- Higher education's unique culture makes us attractive targets for cybercriminals, which institutional and board executives must consider in their deliberations and decision making regarding overall campus health.
- Educating your board about information security gives them a clearer picture of organizational cybersecurity challenges and the potential costs to your institution of failing to manage cyber threats and risks — including financial and reputational costs.
- Obtaining the board's support puts you in a better position to effectively manage information security risks on your campus.
Institutional and board executives can play a significant role in providing the support necessary for successful information security programs. Outlining specific information security challenges with board executives offers an opportunity to build relationships with them and educate them on institutional risks. Receiving their input on key decisions will pave the way for a more effective response to security challenges.
Boards not previously briefed on information security are likely to ask the following questions:
- Why would anyone want to attack us?
- What is the maximum loss potential of a breach?
- What is the scope of what needs to be protected?
- What does the legal and regulatory landscape require?
- Do we have data breach insurance?
- How does our information security posture compare with a peer institution or industry standards?
Key Goals for a Board Briefing
Well before your planned briefing, take steps to organize the information you want to present. This is your chance to both educate and influence the board on their involvement with information security on campus.
- Provide a risk assessment: Identify information security challenges you've overcome and highlight specific security improvements you've made.
- Identify next steps: Information security is a process, not an end state. Identify open issues to set the stage for your next report to the board.
- Build a productive, mutual relationship: Including information security as part of a regular board report, whether to the full board or a board committee, strengthens the governance of the information security program and demonstrates the board's understanding of and commitment to information security goals.
Briefing the Board
Whether the chief information officer, chief information security officer, or both leaders present to the board, you will need to communicate some basic information that not all board members will know, such as the role of the CISO on your campus. Executive leaders will surely appreciate a successful and collaborative partnership between the CIO and CISO for the good of the institution. This partnership will also demonstrate a serious commitment to developing an effective information security program. Executive leaders may be acutely aware of IT challenges, but they don't always get an equally focused perspective on information security concerns and, in particular, cyber risks, vulnerabilities, and threats.
Be honest and direct. Don't sugarcoat the truth. However, simply stating that your institution is vulnerable to insider threats, external attacks, or security breaches, without the requisite ability to provide evidence of strategic information security goals and objectives (based on industry standards and practices), could put you in an unfavorable position. Don't evade difficult questions; admit when you don't have an answer, and promise to provide one shortly after the meeting ends.
Align your points with strategic objectives and goals. This is perhaps the most important point we can make, as doing so adds impact to your briefing and appeals to the board's standard approach to deliberations. Explain areas of weakness and strength in your campus's cybersecurity status. Threats involving people, processes, and/or technology that affect your institution are relevant to the board, but even more important are your recommendations — this is an opportunity to improve your institution's information security posture if you have the board's support.
Be brief, but educate. Your first appearance before the board may be 15 minutes or less. Provide a handout to increase the board members' clarity on the points you plan to make and a relevant article or two that they can read later that will reinforce your message and provide context. Your board likely has little experience with cybersecurity. Discuss the challenges inherent in security:
- Security is invisible by default. Identifying legitimate attacks — let alone breaches — is challenging.
- Confidential data may be held in a variety of places. Confidential data doesn't just reside in central databases; it is widely distributed — in the cloud, on a thumb drive, on a mobile device, etc.
- There is a complicated regulatory landscape in breach disclosure. Navigating complex federal and state laws may complicate your responsibilities in reporting out to the wider community when (not if) your institution suffers a breach. Your campus legal counsel will need to be involved.
- There is a relative lack of legal enforcement. Legal authorities may have difficulties tracing cybercriminal activity to its original source, as well as distinguishing whether the originator is a criminal, a hacktivist, or a state actor posing a threat to national security. This makes punishment of cybercriminal activity difficult and all too rare.
- Potential losses from cybercriminal incidents and data breaches can be staggering. In the aftermath of a major security incident the fallout can range from financial costs (often measured per record) to reputational damage, and it can take a lot of money and a long time to recover.
Share a report of the attacks launched over the past week or month with board members. While the board members may not understand all the types of attacks and their degree of threat, they will better appreciate the challenges faced in keeping your network secure just by seeing the number of attempts. Such data will also provide the board with a platform for more detailed questions in the future and thus develop richer future discussions.
Explain the concept of a risk management culture. This is a process of maintaining acceptable risk, not an end state of eliminating every risk. Richard Bejtlich, author of a variety of books including The Tao of Network Security Monitoring, suggests that the best answer to the question "Are we secure?" is "Let me check." This helps contextualize the fundamental challenges in information security.
Recognize that you may not have all the answers today — and that's OK. For example, you haven't yet identified all the information security risks if you have only considered your IT organization. It is necessary to take a comprehensive approach and examine information security risks from multiple perspectives across the institution (people, processes, and technologies). The board wants a demonstration of your commitment, effective progress, and productive results.[1]
Information security is still in a nascent stage.[2] We believe a paradigm shift is needed — too often, the attention and resources provided to information security are disproportionate to institutional risks.[3] While many institutions are learning this the hard way at considerable expense, this state of affairs has started to reverse as more board and institutional executives take notice and get more involved. CIOs and CISOs play a pivotal role in educating boards to gain their active support and willingness to invest in ramping up effective information security efforts that can reduce the risks of incurring a data breach.
1. For a discussion of enterprise-wide IT risk management, see Joanna Lyn Grama, "Understanding IT GRC in Higher Education: IT Risk," EDUCAUSE Review, February 23, 2015.
2. "Outside the Box: Evolution & Ascent of the CISO," EDUCAUSE Review, November 24, 2014.
3. The 2014 EDUCAUSE Core Data Almanac shows a ratio of 77:1 IT staff to information security staff. Is that ratio appropriate for the modern threats and risks of a data breach? Does that alignment of staff resources reflect the perceived value of information security? If that ratio is the benchmark, is it any wonder that small and medium-sized organizations struggle to justify information security staff?
Brian Basgen is executive director for IT at Bay Path University, where he also teaches in the graduate cybersecurity management program. Basgen has been working in the field of information security for the past 12 years and has created information security programs for three organizations. He is an active member of the EDUCAUSE community and is currently serving as the co-chair of the 2016 Connect Conference.
Tammy Clark is chief information security officer (CISO) at the University of Tampa, where she reports to the university president and leads an information security program that was recently ISO/IEC 27001:2013 certified by BSI, an accredited international registrar. (ISO/IEC 27001:2013 is a popular international standard that provides requirements for building comprehensive information security programs.) She has developed industry-certified information security programs from the "ground floor" at two institutions (and performed consulting work with many others) over the past 15 years. Clark is currently a member of the Higher Education Information Security Council (HEISC) Leadership team and co-chair of the HEISC Editorial Board, which produces an online Information Security Guide for the higher education community.
© 2016 Brian Basgen and Tammy Clark. The text of this EDUCAUSE Review article is licensed under the Creative Commons BY-SA 4.0 license.