked what the barriers to improving IT security were, the responses were: too few staff resources, lack of funding, higher education culture, and lack of defined security policy. No surprise here. What I did find a little surprising was the apparent emphasis on technology to overcome these barriers. This may be an artifact of the way the question was posed to the respondents: "Which of the following security devices are utilized on your campus?" The choices included such things as network authentication software, card access systems, and IP cameras. The problem is that acquiring these devices, while important, doesn't address resource, cultural, or policy barriers. How are institutions approaching the underlying problems?

To pursue this I had a long conversation with Louisiana State University's CIO Brian Voss and its Chief Information Security & Policy Officer Brian Nichols. In the wake of Hurricane Katrina, LSU has been in the vanguard of improving IT security and implementing disaster recovery and business continuity strategies. Staff dedicated to IT security, disaster recovery, and business continuity have increased from zero to nine FTE. Voss noted that nothing works like a problem to drive a solution. He also argued that CIOs must realize that IT security is a problem that they themselves have to solve and they shouldn't expect that they will necessarily be given additional money to do it. In their case he used efficiencies in the network budget to enhance IT security. Nichols pointed out that you cannot enforce a policy if you don't have a policy. You can find out more about LSU's security practices and policies at http://www.lsu.edu/itsecurity and http://www.lsu.edu/itpolicy.

Nichols' view is consistent with the observations of Joe Sartin, CDW-G's senior sales manager to higher education, who notes that it is hard to implement IT security in an environment that doesn't have institutional security policies and standards.

Apples and Oranges: What's Going on Here?
One of the issues considered for the first time this year in the CDW-G survey is the relationship between IT Security and Physical Security, a topic that I discussed in my Sept. 14 Campus Security column "Converged Security: Can Ex-Cops, Propeller Heads, and Bean Counters Make Nice?" When asked "How would you describe your campus' integration of IT and physical security," 25 percent of the CDW-G respondents answered "fully integrated" or "mostly integrated." The survey was surprised at the slow integration and concluded "only 25 percent of campuses have successfully converged their programs."

By contrast, I was surprised that 25 percent responded that there was any degree of integration because a month earlier I had been unable to find a single campus that had converged the management of physical and IT security! What's going on here?

After talking to a few campuses it became clear what happened. Surveys are difficult to write, and their interpretation is tricky. The precise wording of a question can affect the responses. Similarly, subtle differences in how a word or term is defined can lead to varying conclusions. We were comparing apples to oranges.

The Real Story on Convergence in Higher Education
Why has the administrative convergence of physical and IT security, which is relatively common in the corporate sector, not gained traction in higher education? The corporate sector is profit-driven and views "convergence" through the lens of an administrative hierarchy; administrative convergence of physical and IT security is increasingly common. Higher education, on the other hand, has as its core mission research and education and administratively is highly decentralized; it does not see the administrative convergence of physical and IT security as a necessary condition to the integration of the physical and IT security functions.

Voss explained that distinction using LSU as an example. The Office of Public Safety and the IT unit work together closely in what Voss said he views as a partnership. "We each do what we do best in close cooperation with the other." He cited the Emergency Operations Center or EOC as an example. IT worked closely with Public Safety in the design of the EOC and would be part of the facilities operation in the event of emergency. Similarly, IT provided technology support in the selection of a text messaging system to alert the campus in an emergency. To ensure that the two units are operating in coordination with each other and prepared to integrate emergency services, Nichols said he meets monthly with his counterpart in Public Safety. Voss said he sees the administrative convergence of physical and IT security in higher education as being similar to the once-touted administrative convergence of libraries and IT. Sounds good in the abstract, but hasn't been widely adopted in higher education because the culture and, more importantly, the mission are too different.

Viewed from that perspective, the question raised by the CDW-G survey is not about administrative convergence; it is about what a campus is or should be doing to ensure that all aspects of security are integrated in such a way as to support the institution's mission.
