Cybersecurity as a Core Competency is issue #1 in the 2024 EDUCAUSE Top 10.
"Upgrading our cybersecurity capabilities to make sure we secure our various different platforms and servers and so on against the potential cyberattack is an increased priority for us."
—S. David Wu, President, Baruch College, City University of New York
The importance of cybersecurity is unchanged. What keeps this topic consistently among the EDUCAUSE Top 10 every year is a continually evolving threat landscape and technological advancements that require institutions to stay proactive, agile, and adaptable in their cybersecurity practices. Higher education is not unique; cybersecurity is an ongoing threat across all domains and industries.
Several developments are worth paying attention to in 2024. Institutional systems and users handle larger volumes of data than ever before, and data continues to diffuse across solution providers and throughout end users' locations and devices. The COVID-19 pandemic began three years ago, yet many institutions are still struggling to incorporate and adapt to pandemic-era expansions of remote and online learning and working and to increased work schedule flexibility. The transformative impact of AI is only beginning. It has tremendous and still poorly understood potential, not only for operations, education, and research but also for cybercrime.
National and state government leaders are concerned about cyberthreats to assets and individuals and are introducing and expanding consequential regulations to help address them. That leaves higher education legal counsels and risk and cybersecurity leaders struggling to anticipate, adapt to, and afford the impact of such regulations. Cybersecurity and data privacy regulatory frameworks are often intermixed and interdependent, adding to the complexity of ensuring institutional compliance with either. Part of the struggle in the United States is that its "dual federalism" creates national laws and fifty separate state laws that sometimes compete when it comes to data privacy. In the United Kingdom, government agencies are struggling to develop the next stage of cyber accreditation and assurance. Despite this, strategically led institutions will treat cybersecurity as a core competency. They will ground decisions and investments in a risk management approach that fits institutional resources and values and ensure that policies, training, and practices keep up with changing threats and regulations.
Effective cybersecurity is necessary for access to research funding, recruitment of international students, and partnerships with commercial organizations. It also fosters students' privacy and a safe learning environment. Ongoing cybersecurity activities like audits or penetration tests can lead to a much better understanding of institutional assets and vulnerabilities before, not after, bad actors discover them. Cybersecurity practices are intertwined with general digital dexterity, and so investing in training can help students and staff improve their digital skills while also learning how to better protect data, devices, their identities, and the institution.
Ultimately, instilling cybersecurity as a core competency can build trust in the institution among students, alumni, funders, partners, staff, and the communities served.
This is a financial tsunami. Data breaches in "the higher education and training sector" cost an average of $3.7M in 2023.[1] Even a medium-sized attack has the potential to cost millions of dollars in data protection, business resumption, and legal costs.
You don't have to do this alone. Institutions can and perhaps should work in partnership. They needn't run their own security operations center (SOC). Outsourcing and shared SOCs are both viable options.[2]
Silos hurt us all. Stakeholders include not just IT, privacy, and cybersecurity but also procurement, legal, and others. These groups need to work together when drafting agreements with cloud and software providers.
Keep cybersecurity on the agenda. Institutional leaders must have an ongoing understanding of the institutional cybersecurity risks. This effort will be most difficult—and most critical—at very decentralized and diverse institutions.
Beware of shadow IT. Faculty and administrators throughout the institution will acquire or even develop solutions without engaging the IT department. Technology and cybersecurity professionals need to initiate and encourage open and honest dialogue with faculty and departmental colleagues. This will give end users the opportunity to explain their needs and help technologists offer security- and privacy-focused solutions that protect data and the institution without hindering innovation, productivity, and creativity.
Understand the trade-offs. Institutions will be able to navigate this issue most effectively by adopting a risk management framework that fosters mature and informed conversations about risk and that helps leaders balance risk versus opportunity versus cost.
The Key to Progress
Treating cybersecurity as a core competency engrains the necessary activities and investments into the institutional operating model and culture. Protecting data and privacy is no longer seen as an occasional rush to remediate and comply but instead as an ongoing and continuously evolving practice.
From Strategy to Practice
What You're Saying
"Monitoring is key. Updates and controls are key. Software development and best practices are key."
"Balancing Cost and Risk = our current issue. The state system can't seem to understand that its security mandates require additional funds that institutions just don't have right now."
"Cybersecurity investments have been going on for some time. The posture is to invest only in proven technologies that are moderately priced."
"We're doing everything we can, but this seems to be a losing battle."
"Our ISO and CIO are phenomenal in this area. The investment is in doing meaningful work."
"Rockefeller University is treating cybersecurity as a counterintelligence problem and is leveraging intelligence analysis as part of risk analysis."
"Tampere University in Finland is changing the funding model for cyber: from projects to product, i.e., allocating a fixed pie from the budget to cyber on a continual basis."
"Missouri State University performed an enterprise risk assessment last year and identified cybersecurity as the #1 potential risk for the university. This allowed us to raise awareness for all employees and have conversations with our Board of Governors about potential threats that might impact the university. It also provided a catalyst to continue to make infrastructure improvements and partner with a third-party incident response team."
"Niagara College in Canada is participating with others in collaborative approaches where possible to share expertise in many areas of cybersecurity. We do this through our NRAN and local RAN for consistency. We have also been doing group training in cyber topics with other higher education institutes to save costs."
"The University of Arizona has a robust security assessment process that more than 90 percent of campus IT participates in. In the coming year we are adding security review processes and also beginning to roll out centralized secure services for infrastructure that presents the highest risks. Lanita Collette is both our CISO and Deputy CIO over foundational technologies. This combined role makes it much easier for the University of Arizona to align infrastructure efforts to address security concerns."
Darcy Van Patten
What You're Working On
Comments provided by Top 10 survey respondents who rated this issue as important
Data definitions, classification, management, and quality
- Created the university's first-ever Data Classification Policy.
- Having discussions surrounding this topic and practicing good communication. Ensuring Central IT obtains proper permissions before distributing data. Aiding in an institutional Data Dictionary to help high-level administrators understand the particularities of our data and the definition of data elements.
- At some universities, balancing cost and risk is crucial to cybersecurity strategies. Some have a cybersecurity strategy and have deployed the National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO 27001 to guide their cybersecurity practices. These frameworks provide guidelines and best practices for assessing and improving the cybersecurity posture.
- Elevating information security to the institutional level, via a three-year ISMS project based on ISO 27000 and 27001.
- Moving to a new NIST framework.
- We have instituted the NIST framework to track our work in cybersecurity.
- Institutional effort to increase compliance with existing regulations and documenting data-security plans for each department.
Major priority / comprehensive initiative
- Major initiative to implement a five-year plan; currently in year two.
- Making all kinds of investments—by far the top priority. Big investments in border firewall, Microsoft A5, MFA, extensive mandatory employee cybersecurity awareness program, annual CSAT self-assessment and mitigation program.
- Employed SSL inspection, experienced rapid staff growth, and increased the number of audits to mitigate risks and penalties associated with noncompliance, effectively balancing the cost and risk of cybersecurity. These measures enable the university to proactively identify and address potential vulnerabilities, ensuring a robust cybersecurity framework while minimizing financial and reputational risks.
- One of our five strategic goals developed last year is "Secure, Private, and Accessible by Design." This encourages all efforts to consider these fundamental elements when implementing or building new technology. We have a rich product-evaluation process that leverages the EDUCAUSE HECVAT or our own assessment and is required in partnership with our Contracts and Procurement Department.
- Our Board of Regents and senior leadership identified cybersecurity as a major risk to the campus (in an institution-wide risk assessment). They have made a multimillion-dollar investment (recurring—not just one-time funds) to improve cybersecurity.
- Taking a multifaceted approach to continuously improve cybersecurity as a core competency. Security awareness campaigns, regular phishing campaigns, engagement with computer science faculty, partnering with faculty/student-managed SOC, align security practices and policies to cyber insurance providers and outside auditors, conduct independent audit every three years, implement the latest standards in identity and access control, threat detection, SIEM, firewall and network perimeter security, continuous communication with campus leaders and board of trustees on cybersecurity progress and areas of investment.
- We have made this a focus for improving our cybersecurity environment—numerous new activities including EDR/MDR, penetration tests, and statewide assessments to determine vulnerabilities and actively work on remediation.
- Our CIOs have prioritized cybersecurity as a key system-wide need. The goal is to identify a common baseline for all campuses and build from there with investment from the entire system.
- The CIO and ITS have made sure this is a top agenda item for the cabinet. There have been great discussions among leadership on the issue. And the campus is currently in the process of implementing managed, detect, and respond (MDR) tools. The cabinet decided the risk of an attack far outweighs the cost of an MDR. Hence, we are working with Arctic Wolf to help implement an MDR.
- This is the absolute top 1 priority right now. Money for this is available as much as we could ever wish. But money cannot buy us people who are able to do it all.
Risk assessment and management
- Developing institutional database of data, business processes, and partners to assess data-privacy risks.
- We launched our cybersecurity risk management team to begin to move our cybersecurity to a risk-based program that incentivizes non-IT ownership of cybersecurity risk.
- We take the approach of low tolerance for risk when possible. Redirecting savings to invest in cybersecurity.
- We use the FAIR (Factor Analysis of Information Risk) approach to risk assessment. Through that, we seek to achieve balance.
Staffing and outsourcing
- After an RFP search for proposals, we selected a company for an Information Security Ops Center (ISOC) to provide 24/7 alert monitoring, notifications, and immediate action, if needed, by a team of cybersecurity engineers.
- Partnered with Oculus IT to monitor our security environment 24X7. Very affordable and covers all risks on all services including hosted services such as M365, Google, AWS.
- Adoption of SOC services. Implementation of robust identity management capabilities.
- The college has made significant strides in cybersecurity and also has made solid investments. Most recently the college acquired vCISO services from a partner that will provide a number of services as part of this engagement.
- This continues to be a challenge that is a high priority. Having a virtual CISO from an outsourced company and their SOC services has elevated our own attention to detail to a level that is far better than before, and we have been working on remedying all identified issues.
- Creating additional IT positions and investing in vCISO services.
- Engaged an outside-the-organization virtual IT security officer. Conducts security assessments and guides the development of plans and processes.
- In an environment of cost-cutting and staff layoffs, ICT was restructured with a brief to cut costs and reduce headcount but to make some provision for strategic growth into the future. Cybersecurity was one of the few functions whose headcount increased, and the CIO became the CTO & CISO (joint role). So, we now have an executive whose role is (at least partly) focused on cybersecurity. My (also new) position includes risk, and I am working very closely with the director of cybersecurity to establish the policy and risk frameworks to align with our chosen cyber framework (NIST CSF).
- One of our IT divisions set up a CSIRT (Computer Security Incident Response Team) to respond to cybersecurity incidents and is starting an ISMS (information security management system) program.
- We've put in place a university-wide cybersecurity working team. This is important because we have five semi-autonomous campuses located in different countries. This cross-campus team is intended to work closely with our chief privacy officer (the university data protection officer) to address privacy issues, including those having to do with cybersecurity.
- Implementation of automated detections and actions to improve responsiveness of cybersecurity incidents without adding more staff.
- Increased investment in cybersecurity tools, especially tools to aid distributed IT units.
- Leveraging A5 Microsoft licensing to implement every tool possible that is included with our subscription.
- Massive security-improvement measures implemented: MFA, SIEM, security consultancy for pentests, ISO 27001
- Moving from a reactive to a more proactive posture, including the ongoing deployment of cybersecurity monitoring tools and methods.
- We are working toward a consolidated cybersecurity tooling strategy (away from best-of-breed) to provide better visibility and analytics while reducing system management effort.
- We have implemented a new MXDR (Managed Extended Detection and Response) environment with a trusted security vendor.
- We have really worked to get the most out of our MS tools, pushing our staff and faculty to be a bigger "fighter" in the fight, and provided free tools to protect home and provided equipment.
Training and awareness
- We will be working on ways to increase security training and awareness this year.
- Improvement in securing the human using a vigorous information security awareness training program.
- We are actively promoting cybersecurity awareness in our campus community by exploring a promising platform that creates short, five-minute videos on the subject. These videos are more effective than the longer, thirty-minute videos found on other platforms.
- Training, awareness, and constant vigilance by our InfoSec group—and then sharing the information and the impacts and risks with the population really drives the point home! We employ quarterly phishing tests, and we're constantly hardening and improving our security standards, practices, and implementations.
Zero trust architecture
- Evaluating zero trust architecture with an eye toward implementation.
- Moving to zero trust model.
- Zero trust architecture roadmap; board-level security group.
- We will be holding a ransomware tabletop exercise and expanding our use of MFA toward a zero trust model.
- Security-as-a-Service offering providing "full stack" cybersecurity services to any interested campus in the system. Security services include cyber-defense, GRC, and awareness.
- A dashboard for all forty IT units with up-to-date security metrics to include security software deployment and vulnerabilities.
- Using risk-based strategies to get the best improvement for reasonable costs. (Hence, not buying every gadget, tool, or system but critically evaluating the approach, improvement, etc.).
- We try to improve our security posture each year. For the size of our budget and institution, we are limited financially on what we can afford so we try to promote awareness as much as possible and tackle small improvements as best we can.
- We now have cybersecurity insurance, which required us to further strengthen our security processes.
- Creating ransomware playbooks.
- Cybersecurity remains the number-one enterprise risk for the university, so following up on strengthening our defenses (i.e., continuing to deliver projects on the cyber-roadmap) and educating our community will be top priorities in the coming year.
- Building a secure research environment with Microsoft Azure and enhancing endpoint security with Azure Virtual Desktop.
- Partnering with the academic side to help our students develop experience with real data by working in our security team and doing capstone projects. Enable industry certifications for our student workers.
1. Natalie Schwartz, "Data Breaches Cost Higher Education and Training Organizations $3.7M on Average in 2023," Higher Ed Dive, August 1, 2023.
2. Security Operations Center (SOC) Case Study, HEISC Working Group Paper (EDUCAUSE, June 2019).
Vipin Ahlawat is Director of IT Services, Loughborough University, United Kingdom.
Brian Henderson is CIO, Director of Digital and Information Services, University of Aberdeen, United Kingdom.
Ioannis Salmatzidis is Director of IT, Aristotle University of Thessaloniki, Greece.
Standish Stewart is Vice President and CIO, ITS, Cuyahoga Community College.
© 2023 Susan Grajek and the 2023–2024 EDUCAUSE Top 10 Panel. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.