EDUCAUSE QuickPoll FastFact: Should Cybersecurity and Privacy Functions Be Integrated?


In a recent Cybersecurity and Privacy Program evaluation survey, EDUCAUSE asked IT professionals whether cybersecurity and privacy functions should be integrated or kept separate.


Higher education institutions face the critical challenge of managing cybersecurity and privacy—two intertwined but distinct functions. Should these two functions be integrated or kept separate? Finding the right balance between collaboration and autonomy will be crucial for effective data protection and risk management.

Integration Versus Separation

The question of whether cybersecurity and privacy functions should be integrated or remain separate is a critical consideration for higher education institutions as they navigate complex data protection requirements and evolving cyberthreats. Our findings show that most respondents prefer them to be separate but interdependent, recognizing their distinct and specialized goals while highlighting the importance of collaboration on overlapping issues (see figure 1).[1]

Figure 1. Ideal Relationship Between Cybersecurity and Privacy Functions
Icons showing the ideal relationship between cybersecurity and privacy functions: cybersecurity and privacy should be separate but interdependent functions (64%); cybersecurity and privacy should be one single integrated function (19%); cybersecurity and privacy should be completely separate and autonomous functions (12%); don't know or other (6%).

Disparities in the extent to which both functions are regarded as critical to institutional success, along with challenges related to resource allocation and staffing, pose challenges to effective interdependence (see figure 2).[1]

Figure 2. Perceptions of Cybersecurity and Privacy Functions
Stacked bar chart showing the perceptions of cybersecurity and privacy functions. Both functions have the resources and staffing needed to be effective: don't know (2%); disagree (65%); neutral (20%); agree (14%). Both functions are equally viewed as critical to the institution's success: don't know (5%); disagree (35%); neutral (15%); agree (46%). Both functions collaborate together smoothly and effectively: don't know (8%); disagree (11%); neutral (21%); agree (60%). Both functions are mutually supportive of one another's goals: don't know (7%); disagree (6%); neutral (14%); agree (73%).

We asked respondents to describe why they would prefer integrating or separating the two functions. Some of their open-ended responses overlapped, particularly among those favoring one of the two separation options (see table 1).

Table 1. Reasons for Integrating or Keeping Cybersecurity and Privacy Functions Separate
Reasons Supporting Separate Functions (whether interdependent or autonomous)

Distinct Goals: Cybersecurity focuses on protecting systems and data, while privacy centers on regulatory compliance and protecting personally identifiable information (PII). Both areas require different skill sets, making separate functions essential for addressing their specific objectives. Separating the functions ensures that each area can prioritize its objectives without compromising the other.

Checks and Balances: Keeping cybersecurity and privacy separate allows for unbiased decision-making and promotes healthy debate. Each function serves as a check on the other, ensuring that decisions are balanced and that neither function dominates, leading to a more comprehensive approach to data protection.

Reasons Supporting Separate but Interdependent Functions

Collaboration on Overlapping Issues: While distinct, cybersecurity and privacy must collaborate due to shared tools and overlapping regulations. Separation ensures specialization, while interdependency allows them to work together effectively when necessary, enhancing overall data protection and compliance efforts.

Reasons Supporting a Single, Integrated Function

Overlapping Roles and Goals: Cybersecurity and privacy often share similar objectives and roadmaps. Centralizing them under one function avoids conflicting priorities, improves collaboration, and ensures cohesive implementation of security controls and privacy measures.

Unified Decision-Making: Separation can lead to indecision and increased risk, while integration ensures both areas are aligned in risk management efforts. A single leader for both areas helps balance priorities, reduce conflicts, and ensure smooth collaboration.

Streamlined Efficiency: Integrating cybersecurity and privacy reduces delays, speeds up decision-making, and eliminates duplication of efforts, making better use of limited resources, especially in smaller institutions.


The Bottom Line

Ultimately, integrating cybersecurity and privacy functions can streamline data protection efforts and foster cohesive strategies. However, integrating these functions may sacrifice the checks and balances provided by keeping them separate. Institutions must carefully balance the advantages of specialized focus with the benefits of unified risk management and streamlined collaboration.

Note

  1. Percentages in figure 1 and figure 2 have been rounded to the nearest whole number, occasionally resulting in sums just under or over 100%.

Nicole Muscanell is a Researcher at EDUCAUSE.

© 2024 Nicole Muscanell. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.