Accumulating pressures on higher education have created an inflection point requiring two new cybersecurity operating models.
I can't claim that I was "there" when cybersecurity was finally recognized as a discrete branch of higher education operations. I have, however, been involved in cybersecurity in the higher education and health care fields for about fifteen years—long enough to have witnessed some evolutionary changes. Recently, I have been particularly interested in understanding the different elements that contribute to the current situation in higher education: a sense that colleges and universities aren't making much progress in their quest to improve their cybersecurity postures. Of course, the journey, budget, size, and complexity of every institution are different, and some institutions have surely improved their positions. But the conversations I have had at nearly every cybersecurity conference, panel discussion, and social event lead me to believe that, overall, things are not getting better. In fact, I sense that higher education is losing ground. Below are some observations that led me to frame new operating models to help colleges and universities pedal once again on more solid ground.
Current Realities and Pressures
Myriad elements have contributed to the current situation, but the following set of realities—and their corresponding pressures—are having the greatest impact on the cybersecurity posture of higher education institutions:
Attack Landscape: News stories about cybersecurity attacks, incidents, and breaches bombard our email inboxes daily—and sometimes hourly. A recent survey conducted by Sophos revealed that ransomware hit 64 percent of higher education institutions globally in 2021, and that percentage is expected to continue to trend upward.[1] A survey conducted by CrowdStrike tracked the effect of these attacks. The survey identified 2,686 data leaks related to ransomware attacks reported in 2021, compared to 1,474 the year prior, a staggering 82 percent increase.[2] The attack landscape is expanding, and it is becoming more sophisticated.
Talent Gap: By many accounts, "the great resignation" was a result of the COVID-19 pandemic; however, a talent gap in the cybersecurity sector (in all IT-related jobs, really) manifested much earlier. The pandemic exacerbated the magnitude of this gap. In 2018, Cybersecurity Ventures, which tracks the cybersecurity job market, projected a 350 percent increase in the number of unfilled positions globally by 2025. That translates to a staggering 3.5 million jobs, with around 465,000 in the United States alone.[3] According to more recent data from Cyber Seek, there were 714,000 cybersecurity job openings in the United States in July 2022—30 percent more than the Cybersecurity Ventures prediction for 2025. California, Texas, Virginia, and Florida have the highest number of openings.[4] The message is clear: Every able or available cybersecurity professional is wanted, and there are not enough of them to cover all available posts. The massive disparity between talent supply and demand has caused wages to increase exponentially, leaving the education sector vulnerable to a mass exodus of tenured, qualified staff to other industries that may be able to offer improved working conditions and compensation.[5]
The talent gap pressure seems to be the most influential element in motivating organizations to find more efficient ways to operate their cybersecurity units.
Cyber Insurance: Cyber insurance, or cyber liability insurance, protects institutions from the impact of a cybercrime but not from the crime itself. Over the last fifteen years, cyber insurance policies have evolved to include both first- and third-party coverage. First-party coverage relates to the direct costs of responding to the attack: forensic fees, legal fees, customer notification fees, PR fees, etc. Third-party coverage relates to the costs associated with lawsuits. As with all types of insurance, the cost of underwriting a policy is directly tied to the insured party's risk exposure.
However, the cyber insurance industry has recently been adapting to a new set of conditions. For example, insurers' payouts are "rising faster than the income from premiums: the industry's loss ratio has risen for the last three consecutive years, rising to 72.8% in 2020*. (Loss ratio is insurance costs divided by total earned premiums. For example, if a company pays $80 in claims for every $160 in collected premiums, the loss ratio would be 50%)." The increase in loss ratio is due to the cost of remediating a ransomware attack.[6] These costs increased 140 percent from 2020 to 2021 (from $0.76 million to $1.85 million). Of all the industries surveyed, higher education has the highest ransomware recovery cost: $2.73 million.
The insurance industry has reacted to this revenue loss trend in several ways. Carriers are exiting the market, rates are increasing, and requirements are becoming more stringent.[7] In its 2022 Cyber Market Conditions Report, Gallagher projected that policy premiums would increase between 100 percent and 300 percent for organizations that do not have "best-in-class" security controls in place.[8] And if those controls are not in place, insurance carriers may decide not to underwrite the policy at all.
Colleges and universities are taking different paths to address the challenges associated with these three pressures. For some institutions, the paths are independent, while for others, the paths intertwine or overlap. The cumulative pressures of the attack landscape, the talent gap, and cyber insurance rates are constant and crushing and, when combined with other circumstances, can force a college or university to close its doors permanently.[9]
New Operating Models
The accumulated pressure described above is the result of a traditional cybersecurity approach. This pressure has created an inflection point that requires changes to both the organizational structures and the technical architectures of higher education cybersecurity operations. These changes can be accomplished through two new cybersecurity operating models.
The Utility Model: Consider electricity, water, sewer, and gas. We typically rely on others to deliver these critical services because they can do so better than we could. "Better" includes continuity of service, efficacy, efficiency, consistency, predictability, and cost.
Now consider a single functional area of a cybersecurity practice, such as detection and response—a cornerstone of a healthy cybersecurity operation. A typical detection and response operation will, for many organizations, direct logs from various tools to security information and event management (SIEM) software so that an operator can read telemetry from the SIEM and act. In many cases, this is not a 24/7/365 operation; not all logs make it to the SIEM all the time, and not all logs from all possible sources are correlated.
By leveraging a utility model instead, an organization can assess all functional areas of its cybersecurity practice. In a utility model, an organization would identify the functional areas that lack available qualified staff and transfer responsibility for those areas to others who can perform this work "better" (as defined above) than the internal team. When those criteria are met, the functional areas in need can be turned over to external partners or providers.
The utility model has the following benefits:
- Obviates the struggle to find qualified staff in an overly strained job market
- Removes significant risk associated with operating functional areas at less-than-minimally optimal levels (e.g., only during business hours or only using telemetry from some tools)
- Allows for some risk-sharing associated with operating a functional area with the chosen (and properly vetted) partner or provider
Monitoring and detection are perhaps the most natural functional areas to turn into a utility, but others, such as response and compliance, would also work well.
The Cybersecurity Fabric Model: Cybersecurity is best instantiated using a layered model; some practitioners even use the analogy of a multilayer cake to illustrate this point of view. Over time, however, an increasing set of acronyms for new technologies is added to the cake: EDR, XDR, CASB, SIEM, PAM, NAC, and so many more. The added layers raise a few simple, foundational questions:
- How many layers are too few or too many?
- How do the layers work? Are they independent, or do they work together cohesively?
- Are there enough eyes to monitor every layer?
- Is there some "icing" keeping the layers together? What makes the cake look unified?
To me, the last question is the most provocative and has the greatest potential impact on higher education cybersecurity operations. What if the icing is—potentially—more important than the layers of the cake? And what if the way the parts fit together is more critical than any one specific part? A "fabric" like this could describe how the different parts of a system work together to form a single entity. From an architectural perspective, then, the number of layers would matter less, and how the layers are integrated and connected to give the sense of being a single entity would matter more. This concept can be made less elusive and more practical by considering the following characteristics, which must be present for a "fabric" to be formed:
- Elasticity: the ability to expand or contract in size and scope
- Extensibility: the ability to add capabilities as they become available
- Interoperability: the ability to interconnect dissimilar capabilities
- Transactional speed: the ability to produce actionable telemetry in near real time or real time
- Unified manageability: the ability to monitor telemetry sent by the many layers from a single point
- Automation/orchestration: the ability to define and execute reflexive action automatically
A "cybersecurity fabric" could be formed using an existing platform at the core, where the platform supports the characteristics outlined above.
The Path Forward
Cyberattacks are coming fast and furious, and they will not stop. Cybersecurity departments will keep getting slimmer as the education sector, unable to compete in flexibility and compensation, continues to lose qualified talent to other industries. Cyber insurance costs are growing exponentially year over year, and carriers are simultaneously exerting pressure on colleges and universities to spend more money and put more effort into improving their security posture. But without these improvements, policies may not be issued, and higher education institutions will be exposed to the full cost of remediating cybersecurity incidents, which is currently around $2.7 million per incident.
If these pressures are a natural result of the traditional higher education cybersecurity operating model, what would change look like, and how will it happen? By identifying opportunities to shift toward the utility model for certain functional cybersecurity elements, an organization can intrinsically improve its security posture through a shared risk model with external providers. And by redefining its cybersecurity architecture and adopting a cybersecurity fabric model, an organization can unify operations to resemble a single cybersecurity entity instead of many disconnected and dysfunctional layers.
Except for the talent gap, all of the elements described in this article apply as readily to almost any other industry as they do to the education sector. Few sectors have the financial means and flexibility to create the conditions to attract (and maybe extract) talent from other industries. For those that don't have the means, the utility model and the cybersecurity fabric model can be used to respond to the inflection point affecting all industries.
Notes
1. The State of Ransomware in Education 2021, white paper (Abingdon, UK: Sophos, July 2021).
2. Kristal Kuykendall, "CrowdStrike Report Shows 2021 Ransomware Data Leaks Doubled in Education Sector," THE Journal, February 15, 2022.
3. Cybersecurity Ventures, "Cybersecurity Jobs Report: 3.5 Million Openings Through 2025," news release, November 11, 2021.
4. Cyber Seek, Cybersecurity Supply/Demand Heatmap, web page, July 2022.
5. Jim A. Jorstad, "The Great Exodus: Is IT Talent Leaving Higher Ed?" Government Technology, September 20, 2021.
6. Sophos Guide to Cyber Insurance, white paper (Abingdon, UK: Sophos, September 2021); *Calvin Trice and Kris Elaine Figuracion, "Cyber Insurers Hike Rates, Tweak Coverage as Loss Ratio Rises Again in '20," S&P Global, June 1, 2021.
7. Guy Simkin, "Here Is Why Cyber Insurance Premiums Will Increase in 2021," Cyber Insurance Academy (website), May 10, 2021.
8. John Farley, 2022 Cyber Insurance Market Conditions Report, research report (Rolling Meadows, IL: Gallagher, January 2022).
9. See, for example, Kris Holt, "A U.S. College Is Shutting Down for Good Following a Ransomware Attack," Yahoo Finance (website), May 9, 2022.
Hernán Londoño is Senior Strategist, Higher Education at Dell Technologies.
© 2022 Hernán Londoño. The text of this work is licensed under a Creative Commons BY 4.0 International License.