EDUCAUSE community members offer cybersecurity and privacy perspectives on the 2023 Top 10 IT Issues.
Since 2016, information security has been at the top of the annual EDUCAUSE Top 10 IT Issues lists. This year is no exception. The #2 issue is Privacy and Cybersecurity 101, defined as "Embedding privacy and cybersecurity education and awareness in the curriculum and in the workplace." Four members of the Higher Education Information Security Council (HEISC) Advisory Committee offer their perspectives on this issue, including its impact on the institutional culture and workforce and its possibility for success.
Chief Privacy and Data Protection Officer, University of Texas System
Security IT Analyst, Duke University
Program Manager, Security and Identity, Internet2
Chief Information Security Officer, University of Delaware
What demands will privacy and cybersecurity education and awareness make on the institutional culture, and how might the culture need to change for this issue to be successful?
Blanton: Institutional cultures vary largely within a single campus and are typically long-standing cultures. To implement a successful and long-term cybersecurity and privacy education, an institution must include stakeholders who can effectuate change and understanding among varying cultures at the institution. A successful collaborative approach will do wonders for institution-wide buy-in and long-term program growth. But bringing necessary stakeholders together is a large demand for any institution and will take careful planning for, selection of, and education about the underlying issue. Support for embedding cybersecurity and privacy education should also be visible from the leaders of the institution. Cybersecurity and privacy concepts are not a new part of our day-to-day lives; educating and empowering the next generation for their own cybersecurity and privacy is vital and should be considered alongside any core offerings of the institution.
Lewis: Embedding privacy and cybersecurity education and awareness in the workplace demands engagement from all levels of the campus community, from the president to students. All constituents have a unique part to play in creating and maintaining a culture to successfully embed privacy and cybersecurity education in the workplace. Institutional change will be an evolution from the cybersecurity team chasing alerts to integrating privacy and cybersecurity into campus governance for risk-based decision-making and business operations. Cybersecurity and privacy teams will need to change to focus on enabling the campus, and campus constituents will need to change to focus on embedding cybersecurity and privacy risk into their decision-making. This need for change accelerated during the COVID-19 pandemic and is still working through many campuses as part of their digital transformation.
Gallman: It is beneficial for faculty, staff, and students to have a better awareness of why cybersecurity and privacy matter not only in their campus life but also in their personal life. We must get past a mindset of "compliance-based" training and advocate for better awareness options. To do that, the primary advocates for this effort must be as close to the top of the institutional leadership structure as possible, and the campus dialogue must extend beyond the campus cybersecurity and privacy offices and leaders. Since the privacy and cybersecurity landscapes are constantly changing, this effort should be ongoing and should evolve to benefit our communities.
Weisskopf: Every organization believes it has some unique feature that makes it different from others. However, the risks we face are not unique, and attacks are successful against a wide variety of targets. Our culture needs to accept that we are not unique. The problems we see in the news about other organizations can, and will, happen to us in higher education if we do not develop our capabilities.
What demands will privacy and cybersecurity education and awareness make on the institutional workforce (administrators, faculty, technology staff), and what supports, skills, and competencies will the workforce need in order to make this issue successful?
Lewis: This change will demand additional workforce training and responsibilities around cybersecurity and privacy so that the institutional workforce can be part of the extended team, creating a force-multiplying effect for the cybersecurity and privacy teams across campus. The institutional workforce could develop into the first point of engagement and reach out to the cybersecurity and privacy teams to support their efforts. The workforce would need to understand more about cybersecurity and privacy for this to work effectively, which could require more training, documentation, and policies to support the change. This could work in alignment with distributed enterprise risk management, where the appropriate data owner could manage risk with the support of the cybersecurity and privacy teams. This massive change will elevate the work of the cybersecurity and privacy teams to the board level, if it's not already part of that engagement.
Gallman: We are seeing increased requirements from governments, regulatory bodies, and data providers to require ubiquitous and ongoing cybersecurity and privacy training. Two challenges will be (1) developing and providing content that is interesting, is applicable to faculty, students, and staff, and is easily updated as issues evolve; and (2) developing and providing content-delivery and completion-tracking options that enable the community to access and complete training. Training content must emphasize what we need to know for the data that we handle in our day-to-day work. At each level of management, this will need to be a priority focus for teams and a metric of success, with accountability up to the next level. Having an understanding and knowledge of data privacy will benefit our communities and enable them to make good decisions for handling data.
Blanton: The knowledge, variety of experience, and forward-thinking ability of the workforce are the keystone to ensuring that a valuable, scalable, and realistic cybersecurity and privacy curriculum is implemented and maintained. The institutional workforce implementing the curriculum will need up-to-date, cutting-edge professional development, ongoing training, and on-the-ground experience in the relevant areas of cybersecurity and privacy. The maintenance of relevant experience and expertise requires a strong financial backing, which an institution may need to increase to support a well-rounded curriculum. Teaching the general concepts of such a dynamic area is no longer enough to truly provide the next generation with the skills necessary to approach cybersecurity and privacy in our data-driven world. We all need to acutely understand the future workforce that students will be walking into.
Weisskopf: The workforce is going to have to become accustomed to and accepting of change. Our processes, procedures, and technologies must be adapted to become fault-tolerant. Our biggest educational focus needs to be on adapting to processes that, when mistakes are made, are not disastrous on their own.
If you had a magic wand and could change just one thing—anything—about higher education or the world around us to make privacy and cybersecurity education and awareness succeed, what would it be?
Gallman: Instilling a culture of cybersecurity and privacy in an institution can be a daunting prospect. Success is predicated on a blend of technology (e.g., data tagging, DLP, secure storage, monitoring), awareness (e.g., classes, resources, training, and curriculum), and a strong culture led from the top (e.g., provost, president, faculty senate, deans). If we can change only one thing, we must have the commitment from leadership and our community to educate everyone about privacy and cybersecurity issues. This will require that topics be developed and integrated at all levels and in applicable existing curriculum, training, and awareness channels.
Blanton: Cybersecurity and privacy issues are at a very precarious place right now. Our society has suffered so many breaches that we have become desensitized, in a sense, to these events at a time when they should be top of mind and top of priority in our budgets, our ethos, our mission statements, and our commitments to the next generation. The danger of allowing a passive outlook on minding our own privacy and requiring more privacy protections and data minimization of our world is that doing so will lead to the erosion of our basic rights to privacy. I would love for there to be a sea change in higher education's approach to data in general and to identifiable data more specifically. I would like to see cybersecurity and privacy as core classes not only in higher education but also in secondary schools.
Weisskopf: The purpose of our education and awareness efforts is to reduce mistakes. A magic wand is a powerful item, which I would use to eliminate mistakes. No more mistyped email addresses, accidental attachments, or inadvertent clicks. No more configuration errors. No more accidental deletions or lost devices. No more use of products for purposes they are not suitable for.
Lewis: If I had a magic wand and could change just one thing about higher education and research institutional culture, I would change the campus IT organizational role. If the IT organization has only an operational role, I would change it to include a consultative and strategic role as part of its primary mission to advance digital transformation. This move could include the IT organization being integrated into the decision-making around technology, cybersecurity, and privacy; institutional culture could engage and prioritize cybersecurity and privacy the same as is done for other major projects that are part of the digital transformation on campus.
Nichole Arbino is Communities Program Manager for EDUCAUSE.
© 2022 Cristina Blanton, Jay Gallman, Nick Lewis, Andy Weisskopf, and Nichole Arbino. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.