2025 EDUCAUSE Top 10
#4: A Matter of Trust

Back to main article

Regulations are increasing. Adversaries, both individual and state sponsored, want to steal research data and other academic intellectual property, as well as institutional constituents' personal information. Institutions have legal, reputational, operational, and ethical reasons to protect students, faculty, staff, alumni, and others. Protecting data is protecting people. But openness, sharing, and collaboration are bedrock values of higher education. Not all data needs to be protected with equal stringency, and faculty and administrators very much want data to be as accessible as possible to students, the public, and other stakeholders. We build trust as much by the information and knowledge we share with others as by the data and information we protect and withhold.

The Promise

Focusing on trust. The use of the word "trust" opens up the opportunity to have important and difficult conversations with outside parties that move beyond individual cybersecurity and privacy tactics. Those tactics are critical, but there's a larger concern about whether institutions are trustworthy. The world is experiencing a crisis of trust. Public trust in higher education used to be very high, but it's slipped along with almost every other sector.^Footnote1 Reframing the work around cybersecurity and privacy to be a matter of trust provides an opportunity to demonstrate institutions' understanding that by protecting privacy and safeguarding data, they are protecting and valuing people. That, along with affordability and attainment reforms, can help institutions regain people's trust.

Building trust by valuing privacy. Other industries have invested far more in analytics resources and data infrastructure than higher education has. They are using customer and constituent data to persistently and aggressively promote, price, and improve goods and services. Although limited resources are a big reason higher education is behind in leveraging data, another contributing factor is that higher education places a higher value on privacy than the business world does.

Building trust by safeguarding data. Higher education is a source of valuable data—from research data to individuals' financial and personal information. Institutions that can keep pace with threat vectors by protecting digital assets, ensuring constituents have the knowledge and resources to avoid hacking, and responding quickly and thoroughly to inevitable breaches will not just be protecting data. They will be increasing and preserving the community's trust.

Maintaining and getting federal funding. For institutions to continue to receive research funding from federal agencies, the U.S. government requires that they handle that data appropriately, including—for some types of funding—implementing a cybersecurity program consistent with the appropriate federal cybersecurity framework, such as the NIST 800-171 .

Attracting and retaining students. Students need confidence that their institution cares about them. Protecting students' privacy is one way to demonstrate that. Consequently, faculty and administrators need to be able to show that they're managing students' data and their privacy effectively.

Improving institutional services. The work of auditing and improving data flows, access, and storage can be paired with efforts to improve business processes and user experiences. An end result of this broad rethinking of how institutions do business will be increased cybersecurity, more privacy, and a better experience for faculty, staff, and students.

The Key to Progress

Common ground across our industry could make all the difference. Common ground would consist of a common means of expressing the degree to which higher education institutions are trustworthy; a common understanding of the importance of data, information, security, and privacy; and shared solutions. The Higher Education Community Vendor Assessment Toolkit (HECVAT) has become a useful common tool to evaluate solution providers' cybersecurity (and soon privacy) practices against multiple standards and regulatory requirements. Having some counterpart that is framework agnostic (or inclusive) that institutions could use to express their trustworthiness to external parties could prevent each individual institution from having to figure out how to do this on its own. This would also give presidents and boards a comparative standard to help them make better decisions about funding privacy and security programs. Shared solutions are another form of common ground. Shared solutions are more affordable, especially for smaller institutions with limited ability to fund cybersecurity sufficiently. They also enable institutions to respond to threats more rapidly, which can make all the difference. Smaller institutions can also share staff to ensure 24/7 coverage and gain access to specialized expertise.

QuickTakes

Don't fall off the mountain. Under protecting data exposes institutions to potential theft and to legal and reputational risk. But overprotecting data can stymie research, teaching and learning, and even business processes. It also costs more in terms of time and money. Try to stay on top of the security and privacy mountain by focusing on the most critical, sensitive data and the protections that will help the most.

Balance infrastructure protection with policy enforcement. Cybersecurity professionals need to translate compliance frameworks into technical protections and policies and procedures. They also need to help the institutional community understand and do their part to comply with policies. Protections, policies, incident management, and training are all important. But they collectively take more time than staff actually have, so cybersecurity leaders have to ensure that their staff carefully balance each of these needs.

Hire or develop staff. Cybersecurity and privacy skills are highly sought after, and most institutions can't match the pay of other industries. Training up staff internally can help expand the talent pipeline. Hiring managers should emphasize the satisfaction of working in an industry with a noble mission and play to the strengths of their institutions, which might include retirement benefits, paid time off, location, job security, flexibility, and a community of learning and caring.

Mature the decision-making culture. Decision-makers in highly decentralized institutions may use their authority to make risk-based decisions about security and privacy that conflict in ways that increase institutional risk and inhibit enterprise-wide data sharing. Even in cultures where decentralization is prized for good reasons, institutional leaders must work to ensure that unit leaders and IT staff make decisions consistently and in a reasonable amount of time.

Major research universities are major targets. Although these universities have larger staff, they also have more complex organizational structures, more diverse and distributed data, and more research activities and external connections. Research universities with health systems have an added layer of complexity, compliance requirements, and risk. All this makes these institutions much more lucrative targets—and much more challenging to safeguard.

Take a risk management approach. Everything is growing: data, its uses, its users, locations of use, hacking techniques, tools to safeguard data, and compliance requirements. This is making the cost and complexity of cybersecurity and privacy programs unaffordable. Leaders should take a risk management approach to cybersecurity and privacy investments: quantifying the impact and likelihood of risks, determining costs of preventing them, and funding the solutions that will most help protect the institution and community.

Overtrain and overcommunicate. Individual users are the weak link. A single mistake by a single person is often the vector for a major data breach. Training and communication sound like meager methods compared to technology solutions, but they are essential.

Ask Yourself

How can higher education develop a unified, trust-centric approach to data management that balances protection and accessibility, addresses resource disparities, and positions the sector as a leader in ethical data practices?

The Bottom Line

By framing data privacy and security challenges around trust, institutions can move beyond mere compliance to create a culture that values and protects data while fostering innovation and knowledge sharing.

Data Point

The results of a McKinsey survey of more than 1,300 business leaders and 3,000 consumers globally suggest that "establishing trust in products and experiences that leverage AI, digital technologies, and data not only meets consumer expectations but also could promote growth." In addition, "forty percent of all respondents report that they have pulled their business from a company after learning that the company was not protective of its customers' data. This rate increases among . . . Gen Z respondents."^Footnote2

From Strategy to Practice

What You're Saying

"Our state has an additional requirement to FERPA/HIPAA, and we can't really flub privacy on anything."

"Security . . . security . . . security. This will always be first and foremost. We remain vigilant in our efforts to educate staff and students. We feel we are hitting a point of diminishing returns when it comes to training, and we continue to invest in the RIGHT technology to augment our strategy."

"Perhaps this is our top focus in this ever-increasingly dangerous world. Bad actors are constantly attempting to gain access to PII for misuse. We have invested heavily the last two years in bolstering our ISO function with personnel and tools. But it is an arms race to be sure, and we will never get ahead. We are also preparing for an eventual incident, as such is inevitable. We must understand how to react and deal with such when the inevitable happens."

"This issue should read institutional and research data. They are not the same. We need to standardize on a framework that all can use to secure and demonstrate they have secured infrastructure. Then we can "vet" the infrastructure as trusted. This is one of my major areas of focus. It isn't new. I would say the top U.S. universities are already doing this, but what about the others?"

Solution Spotlights

"An expanded Privacy office under the chief data privacy officer."

Jeff Hollingsworth, University of Maryland

---

"Aligning initiatives with networking, endpoint management, information security, identity, and data access under a single "trusted access strategy."

Michele Decker, University of Notre Dame

---

"WCU shifted operational security from the CISO to our applications and systems department so the CISO could create an information privacy program that meshes with the information security program. Now the 'CISPO' handles GRC for both security and privacy with oversight of operational security."

Joel McKenzie, Western Carolina University

What You're Working On

Comments provided by Top 10 survey respondents who rated this issue as important

AI prep

• Looking to adopt better labeling for documents so that we can leverage our data for AI consumption.
• We are generating institutional guidelines for teachers, students, and the university community on the use of AI.
• Rethinking data governance while considering the great potential of AI has brought the need to formalize privacy as a campus capability while exploring ways to evolve IT security beyond compliance.

Assessment

• We performed a system-wide assessment of security and are revamping our security program and practices.
• We recently completed a third-party security assessment. We'll enhance our security awareness programming and automate many of our system updates.

Centralization

• A strengthened connection between our distributed unit and central infosec department to assess data and technologies.

Compliance

• Similar to the AI topic and based on key legislative obligations we have to meet.
• Implement BSI IT security standards.
• Working with global students has challenged IT to practice not only U.S. laws but also GDPR.
• Implemented required FERPA, information security, data management, retention, and other topics.

Continuous improvement

• Security policy review/update, policy changes/updates, communication training.
• Continue implementing processes, procedures, and products to support effective cyber and information security.
• We use a continuous improvement methodology to improve upon privacy and security, both of which are evolving fields that require significant resources.

Culture

• Focusing on our staff and students as key partners in security. Our technical walls and moats will not protect us alone.
• Developing a security culture with faculty, staff, and students puts safeguarding data at the forefront of all we do. This is embedded in orientation, ongoing training, and data access/sharing privileges.
• Continue to educate our people on why safeguarding data is important to the institution.
• More awareness about security issues; implementing changes to resolve potential issues.
  • Privacy and secure data are at the forefront of all of our technology initiatives. AI literacy and policy initiatives are underway.
• We are increasing our emphasis on security and have performed a user and cloud-based audit to help us achieve that goal.
• Trust continues to be at the forefront of all we do and ensuring that at all levels, individuals are thinking about how, where, as well as when sharing data is appropriate and when it's not. This will be done through continual communication via information updates, access, and policies.
• Established governance structures and communities of practice.

Data governance

• Cybersecurity and data governance are still top of mind.
• Data governance everywhere.
• Data governance is one of the most important pillars for us. Once we consolidate and secure, however, many other opportunities open to the institution.
• Moving toward MS Purview for data governance and privacy protection.
• Institutional data is always at the forefront of our planning process.
• Reducing unmanaged data silos and working with dedicated third-party trust actuators.
• We are using tools like Collibra and creating a systematized data governance structure that is institutionalized within the greater university along with its schools.

Falling behind

• Data security is crucial but under-resourced. We can't seem to move fast enough to keep up with government policies (NIST 800-171, NSPM-33, etc.), current and supported operating systems, as well as new technological threats.

Frameworks

• Implementing NIST 800-171 framework on all university IT systems to ensure compliance with IT security standards.
• We are implementing the HI-TRUST framework.
• We have completed the certification of our data centers based on information security and business continuity standards. Now our CISO is focusing on training users in critical information management points (e.g., e-student information system users) to leverage two-factor authentication and detect security vulnerabilities.

Identity management

• Increased emphasis on identity as foundational to security and privacy; development and implementation of a long-term cybersecurity improvement initiative that starts with protecting the desktop, data, and identity credentials of end users.

Investment

• Funding for improved cybersecurity and new risk management plans.
• Investing time and money in updating critical infrastructure, training, and monitoring to ensure a safe and productive environment.

Policies and principles

• Implemented a set of privacy principles, which are being used to guide decisions around data use on campus.
• Work with faculty, staff, and students to implement policies that ensure privacy is safeguarded and sensitive institutional data is secured and protected.
• Implementing least privileged access.
• Systemwide focus on implementation of policy related to information technology recovery.
• We are developing guidance on the best practices.
• Updating policies.

Priority focus

• We have a program we call PrISM, which oversees cybersecurity, risk management, and privacy.
• With a Zero Trust culture that we have instituted, we partnered with external consultants who can support privacy and, using their SOC (security operations center), we allow them to partner with us to ensure we exceed industry standards.
• A recent cybersecurity incident has resulted in new strategies around data storage and personally identifiable information being secured in new ways.
• Safeguarding student, faculty, and staff privacy, as well as securing our institutional data, is a top priority. Trust is the foundation of a thriving academic community, and trust relies heavily on how we handle information. The digital landscape is constantly evolving, presenting new opportunities and challenges. We leverage a wealth of data to personalize learning experiences, improve operational efficiency, and conduct vital research. However, this data also requires robust protection.
• Privacy and security of institutional data and university personnel's personal data is one of the top priorities for the university. Multiple initiatives and technologies are being implemented to ensure the security of the data. A comprehensive strategic plan has been devised and is being worked on.
• Campus-wide prioritization of cybersecurity and data privacy safeguards.
• Cybersecurity is our top priority and is foundational to any priorities we advance.
• Cybersecurity remains a top priority at our institution. Cybersecurity attacks have the potential to severely disrupt our mission and can have substantial costs to the institution. Our institution has a SafeIT group that brings cybersecurity projects under a single umbrella to make sure that we are focusing our efforts and dollars in the right areas—good account hygiene, utilization of new tools (endpoint detection and response), firewalls, 24/7 SOC, enterprise password management, and others—to understand and limit risk.
• Security is also extremely important. We are building a comprehensive risk-based security program that focuses on minimizing sensitive data, training employees, and outsourcing certain aspects of security so we have very good 24/7 coverage.

Procurement management

• We are moving discussions of data sharing with third-party vendors into the beginning of the purchase process so that privacy and security are considered before a system is actually purchased.
• Improving our information technology procurement process to ensure all systems that collect, process, store, or transmit sensitive information undergo regular data security and privacy reviews.

Roadmap

• Built a multiyear cybersecurity plan based on findings from the EDUCAUSE Information Security Program Assessment tool.

Staffing

• Hiring two security officers and developing a more extensive data stewardship plan.
• By bringing on board a partner in the cybersecurity space, we were able to quantitatively create a full cybersecurity department. The partner produces monthly data showing cyber tasks completed and a full schedule for the future.
• A new CISO, multifaceted external audits, and a redesign of our security team, policies, and practices.

Technology investments

• Investment in cybersecurity and platforms that can identify what data people are putting into websites and online systems that are not supported by central IT.
• Investing in ITAM (IT asset management) solutions with included data security.
• Considering the acquisition of a piece of software to allow real-time security monitoring of infrastructure.
• Our cybersecurity program started in earnest last year. All areas of the college are affected as we increase safeguards with things such as removing admin rights on local computers, getting a mandatory cybersecurity training policy in place, and deploying Sentinel One for endpoint device protection.
• Ongoing cybersecurity threat detection and management.
• Build a case for security layering and advanced systems.
• Full subscription to Microsoft A5 is approved for this year along with implementation of all security features.
• Authentication resiliency by moving to cloud. Moving infrastructure to cloud like AWS.
• Building off the Zero Trust model, all employees and students now have to use multifactor authentication (MFA) to access the network. Remote workers connect to the network via virtual desktop infrastructure (VDI) that allows us to manage the north/south and east/west traffic based on their role (using role-based access control). All remote third-party service providers connect through this VDI interface and have restricted access to their specific servers/applications.
• We are constantly implementing new technology to protect the institution. That includes network segmentation, new software, and additional SECaaS (security as a service) resources.

Multiple approaches

• The university employs various cybersecurity measures, such as encryption, authentication, firewalls, and antivirus software, to protect its data and systems from unauthorized access, misuse, or damage. The university educates its staff and students on the best practices and policies for data security and privacy, along with conducting regular audits and assessments to monitor and improve its performance. The institution also mandates cybersecurity training for all employees.
• Implemented numerous tools and practices. Some of these include EDR/MDR, a PAM tool, and many additional layers of security. We reorganized the IT department to ensure we had staff with appropriate skills to assist with building, progressing, and maintaining our security posture.
• Implemented SIEM (security information and event management) in 2023. Working to formalize a risk management policy with executive-level input and support. Working on formalizing data classification and labeling and enhancing privileged identity management, just to name a few.
• Cataloging data, implementing new security tools (CrowdStrike Falcon), and promoting employee security awareness.

Notes

1. Lydia Saad, "Historically Low Faith in U.S. Institutions Continues," Gallup News, July 6, 2023. Jump back to footnote 1 in the text.↩
2. Jim Boehm et al., "Why Digital Trust Truly Matters," McKinsey & Company, September 22, 2022. Jump back to footnote 2 in the text.↩

---

Lois Brooks is Chief Information Officer and Vice Provost for Information Technology at University of Wisconsin-Madison.

David Escalante is Director of Computer Security at Boston College.

Marc Hoit is Vice Chancellor and Chief Information Officer at NC State University.

Don Welch is Vice President for IT and Global University Chief Information Officer at New York University.