As the role of higher education evolves, cybersecurity approaches must adapt. By collaboratively reexamining the cross-functional ecosystem that supports cybersecurity, higher education leaders and cybersecurity professionals can better align risk, security, business, and technology efforts with institutional strategic goals.
Historically, the primary mission of higher education has been to educate students. Today, that role has expanded to encompass information discovery and knowledge transfer. Institutions carry out these responsibilities through a variety of activities, such as research, extension, health and social services, and human and veterinary medicine. Each of these areas must have an individualized strategic focus and be managed intentionally. Innovation and adaptation are essential to long-term sustainability.
The need for an intentional, adaptive strategy applies to cybersecurity as well, but higher education institutions struggle to evolve in this area. Despite a rapidly evolving threat landscape, institutional practices often remain unchanged. That disconnect crystalized for me as I watched a 1983 NSA lecture by Grace Hopper, who said that the most dangerous words are, "We have always done it that way." [1]
Across higher education, we need to do cybersecurity better. Cybersecurity professionals must help institutional leaders, and those who support them, identify cybersecurity practices that work for the specific business requirements of departments, units, and leadership functions. This work requires cybersecurity practitioners to better understand those goals and objectives and to recognize that there is no "one-size-fits-all" solution or textbook approach. Simply imitating peer institutions is no longer sufficient. Meaningful progress demands a greater willingness to innovate, adapt, and lead.
Many higher education institutions treat cybersecurity as an IT function rather than as a core business activity that is essential for safeguarding critical assets and supporting institutional success. Cybersecurity professionals must help institutional leaders understand the key aspects of cybersecurity (protecting information systems and data from unauthorized access and attacks, ensuring the confidentiality, integrity, and availability of information, and implementing a layered defense strategy that combines people, processes, and technology) and why all data assets require some level of protection. Determining the appropriate level of protection involves more than evaluating the data's sensitivity. It also depends on factors such as confidentiality, integrity, and availability. A common misconception is that if the data is not sensitive, no protection is needed. This misunderstanding can lead to inconsistent or insufficient protection measures across the institutional enterprise. Protecting data requires a well-designed, well-governed cybersecurity program.
Understanding the Cybersecurity Ecosystem
Cybersecurity is an ecosystem that touches every aspect of a college or university's structure and mission. Consequently, it cannot be relegated to a single institutional area or funded as a single line item in the budget. Cybersecurity must be a shared responsibility across the institution.
Cybersecurity programs cover three overlapping functional areas: business, technology, and risk and security. [2] Each area has its own governance, functions, and resourcing. The hub of the cybersecurity program lies at the intersection of these areas (see Figure 1). The cross-functional relationships and interactions among these areas are often poorly understood or documented within higher education institutions. As a result, integrating these three functional areas into the broader business fabric is difficult, which often leads to the perception that cybersecurity is an overhead cost rather than a source of organizational value. Understanding how these three areas interact is essential for designing a cybersecurity program that supports and serves the needs of the entire institution. The following sections outline the purpose and scope of each functional area.
Business Function
The business function of a college or university is typically governed by the provost and the chief financial officer (CFO) with the support of the human resources administration. This function encompasses institutional operations that rely on shared processes, procedures, and enterprise data management and information systems. It includes a wide range of portfolios, such as research, professional programs, student instruction, extension services, external partnerships, institutional advancement, and athletics. Essential units such as procurement, human resources, student affairs, enrollment services, and financial aid are core components of the business function. Regardless of where they reside within the institution, all these units and their portfolios contribute significantly to the reputational and financial health of higher education institutions.
Figure 1. Institutional Cybersecurity Impact Areas and the Cybercentric Hub
The business function defines institutional priorities and strategic goals, and cybersecurity is an integral part of those priorities. An effective cybersecurity program ultimately exists to ensure that the institution can meet its business requirements and fulfill its mission. Business leaders are typically responsible for defining institutional risk tolerance and strategies that guide protection, detection, response, and recovery planning, making their involvement essential to aligning cybersecurity with the core priorities of the institution.
Technology Function
The technology function of a college or university is governed by the chief information officer (CIO) and includes, but is not limited to, information technology, enterprise architecture, storage and processing infrastructure, centralized IT services, incident response, change management, and inventory management. Technology leaders must understand all institutional business requirements so they can meet them in an effective, efficient, and fiscally responsible manner. Technology departments and support services also must keep pace with the rapidly evolving IT landscape to meet institutional goals and objectives. Many institutions assign responsibility (both managerial and fiscal) for cybersecurity to the IT department. When cybersecurity is housed entirely within the IT organization, institutions may unintentionally reinforce the perception that security is a technical problem rather than a strategic, enterprise-wide concern. This perception can contribute to siloed cybersecurity activities and undermine effective coordination, shared governance, and sound institutional risk management.
Risk and Security Functions
Institutional risk and security functions are often poorly defined or insufficiently understood. Separating these two functions is challenging because they have some overlap and similar dependencies, and because the security function relies heavily on risk methodology. In many institutions, elements of both functions are spread across multiple areas in a decentralized manner, making coordination difficult and increasing the likelihood that units will develop inconsistent or conflicting security practices. In particular, many institutions treat "security" as synonymous with IT and information security, leaving other essential domains disconnected from the broader cybersecurity ecosystem.
The risk and security function in higher education is quite diverse. It includes, but is not limited to, internal audit, legal, environmental health and safety, third-party risk management, physical security, personnel security, information security, IT security, public safety, incident response, business continuity, and, sometimes, sponsored research. However, many colleges and universities focus their cybersecurity programs on IT security and digital data protection, excluding or only lightly incorporating related areas such as research security, personnel security, physical and operational security, public safety, and business continuity. Security teams must work closely and build good relationships with people in other cross-functional areas to successfully identify, assess, and manage risk and security across their campuses. Failure to do so can lead to increased workloads from duplicated efforts, stovepipes, redundancy, and communication breakdowns. When these additional security areas are not connected to, or do not inform, the overall institutional cybersecurity program, significant risk and visibility gaps emerge that hinder the security team's ability to protect against, detect, respond to, and recover from threats effectively.
At many higher education institutions, security functions (including compliance activities) are housed within the IT organization. Security and risk practitioners often face resistance because they are perceived as part of (and therefore loyal to) the IT department rather than as partners supporting the broader institution. To be effective, they must overcome this mistrust and build strong, cooperative relationships across campus. It is important to remember that security and risk professionals approach their work from the perspective of what is best for the institution, not just the department in which they are placed.
This organizational setup can also create financial tension. Cybersecurity initiatives frequently compete with broader IT priorities for the same budget dollars. An unintended consequence of this funding structure may be slow investment in technology refreshes and service offerings, placing cybersecurity at odds with institutional IT priorities. These challenges can be further complicated when the chief information security officer (CISO) reports to the CIO.
In response, some higher education institutions are moving toward a governance model in which the CISO holds a role commensurate to the CIO and CFO. This shift can help alleviate conflicts, balance institutional IT and cybersecurity needs, more closely connect cybersecurity to core institutional business functions, and support a more equitable and sustainable funding model. Regardless of reporting structure, it is crucial for institutional leadership to understand that information technology, security, and risk management are distinct functions that collectively inform and impact the cybersecurity of an institution. Cybersecurity requires dedicated funding and shared responsibility.
Colleges and universities must align their critical functions in ways that ensure their digital ecosystems can operate safely and effectively within the broader cyber landscape. They must identify and understand the risks that could impact strategic goals and objectives. This work is increasingly important because meeting compliance requirements alone is no longer enough. Standards and laws are replacing traditional compliance models with more stringent risk-assurance requirements, making cross-functional collaboration and sustainable coordinated funding models essential.
Higher education institutions must identify their cybersecurity hubs and build cybersecurity programs that are grounded in solid business and risk management practices. By protecting institutional data and information, these programs enable colleges and universities to carry out their mission and safely transfer vital knowledge to society. Ensuring that all security domains—not only IT and information security that is focused on digital data protection—participate in and inform the cybersecurity program is critical to reducing institutional risk and strengthening overall resilience.
Transitioning from Organization Charts to Cross-Functional Teams
Thinking about cybersecurity in the context of the three functional areas of business, technology, and risk and security provides a clearer framework for understanding its breadth than relying on the organizational charts that exist today. Forcing these functional areas to fit neatly within traditional higher education organizational charts has created confusion for leaders and made it more difficult to solve current and future cybersecurity issues. Today, most modern organizational operations occur within cross-functional teams, and projects and initiatives can't succeed without collaboration across the different areas of the institution. That is why leadership must reexamine cybersecurity outside the existing organizational charts and focus instead on the functional areas that support institutional strategic goals.
Regardless of how an institution is organized and its functions are tied together, business, technology, and risk and security are all part of the cybersecurity ecosystem, and they support and inform the cybersecurity program.
Conclusion
Cybersecurity is essential in today's digital, interconnected, technology-driven world. It is an ecosystem that touches every aspect of the institution and should be integrated into all operations. To meet strategic goals and objectives and be successful in the 21st century and beyond, higher education institutions must become innovative and agile. They must be able to protect, detect, respond to, and recover from cybersecurity incidents and proactively prepare for potential attacks rather than assuming attacks will never occur. Strategic planning must begin now to define and integrate an institutional cybersecurity framework that supports the institutional mission and operational priorities and goals.
Author's Note
The views expressed in this article are those of the author and do not necessarily reflect the views of North Carolina State University.
Notes
1. National Security Agency, "NSA Releases Copy of Internal Lecture Delivered by Computing Giant Rear Adm. Grace Hopper," August 26, 2024.
2. Privacy is often underrepresented at many colleges and universities. This function focuses on risk to the individual, not the institution. Higher education has no standard placement for this function. Consequently, this article does not address privacy although it is part of the cybersecurity ecosystem.
Elizabeth Cole-Walker is Information Security Specialist at North Carolina State University.