In higher education, we live in an age of data and IT infrastructure vulnerability. It's not a matter of "if" an incident will happen at your institution; it's a matter of "when." It is inevitable.
If you are an IT or other executive leader in higher education, be aware of this: We live in an age of data and IT infrastructure vulnerability.
Let that sink in for a moment. Read it a couple of times. In the following interview, University of Kentucky CIO Brian Nichols states: "We all know that data breaches or other risk failures are inevitable; it's not a matter of if, but when." Nichols knows what he's talking about. In addition to CIO positions at UK and Louisiana State University, he has served as a university system auditor, held the title of chief information security officer (CISO), and headed a broad risk management organization at LSU.
If you haven't had a data breach occur at your institution, you've been uncannily lucky, or perhaps one has happened but you weren't aware of it. Even if your institution has been making increased investments in IT security, a breach is going to happen. As Agent Smith said in The Matrix (1999): "Do you hear that . . . ? That is the sound of inevitability."
Your institution's Chief Risk Officer (CRO) or Chief Risk Management Officer (CRMO), along with the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO)—assuming you have all of them in place!—are undoubtedly aware of this inevitability and are deeply concerned. They likely have been working hard, even without your knowledge (or support) to try to address risks that threaten the integrity of your IT environment and information, the menace of which imperils the reputation and assets of your institution. As a campus executive, you must not be lulled into thinking this is not your problem. Because when this inevitability comes to pass, it will land right at your feet. Or, perhaps a better way for you to envision this is that it will land right on top of your head.
Data breaches have been in the news for more than a decade. They're not going away. In fact, they are getting bigger and impacting more people. What that should tell you is that Nichols is correct: it is not a matter of "if" but a matter of "when" this will happen to you.
In a piece I wrote for EDUCAUSE Review as part of a blog series ("Got a Minute?") on leadership challenges facing CIOs, I talked about being hoisted by my own petard. I had written previously about the need to pay attention to risk and compliance and about the potential cost of "mission not accomplished" with regard to that topic.[1] Oops. I was pontificating about what we needed to do while I was, metaphorically, sitting on top of a volcano.
But enough with the doom and gloom. What can you do? Primarily, you can become educated. In April 2018 the Association of Governing Boards of Universities and Colleges (AGB) published What Board Members Need to Know About Cybersecurity. Southern Methodist University CIO Michael Hites co-authored that primer and wrote about it for EDUCAUSE Review as well. This is a very useful document to read cover to cover. Doing so will help you understand the challenges your institution faces in this day of open warfare on the security and integrity of our information and IT infrastructure.[2]
It is likely that your institution has already implemented a program of enterprise risk management (ERM); this is wise, and if your institution has done so, congratulations. But remember: Data breaches and other risk failures are inevitable; it's not a matter of if, but when. I'm being redundant, I know, but that's because I am trying to ensure you get the message! If your institution has not already implemented an ERM program, consider advancing such an initiative. Read the AGB primer, get informed, and start a program or increase your involvement if one already exists.
Let me briefly touch on a few other relevant issues for your consideration:
- Regarding the involvement of the IT organization in these processes, pay attention to another lesson that CIO Nichols notes below: close ranks. Today technology is pervasive in everything your institution does. Everything. To view information technology simply as a subset of your risks is taking a myopic approach. Tightly integrate all facets of your ERM efforts. There must be a cohesive relationship among all departments: audit, finance, student services, academics, athletics, etc. The IT department must be the glue that binds all.
- Don't go it alone. As Nichols points out, the more eyes you have on the "jewels," the better. Even if you've made significant investments in IT security resources—human and capital—your institution is not an island unto itself. It is connected to all other colleges and universities via not just the commodity internet but also the advanced research and education networks offered regionally and nationally (such as Internet2). Take advantage of the strength-in-numbers aspect offered by EDUCAUSE's extensive Cybersecurity Program, which includes the Higher Education Information Security Council (HEISC), and by the Research and Education Network Information Sharing and Analysis Center (REN-ISAC). The real strength of EDUCAUSE and the REN-ISAC is how they are pulling together the broader community of CIOs and CISOs from hundreds of institutions and enterprises. This strength further leverages your local investments and makes your overall approach that much stronger.
- Keep in mind that risks are changing all the time and that they will always exist. I've heard this idea referred to as an arms race—a Kubrickian "mineshaft gap." That's why a breach is inevitable; just when you think you've got every hole covered, new ones appear. If you want to be really scared, take the time to read "Everything Is Broken," by the journalist/anarchist/hacker Quinn Norton.[3] Writing four years ago, Norton describes why we were, and still are, in the mess we're in.
To repeat myself: We live in an age of data and IT infrastructure vulnerability. Pay attention to the volcanoes beneath you—especially the cybersecurity volcano. When the inevitable happens, you will be able to recover more quickly if you're prepared. And you'll be able to say that you took all the measures you could possibly think to take. Any failure was due simply to what could not be imagined.
Cybersecurity, Risk Management, and the CIO
Voss: Brian, you've come to the CIO ranks by an interesting (and unusual) path: auditor, CISO, and head of the risk management function at a large research university. Can you talk about that path?
Nichols: After starting my career in the IT support organization, I had an opportunity to move into the role of an auditor. I was drawn to looking at "risk"—not only from an IT perspective but globally across all areas of risk impacting the institution. After a few years of this work and with the proper certifications (e.g., CISSP), I was offered the opportunity to become LSU's first CISO. I thought that would be a great career step. I was charged to build an IT security function from the ground up, bringing my audit/risk perspective with me to this challenge. Later, I was asked to take over the institution's risk management portfolio, including Environmental Health & Safety (EHS), and this further deepened my understanding of the broad nature of risk. Finally, at LSU, the CIO position was vacated, and I was offered an "interim" position. After a year, leadership gave me the job permanently, and it was exactly where I wanted to be career-wise. I'd become a CIO, but one with deep awareness of the risk aspects of this key position to a 21st-century university.
Voss: Please elaborate on that point. How has this background impacted how you, as a CIO, strategically view the risks presented by IT infrastructure and information security?
Nichols: I have a more global and holistic view of the nature of risks associated with IT infrastructure, information, and services. I take a "big picture" view of these risks to the institution, and this has greatly influenced my approach to the role of the CIO. I look at all sides of what we do, focusing not only on providing the best services we can but also on ensuring that we're fully aware of the risks posed by everything we provide and on being aware of how everything we provide is being used by the campus community. Addressing IT risk in this way was one of the top four categories of my job description when I was hired at UK in 2016—doing so represented approximately 25 percent of my responsibilities as CIO. This was the first time I'd seen that level of specified risk engagement in a CIO position description.
Voss: You've been a CIO now at two places: LSU, where you helped found the IT security function, and now at UK, where you came in as an "outsider." What did you find at UK that you wanted to change in regard to risk management and IT security, and how are you going about it?
Nichols: At UK the campus executive leadership team already had in place an enterprise risk management (ERM) approach and strategy that emphasized the importance of assessing and addressing all manners of institutional risk. However, the IT organization itself was not as tightly involved as I felt it should be. With my background and approach, I have been focusing on improving the IT organization's relationship with audit and risk management. One example is UK's cyberinsurance program; in the past, the IT organization had not been intimately involved in the negotiation and selection of vendors and products. But through this process of building a "working as one" model, we were able to get directly involved. I believe we added value to the process. We helped the institution get a more valuable set of products for less money, and that really was a pay-off for UK.
I also felt UK needed to invest more in IT security. So we have been moving to address that strategically through partnerships and other means. For example, we are working to employ a more strategic, campus-wide Active Directory, focusing on a system approach to security and other system updates and building a stronger collaboration with local IT staff in units to ensure the integrity of all parts of the university environment.
Voss: There's that famous saying "It takes a village." In higher education, more than in any other "business sector," there is a sense of common purpose, collegiality, and collaboration. What resources do you and your IT security team leverage to help extend your abilities to secure your institution?
Nichols: This is a key point. In college and university environments, which are so interconnected in today's world, it does take more than just an isolated approach to one's own institution. The great advantage we have in higher education is the strength of our community!
To start, there are the rich resources and community engagement established by EDUCAUSE and Internet2—specifically HEISC. Community member volunteers lead HEISC; these engaged professional CIOs and CISOs give it instant credibility with peers. The EDUCAUSE Cybersecurity Program adds tremendous leverage to what we do on campus. A community of colleagues and peers, all facing the same challenges and sharing their experience and wisdom, backs us up. When I first started out as a CISO, it was this community with which I first engaged. Over the years, EDUCAUSE has built a tremendous program, featuring ongoing face-to-face and virtual security events, resources for our use (including security awareness programs we can offer on our own campuses), and a rich array of tools via their Higher Ed Information Security Guide.
And then there is the REN-ISAC. This additional resource complements the work of EDUCAUSE and gives us more direct information about and involvement with security challenges.
Voss: Indeed, the REN-ISAC is an organization that links up IT security professionals from over 600 institutions. How do you leverage that "village" at UK, and why is having the village important?
Nichols: It's rather simple: the more eyes you have on the jewels, the better. Throughout my career, I have found the REN-ISAC to be extremely valuable in enhancing our view beyond our own campus. The REN-ISAC gives UK information that it otherwise couldn't see. And UK adds value by sharing what we see that could help others. This truly gives us a chance to receive, benefit, and contribute to the village of the higher education IT security society.
Additionally, the REN-ISAC offers a peer-assessment service that brings "boots on the ground" to our specific local environment. Beyond the things I previously mentioned regarding a more risk-centric view of information technology, I pushed for the use of an external review, using this REN-ISAC service, of the "good/bad/ugly" of what UK was doing with regard to IT security and risk. I used the REN-ISAC peer assessment rather than a commercial firm for two reasons: (1) they're 100 percent experienced in higher education environments; and (2) they do the job for much, much less than commercial firms charge, offering a far better cost-benefit proposition.
Voss: Why do you think these outside assessments are the way to go?
Nichols: What these assessments do best is provide an independent, objective, "local-politics-free" view of the environment. Inside the institution, we aren't always able to see, or report, our own faults; an external reviewer can do that. The results of such a review give us a roadmap so that we know where we need to make investments and changes. But this shouldn't be done just once. Assessments should be conducted periodically in order to track progress over time. This is a key point, because risks are changing all the time, so having an ongoing assessment program, and not just a "one-shot deal," is a wise approach.
Voss: Some IT security professionals (and CIOs) are going to be a bit concerned about "opening the kimono" to a view of their environments from the outside. We all have heard that people fear auditors. Why is that not a good perspective for these folks to have?
Nichols: The idea of an external review was foisted on me when I was a CISO. Although I understood the need and value (as it was explained to me by my CIO), I admit that I was initially a bit concerned professionally about this outside view "inside my kimono." CIOs have to help their CISOs understand the fundamental premise I mentioned earlier: the more eyes on the jewels, the better!
I believe it is critical that we not be parochial and isolated. We all—CISO, CIO, Risk Management—need to have a shared view of what's going on. Finding challenges is not a threat to a given individual or particular organization within the institution; these challenges are threats to the entire institution that we all serve! So we have to get everyone focused on that bigger picture and out of the mode of worrying about how one of us might look in a given situation. In this way, we can be proactive in protecting the integrity of our institution.
We all know that data breaches or other risk failures are inevitable; it's not a matter of if, but when. When a breach occurs, an earlier outside review provides proof that you took measures to try to mitigate the risk. It's an "insurance" view, demonstrating that you didn't rely only on your own perspectives and skills. Checking this box is a part of mitigating risk. It's all goodness—if you can get past those initial fearful sentiments!
Voss: In some cases, CISOs and CIOs are not on the same page when it comes to how to approach securing their institution's environment. Why do you think this occurs?
Nichols: As a CISO, I didn't have to deal with this problem, since my first CIO viewed me as a key partner in what he was doing and engaged me in developing not only our IT security and policy strategy but the broader IT strategic plan. But yes, some CISOs do not have the political savvy to explain the strategic importance of IT security; they tend to be gate-keepers and thus are seen as "the purveyors of NO." Because of this, tension can develop between a CIO who is trying to "get to yes" from a broader perspective and a CISO who is looking down only his/her own responsibility corridor. But it's not always the CISO's fault. Sometimes CIOs don't want to hear the negatives when they're being pushed by leadership to get things done. Thus the tension!
I believe that to overcome this problem, the CIO must commit to having regular meetings and developing a good personal relationship with the CISO. As a CIO, you should think of the CISO as the one who watches over you while you sleep! CISOs need to have CIOs who help them realize a broader view of the overall challenges, but they must also be willing to break out of their "just say no" attitudes and find ways to help the CIO get to yes.
Voss: Given your answer to that last question, what do you think are some steps that CIOs and enterprise risk managers can take to close ranks and work together? Are linked/direct organizational structures the way to address this?
Nichols: One of the great things at UK when I arrived two years ago was that an ERM model was already in place, along with a more global perspective about risk. Not having to develop that perspective among leaders and colleagues was a real plus for me. This engagement with and understanding of the role of information technology made my life easier. I believe that being a part of a designated ERM project group and reporting to executive leadership as a team is how to do this well.
Regarding hard organizational structure lines, this really depends on the culture of the institution. At LSU, having a combined organization worked well. But this structure is not necessary at UK because we work so collaboratively to solve issues as partners. Of course, at UK we all report to the same boss (Executive VP for Finance and Administration), so that's a big advantage. Whether that same boss is an executive VP, the provost, or the president/chancellor, at the end of the day, you all are working toward the benefit of the institution.
Voss: What advice do you have for CISOs and CIOs to help other campus executives understand the risks—specifically the IT-related risks—faced by their institutions?
Nichols: Campus leaders need to be provided with the hard facts about things like security incidents and also business continuity (resulting from disaster recovery). For example, one could cite the news of recent security events (e.g., Facebook, the Equifax breach, or other significant data breaches in higher education). Let leaders see that the institution could be hugely impacted by a failure to address risks related to information technology. And at this point everything we do is IT-enabled and thus subject to IT risk. Don't go into details—just show the "things" that are out there. And the more you can do with simple graphics rather than wordy reports, the better will be the results. Pictures truly are worth a thousand words.
These leaders are very concerned. What you're doing is informing them and enlightening them about the risks that are of critical importance to their institutions.
Notes
1. Brian D. Voss, "Hoisted by My Own Petard," EDUCAUSE Review, July 16, 2014, and "Risk and Compliance: The Threat of Mission Not Accomplished," EDUCAUSE Review, December 6, 2013.
2. Michael Hites, George Finney, and Joseph D. Barnes, What Board Members Need to Know About Cybersecurity (Washington, DC: AGB, 2018); Michael Hites, "Talking to Your Board About Cybersecurity," EDUCAUSE Review, June 11, 2018.
3. Quinn Norton, "Everything Is Broken," The Message, May 20, 2014.
Brian D. Voss consults on leadership and information technology in higher education. He served as CIO at LSU and the University of Maryland and held interim CIO positions at Case Western Reserve University and Clemson University.
Brian T. Nichols is the CIO at the University of Kentucky (UK) in Lexington.
© 2018 Brian D. Voss and Brian T. Nichols