"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about reporting structures, the line between student success and student surveillance, and transparency in data collection.
Direct Line or Dotted Line?
Dear Hotline: Does a CISO really need to report to a college president to be independent and effective? It seems like executive sprawl, and even I am not convinced that reporting directly to institutional senior leadership is the right structure.
Dotted Line Disaster
Dear DLD: "Even I am not convinced . . ."? You're either a tough cookie, or you're normally a pushover. Since I've recently spilled plenty of ink on this question, I thought I'd get input from a couple of others.[1] The first is a colleague who wishes to remain anonymous but has been the CISO at a large higher education institution. The second is Linda A. Hill, an expert in organizational questions.[2] I'll begin with my anonymous colleague.
Hotline: In your opinion, should a CISO report to the university's president, or perhaps another senior executive?
Anon: No.
Hotline: That's very succinct. Do you have any thoughts on why this issue keeps coming up?
Anon: I understand the seduction of reporting to a president or other senior leader. A CISO may think that this type of reporting structure will provide a host of benefits.
- Access to more funds and resources
- The ability to provide more or better unfiltered, frequent, risk-based input
- A seat at the table for broader institutional decisions that may affect cybersecurity
- Less potential conflict with IT wants versus security wants
- A better job title and higher pay (not to be crass) that is commensurate with the risk that goes with the job
Hotline: Those all sound reasonable. Have you ever wanted to report further up the chain of command?
Anon: As a former CISO, I never "aspired" to report to a president or other senior leader (provost, CFO) for a variety of reasons:
- Senior leaders often lack an understanding of the nuances of security and the challenges associated with securing a higher education institution. Most CIOs have a good grasp of how IT works in higher education and have an incentive (if not an understanding) to secure things as appropriately as possible.
- Senior leaders are WAY busier and have more distractions than a VPIT/CIO. To put it another way, unless it is a crisis, they likely won't have time for you.
- Being embedded under the VPIT/CIO gets you closer to the people who need to do the security work; i.e., other IT leaders and system owners.
Hotline: That's a lot of bullet points. Could you summarize this for our readers?
Anon: Bottom line, so long as CISOs are reasonably getting the resources they need, have access to decision-makers (or input into key decisions), and are able to regularly report to senior leadership in one form or another, then where they report is of far less importance (but I DO think CISOs absolutely need to be the second highest paid IT employee after the VPIT/CIO role and deserve salaries that are closer to that level than a "peer" in the VPIT/CIO's organization).
Anon makes a compelling case—one that I suspect is shared by many of our readers. Let's turn to Linda Hill's advice.
Linda Hill: I don't think it is necessary for the CISO to report to the president, assuming that the CIO is a member of the executive team. An effective CIO is perceived as a key "business partner" by the other members of the executive team. CIOs are the liaison between their executive teams and their own team of direct reports (including the CISO). CIOs should represent the interests of their direct reports to the executive team: communicating their priorities, constraints, and capabilities and ensuring team members have the necessary resources to deliver on the strategy of the organization.
Given the growing risks (think GenAI) and high stakes associated with security breaches, I suspect the CISO should hold regular meetings with the executive team to ensure they have an accurate assessment of security practices, risks, and outcomes, and to keep the team up-to-date on the evolution of best policies and practices. I suspect the CISO should meet with the executive team on an ad hoc basis to update them on additional budgetary needs or address any breach that has occurred, given the significant reputational and other costs associated with falling behind in security investments or poor crisis management.
What I find interesting is that both of my colleagues agree that the CIO may not be the last word in cybersecurity (that's reserved for the CISO, as the subject matter expert), but the CIO is the first word—the enabler of access to leadership for the CISO. This underscores the reality that the success of cybersecurity (and the CISO) at an institution is truly dependent on the CIO and CISO having a strong, constructive partnership.
Safety or Surveillance?
Dear Hotline: Where is the line between student success and student surveillance, and who decides when the line has been crossed?
Directory Information Available Upon Request
Dear Directory Information: "I long for the day when people embrace our common humanity and respect diversity," for your question surely will engender a diversity of opinion, not all of which will be respected.[3] I recall an instance when a large campus I worked for was planning an expansive deployment of security cameras, starting in the residence halls and extending across campus. In addition to the substantial costs, a variation of your question had delayed the project. Virtually everyone had a different opinion about what public safety was and what surveillance was. The faculty had pushed back, fearing that the recordings might be used as part of their teaching evaluation. Those of us working in privacy had concerns about the potential chilling effect thousands of cameras might have on free speech or behavior. Others hoped the cameras would have exactly that effect.
But then, something horrible happened. An assault on a student happened in the residence halls, and it was captured in its entirety by one of the few security cameras that had already been deployed. Following that incident, and after the footage was reviewed by law enforcement and a small, controlled group of campus personnel, dissent evaporated, funds for thousands of cameras were secured, and deployment proceeded quickly. It is tempting to see public safety and student surveillance as separate issues, but I see them as two sides of the same coin: monitoring used in the best interests of students. One can imagine any number of analogous use cases. Here are just a couple of hypotheticals: Alice's library records indicate that she has never visited the library (in person or digitally) and is struggling to get passing grades. Bob's network records show that he streams gaming sites for around twenty hours a day from his dorm room, and he is failing several classes. I've wondered about a hypothetical app that somehow anonymizes and aggregates this type of data but uses it to flag and alert at-risk students.
While I suspect (though I lack data) that parents might approve of this approach to student success, the students themselves—most of whom are legally adults—may beg to differ. Despite many students effectively engaging in self-surveillance by habitually posting their location and activity on social media, there's something disconcerting about this sort of surveillance when it's done by a third party. While I can imagine, in the abstract, building systems that leverage this kind of surveillance data, I worry about this on two fronts. First, there's the slippery slope argument in which seemingly innocent data is used with good intent but could open the door to less deliberated or ungoverned uses. Second, in an era where personal behavior is highly politicized, creating new and powerful data sources risks enabling abuse.
Of course, every institution should strike a balance between student success and surveillance, and I recommend doing so as transparently as possible and with full engagement from a broad swath of the affected population. As any privacy advocate will tell you, using data collected for one purpose for an entirely different one violates a privacy best practice and is fraught with risk.
Transparency or Consent?
Dear Hotline: How much transparency do institutions owe students and employees about how their data is collected, analyzed, and sold? Or is "informed consent" just fine print that no one reads?
The Privacy Notice Was Updated
Dear Updated: This question illustrates precisely why I plan to spend my retirement screaming into the void. The question has it backward. Why are we negotiating about how much transparency we're entitled to? The question should really be, "Is there any use of our data that we're not entitled to know about?" The answer is clearly "no," but, my dear Updated, remember this: "The wise person doesn't give the right answers, but poses the right questions," as you surely have.[4]
I suspect the real challenge here isn't that your university or college is off selling student data to supervillains, but rather lies in your question: How should we inform people, and when is consent necessary? When we act in the spirit of our better natures and embrace transparency, what level of detail is necessary? Is it enough to say, "Your major is used to ensure your degree requirements are accurate," or do we need to say, "Your major is stored in the following databases and appears in the following reports. . ."? Of course, the data stored in your institution's data warehouse is used in any number of arbitrary ways to support campus operations and reporting. Yet no one wants to be told, "Your data is used on reports. Now go sit down and stop asking questions."
Developing an institutional posture toward the question you're asking could easily form a central tent post for the data governance program at your institution. I can imagine a comprehensive transparency report on data handling as a program output. Or perhaps including data handling details in your privacy notice may be best for your institution. It's likely that both can have a purpose. I don't think there's one answer that fits everyone. Fortunately, these sorts of questions are being actively discussed in the EDUCAUSE Community Groups (CGs). Both the privacy and data governance CGs are fertile grounds filled with bright and engaged individuals. The CGs are a terrific sounding board and a great place to learn how others have resolved these issues.
Of course, the data supports the conventional wisdom that privacy notices are largely ignored—and for good reason: they're rarely written as tools to inform, but rather as legal devices to stake out liability protection for the organization issuing them.[5] Somehow we've landed in a cultural place where if I tell you I'm going to take advantage of you, I'm somehow immune from accountability when I do.
I firmly advocate for what some call radical transparency and what others call common sense and respect for our community. If one element of higher education's mission is the normalization of thoughtful behavior, then I can't imagine why the development of expectations for data handling wouldn't be part of that mission. We are not just training scientists, humanists, or artists—we're helping shape attitudes toward civil engagement and the outlines of civic society.
Notes
1. See Michael Corn, Society, Higher Education, Privacy (blog), Substack.
2. Linda Hill is Donham Professor of Business Administration and Faculty Chair of the Leadership Initiative at Harvard Business School. She is the co-author of Genius at Scale: How Great Leaders Drive Innovation, forthcoming March 2026.
3. Liza M. Wiemer, The Assignment (Delacorte Press, 2020).
4. Claude Lévi-Strauss, Mythologiques, Vol. 1: Le Cru et le Cuit (Paris: Plon, 1964).
5. Patrick O'Connell and Peter Church, "No One Reads Privacy Notices. So Why Do We Have Them?" Global Privacy Law Review 5, no. 4 (2024): 148–153.
Michael Corn is an Executive Strategic Consultant at Vantage Technology Consulting Group.
© 2025 Michael Corn. The content of this work is licensed under a Creative Commons BY-NC-SA 4.0 International License.