The Growing Importance of Cybersecurity Governance to Universities
The threat of data breaches, ransomware, and denial of service attacks grows with each passing year. Big data and the Internet of Things are expanding the attack surface at the same time, so the scope of the problem is growing almost exponentially. We need to deal not only with lone wolf hackers, but also with organized crime and even nation states. Effective hacking tools and vulnerability intelligence on universities are available over the dark web, as easily as shopping on Amazon or browsing Facebook. As someone who has had responsibility for cybersecurity for the past twenty years at two leading universities, I would like to offer my observations and recommendations to university leadership.
The most important recommendation for university Presidents and Boards is to get engaged and become aware of the cyber risks posed to their university. Cybersecurity preparation is not just about technology. Even though the CISO (and only one-third of universities have a CISO) generally reports to the CIO, cybersecurity is about process, people and technology. It is the process and people side, which is what constitutes good governance, that needs much more focus these days. Without good cyber governance, universities will continue to fight fires and deal with the fallout from poor incident response and inadequate preparation and planning. Universities on average spend less than three percent of their IT budgets on cybersecurity, and they often raise cybersecurity with their Boards only after an incident. It has become apparent that many CISOs and CIOs do not get good cyber support from university leadership, in terms of both funding and engagement from the entire management team.
We can do better, but it will take a mature program of cyber governance
Eventually your university is going to have a significant cyber incident. It could be a loss of data that requires notification to those affected, and to your local and state authorities. It is likely that a story covering the incident will appear on the front page of your local and even national papers, hurting your reputation as a good custodian of student, employee, alumni, and even donor data. You will also be expected to pay for monitoring services for the affected individuals, which could cost millions of dollars depending on the number affected. Your university could be hit by ransomware, where critical data is encrypted and you are left choosing between restoring from backups (which may not exist, or may never have been tested) and paying a ransom, often in Bitcoin, for a decryption key that may or may not work. You could also be hit by a denial of service attack; one major university was shut down for days until it could address such an attack. Eventually one of these incidents is going to happen, even to prepared universities. When an event occurs, do you have a mature cyber incident response program in place to recover? Many do not have a program, and those that do may not practice it. Such a program should include a broad range of senior leadership: the President, General Counsel, University Communications, the CFO and Risk Management, the CIO, the CISO, the Executive Committee of the Board, and so on. It is not just the CIO and CISO.
Part of the fault lies with CIOs and CISOs for not providing a plan or strategic roadmap, including a cyber framework, that identifies gaps, benchmarks against peers, levels of maturity, and priorities for support. CIOs and CISOs need to work on their ability to communicate in the language of risk and business value rather than in purely technical terms. Some of the important issues to address do not take much funding, but simply a recognition that the university needs to make cyber risk mitigation a priority and institute some changes, such as requiring cyber training and holding decentralized units accountable for conforming to best cyber practices. For example, does your university get rid of legacy data or data that is no longer needed? Data you no longer hold cannot be stolen, so a retention schedule that is actually enforced directly limits the size of a breach. One university I attended kept data on everyone for over 30 years, and after a highly publicized breach, the number of individuals affected approached several hundred thousand, costing tens of millions of dollars to mitigate the impact. If they had removed the old data, they could have significantly contained the impact of the breach.
Some good news is that universities are generally good about collaborating and working together. Associations such as EDUCAUSE provide much needed cyber support and advice to member institutions, including a comprehensive cyber education and awareness program. Other groups such as REN-ISAC provide shared threat intelligence to their members, including hundreds of universities. At American University, we have launched the Kogod Cybersecurity Governance Center (KCGC) to conduct fundamental research that advances the cyber governance front and to provide executive education to senior management and Boards. For example, we have hosted a couple of workshops for CIOs and CISOs to explore the challenges around cyber governance; see our KCGC Practice article: “Real-World Strategies for Obtaining Senior Leadership Airtime and Buy-In on Cybersecurity.”
Higher education has a poor cyber reputation due to the large number of breaches that occur each year relative to other industries. We can do better, but it will take a mature program of cyber governance.