In a recent Cybersecurity and Privacy Program evaluation survey, EDUCAUSE asked IT professionals whether cybersecurity and privacy functions should be integrated or kept separate.
Higher education institutions face the critical challenge of managing cybersecurity and privacy—two intertwined but distinct functions. Should these two functions be integrated or kept separate? Finding the right balance between collaboration and autonomy will be crucial for effective data protection and risk management.
Integration Versus Separation
The question of whether cybersecurity and privacy functions should be integrated or remain separate is a critical consideration for higher education institutions as they navigate complex data protection requirements and evolving cyberthreats. Our findings show that most respondents prefer them to be separate but interdependent, recognizing their distinct and specialized goals while highlighting the importance of collaboration on overlapping issues (see figure 1).[1]
Disparities in the extent to which both functions are regarded as critical to institutional success, along with difficulties related to resource allocation and staffing, pose challenges to effective interdependence (see figure 2).
We asked respondents to describe why they would prefer integrating or separating the two functions. Some of their open-ended responses overlapped, particularly among those favoring one of the two separation options (see table 1).
Reasons Supporting Separate Functions (whether interdependent or autonomous) |
---|
Distinct Goals: Cybersecurity focuses on protecting systems and data, while privacy centers on regulatory compliance and protecting personally identifiable information (PII). The two areas require different skill sets, making separate functions essential for addressing their specific objectives. Separating the functions ensures that each area can prioritize its objectives without compromising the other. |
Checks and Balances: Keeping cybersecurity and privacy separate allows for unbiased decision-making and promotes healthy debate. Each function serves as a check on the other, ensuring that decisions are balanced and that neither function dominates, leading to a more comprehensive approach to data protection. |
Reasons Supporting Separate but Interdependent Functions |
Collaboration on Overlapping Issues: While distinct, cybersecurity and privacy must collaborate due to shared tools and overlapping regulations. Separation ensures specialization, while interdependency allows them to work together effectively when necessary, enhancing overall data protection and compliance efforts. |
Reasons Supporting a Single, Integrated Function |
Overlapping Roles and Goals: Cybersecurity and privacy often share similar objectives and roadmaps. Centralizing them under one function avoids conflicting priorities, improves collaboration, and ensures cohesive implementation of security controls and privacy measures. |
Unified Decision-Making: Separation can lead to indecision and increased risk, while integration ensures both areas are aligned in risk management efforts. A single leader for both areas helps balance priorities, reduce conflicts, and ensure smooth collaboration. |
Streamlined Efficiency: Integrating cybersecurity and privacy reduces delays, speeds up decision-making, and eliminates duplication of efforts, making better use of limited resources, especially in smaller institutions. |
The Bottom Line
Ultimately, integrating cybersecurity and privacy functions can streamline data protection efforts and foster cohesive strategies. However, integrating these functions may sacrifice the checks and balances provided by keeping them separate. Institutions must carefully balance the advantages of specialized focus with the benefits of unified risk management and streamlined collaboration.
Note
- Percentages in figure 1 and figure 2 have been rounded to the nearest whole number, occasionally resulting in sums just under or over 100%.
Nicole Muscanell is a Researcher at EDUCAUSE.
© 2024 Nicole Muscanell. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.