Creative approaches to information security can lead to big improvements for budget-conscious institutions.
"Small is big!" proclaimed Dan Sanders, information security officer at Widener University, during a standing-room-only session on budget-conscious information security programs at the 2018 EDUCAUSE Security Professionals Conference. The session focused on sharing resources to help information security practitioners successfully protect institutional IT resources and data when they either have very limited resources or are just beginning to build an information security program. Sanders later noted that "both the session and discussions I had thereafter lead me to believe that using and sharing budget-conscious information security strategies will be a topic that stays top of mind for a lot of folks for some time."
It makes sense that information security continues to be a priority for IT professionals at many institutions. Both the data that higher education is entrusted to protect — from student data to research data and everything in between — and the populations that higher education serves vary widely. As a result, the challenges of information security threats and the increasing complexity of technology, architecture, and data continue to influence institutional IT strategy.
The State of Information Security
In 2018, information security topped the EDUCAUSE Top 10 IT Issues list for the third year in a row, leaving some members of the higher education information security community to question whether institutions are making any progress in information security program maturity. And making progress can be difficult. According to EDUCAUSE Core Data Service research, in 2016
- information security spending was roughly 3 percent of an institution's overall IT budget spending, and
- there were only two central IT information security full-time employees (FTEs) per 10,000 institutional FTEs.
These numbers have remained relatively static over time. In both 2014 and 2015, information security spending was only 2 percent of an institution's overall IT spending, and institutions had only one central IT information security FTE per 10,000 institutional FTEs. The doubling of that staffing ratio between 2014 and 2016 may indicate a modestly positive trend.
In any case, the collision of resource constraints (budget and staffing), a dynamic threat environment, and the increasingly complex higher education technology ecosystem has forced many institutions to consider nontraditional, innovative approaches to implementing and expanding effective campus information security programs. Here, I focus on three approaches that relatively small institutions have used to effect big improvements in their information security posture.
Leadership on the Move: Two Institutions, One CISO
Franklin & Marshall College is located in Lancaster, Pennsylvania, about 70 miles to the west of Philadelphia. The private liberal arts institution has a student enrollment of more than 2,200. Vice President and CIO Carrie Rampp leads the college's IT organization, while CISO Alan Bowen leads its security function. Similar in size to Franklin & Marshall College and located 85 miles to the northeast is Susquehanna University in Selinsgrove. Its IT team, led by CIO Mark Huber, is much smaller (18 staff members) and its CISO is also Alan Bowen. One CISO, two institutions, 85 miles apart.
Franklin & Marshall and Susquehanna have been part of this shared-CISO consortium since founding it in 2013; the arrangement originally included a third institution, which hired its own CISO in 2017. The consortium, which is driven by the boards of trustees at each institution, was founded when the institutions recognized that they could not afford a dedicated CISO or security team on their own and that security by committee simply wasn't effective. The consortium's goal was to use a properly executed shared services agreement and a shared CISO to reduce information security risk at all participating institutions while offering efficiencies and other economies of scale.
Today, Bowen spends two days a week at each institution and works from his centrally located home one day a week. His employer of record is Franklin & Marshall College. The current shared CISO agreement runs from 2017 to 2020, but either institution can terminate the agreement early if necessary. Should that occur, Bowen is not precluded from becoming the sole CISO at either institution.
Bowen refers to himself as a "security team of one" at each institution, but with significant support from other IT staff and information security stakeholders. While strengthening each institution's security posture is his priority, Bowen is quick to point out that each institution has its own IT culture and strategy and that a "one-size-fits-all approach simply will not work." For instance, Franklin & Marshall is a Google Apps for Education campus, primarily using Banner for its enterprise resource planning (ERP) software. In contrast, Susquehanna runs Office 365 and Colleague for its ERP. Susquehanna's desktop is largely Windows-based, with a few Macintosh users (about 17 percent); Franklin & Marshall's situation is somewhat more balanced, although Mac users constitute the majority (60 percent). Table 1 shows the distinguishing features of each institution's IT environment.
Table 1. IT Environments at Franklin & Marshall College and Susquehanna University
| | Franklin & Marshall College | Susquehanna University |
|---|---|---|
| IT staff size | 34 | 18 |
| Cloud tenant | Google Apps for Education | Office 365 |
| Two-factor authentication | Google/Duo | Microsoft |
| ERP | Banner/Oracle Linux | Colleague/Unidata/SQL |
| Desktop environment | Mac 60%, Windows 40% | Mac 17%, Windows 83% |
Despite the differences in institutional IT approach, Bowen has created a series of shared priorities and contemporaneous projects between the institutions. This year, for example, his focus is on improving incident response and vulnerability management. Bowen intends to strengthen Franklin & Marshall's incident response policy, while customizing a similar plan to institute Susquehanna's first incident response policy. He also wants to ready both institutions to exchange threat intelligence information. Bowen has introduced the Higher Education Cloud Vendor Assessment tool at both institutions, and he plans to strengthen each information security program through effective practices and industry standard processes. "It's a daunting task to lead the next generation of information security efforts at each institution," said Bowen. "We'll get there."
CIOs Rampp (Franklin & Marshall) and Huber (Susquehanna) are committed to making the shared-CISO relationship work. "We knew we needed this role, we had a strong business case for it, and we had support from leadership at both institutions to find a way to make the shared-CISO employment strategy work," said Rampp. Huber added that the consortium works because of mutual trust and has led to benefits that transcend the shared CISO: "We are in a position to share knowledge and experiences and collectively improve our information security capability and maturity."
Bound by Culture: Three Institutions, One CISO
The Association of Marianist Universities comprises three institutions: Chaminade University of Honolulu in Hawaii; St. Mary's University in San Antonio, Texas; and University of Dayton in Dayton, Ohio. Although each institution serves vastly different student populations, sharing the common ground of their founding religious order "keeps us together and at the table when the going is tough," said Kyle Johnson, Chaminade's dean of Information Technology and Services.
Johnson has been working and collaborating with University of Dayton Associate Provost and CIO Thomas Skill and St. Mary's University Vice President for Information Services and CIO Curtis White for more than three years to identify common themes and issues as potential areas for IT collaborations that make sense. Information security was one area they identified as ripe for collaboration.
In 2017 and 2018, the leaders began outlining how a shared information security office might work. The University of Dayton had an established information security capability led by the institution's CISO. Neither St. Mary's University nor Chaminade University had a CISO or an information security office, so information security fell largely to each institution's CIO, and funding for a CISO was in short supply. Further, Chaminade struggled to meet its information security staffing needs due to salary competition with the local military base and contractors.
In 2016, the three institutions coordinated an Eduroam rollout; this experience "gave us the confidence that we could meet the information security challenge," said White. They realized that, by adding staff, they could reasonably extend the University of Dayton's information security capability to both St. Mary's and Chaminade to create a shared information security office. The plan was for St. Mary's and Chaminade to provide Dayton approximately two-thirds of the funding needed to hire an additional entry-level information security position at that university. That hire would handle many of Dayton's operational information security tasks, while Dayton's CISO could help both St. Mary's and Chaminade determine their information security priorities and create and finalize plans to build a stronger information security capability at each school.
After consulting with each institution's governing board and legal and compliance representation, the shared information security office agreement officially began on April 1, 2018. While that date causes some amusement, Johnson, White, and Skill are adamant that there was nothing special about it beyond its being the start of a new fiscal quarter, which followed the finalization of all of the underlying legal agreements. "We wanted to make sure we had an agreement that was approved at each of our institutions because money was changing hands, and we wanted to make sure each institution was insulated from legal liability for the actions of one of the sister institutions," said Skill. "We wanted to set ourselves, and the University of Dayton CISO, up for success, and we felt that a formal agreement did that."
Seeing this idea through from inception to realization required dedication and leadership. For other institutions considering such a collaboration, this project's three IT leaders offer the following advice:
- Identify common ground to hold the institutions together, particularly if your collaboration spans multiple states. That common bond will be important as challenges are identified and resolved.
- Consider the information security capability maturity levels of each participating institution. It can be beneficial if at least one institution is more mature than the other(s), so that the less-mature institution(s) can bootstrap on that institution's maturity level for quick wins.
- Bring IT staff into collaboration discussions early. Doing so will help you better explore potential collaboration areas and help the IT leaders reassure existing staff that the collaboration is intended to strengthen current information security efforts, not replace them.
- Bring legal, risk, and compliance counsel into the conversation as early as possible. These professionals must fully understand the proposed collaboration from the beginning to adequately assess the financial responsibility and legal risk of each institution.
A Virtual CISO: Outsourcing Information Security
Muhlenberg College is a private liberal arts college in Allentown, Pennsylvania. CIO Allan Chen leads the college's 25-member IT organization; none of these staff members is dedicated to information security. The security operations are largely integrated into the IT team as a whole. Because the institution has no CISO, Chen serves as the de facto information security lead.
Chen said he recognizes the importance of having an institutional information security program led by a CISO, but he must also consider overall IT staffing needs. "Being a strategic organization is important to us," said Chen. "I would love to have a campus-based CISO, but quite frankly, the amount needed to pay a CISO salary might allow me to hire two to three more entry-level staff in the IT organization. That CISO-level salary can be a hard one to justify." While Chen's long-term goal is to prove that a dedicated information security leader makes sense in today's higher education environment, making sure the institution has information security capability now is equally pressing.
In September 2017, Chen contracted with an information security consulting company to provide virtual CISO services to Muhlenberg College. The three-year contract affords Muhlenberg credits that it can apply toward the work it needs for its information security program. The agreement is flexible regarding the type of security services provided, and Muhlenberg can terminate it at any time. Chen chose the consulting firm because it was familiar with higher education in general and had success stories with other higher education institutions. "Choosing a firm that understood how higher education IT organizations work and understood the sheer magnitude of data that must be protected was very important," said Chen. Although no one from the consulting firm is located on campus, the contract includes support for incident response functions and on-call emergency support in the event of an incident.
The first part of the engagement included an on-campus visit, during which consulting firm staff provided a comprehensive assessment of the campus information security posture using the National Institute of Standards and Technology (NIST) Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53) as a guide. The consulting firm's staff members also met with Chen and his senior staff, as well as several other stakeholders across campus. That assessment produced a compilation of the risks the institution faces and an evaluation of its overall risk posture. Chen said that the formal assessment was very useful and that he hopes to parlay it into a series of long-term projects designed to improve Muhlenberg's information security posture during the contract term.
Security Advice for the Budget Conscious
At the 2017 EDUCAUSE Security Professionals Conference, attendees noted that higher education institutions need more resources to help them grow their information security program capabilities in budget-conscious ways. In response, the Higher Education Information Security Council (HEISC) created a series of papers that provide advice for information technology leaders and managers tasked with developing and delivering institutional information security programs and services on a tight budget. The series includes three white papers:
- Building Resources on a Budget. Operating information security programs with scarce resources requires creativity and flexibility. This paper offers pragmatic, actionable ideas for building information security resources on a budget.
- Building Institutional Capability and Sustainability. To succeed and be sustainable, investments in information security programs and tools need a deliberate plan, especially in a resource-strapped environment. This paper offers strategies to build information security capability and sustainability within those constraints.
- Capability Roadmap. Budget-challenged information security programs often must be built from nothing. This paper shares resources on how to formulate a roadmap to create a justifiable information security stance.
Inspired Innovations
The institutions showcased in this article all faced and addressed an unmet information security need. Rather than downplay that need or fret about how to meet it in a traditional manner, with a dedicated CISO and security team, the IT leaders were willing to think (and act) outside the box to improve their institutions' information security posture.
As more institutions address the rising tides of information security threats, constrained budgets, and a shortage of skilled information security professionals, it stands to reason that higher education will witness many more new and inventive approaches to improving information security.
Sustain and Improve Your Information Security Programs
The EDUCAUSE Cybersecurity Program supports higher education institutions as they improve their information security, compliance, data protection, and privacy programs.
Joanna Lyn Grama is Senior Consultant at Vantage Technology Consulting Group. Until June 1, 2018, she was the Director of Cybersecurity and IT GRC Programs at EDUCAUSE.
© 2018 Joanna Lyn Grama. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.