Hotline: Cybersecurity and Privacy | March 2026

This Month: Blind Spots, CMMC/CUI Compliance, and Responsibility Overload



"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about cybersecurity strategy, CMMC/CUI-compliant research computing and storage infrastructure, and the unchecked expansion of cybersecurity job responsibilities.

Stacked tiles with various icons: key, lock, shield, etc. The top one is a phone in use.
Credit: HowLettery / Shutterstock.com © 2026

Swing Big, Lead Smart, and Scale Intentionally

Dear Hotline: What is the biggest blind spot for higher education in terms of its current cybersecurity strategy, and why does it persist?

The Ivory Firewall

Dear Firewall: Terrific question. There truly is no wrong answer. We could talk about funding, technology, or culture. There are so many blind spots, and there is an argument for the primacy of any of them. But I'll pick one that I've both observed and been guilty of myself: the failure to think big.

When developing our annual cybersecurity plans, too many of us think incrementally. We aim to reduce critical vulnerabilities by 10 percent or finally move alumni to multifactor authentication. Are these things important? Absolutely. Are they game-changing? Not in the least. We aim for these incremental improvements almost out of habit because we've always struggled with them. They're belt-tightening, completely defensible basic controls, but ask yourself this: If you achieve these goals, has the cybersecurity posture of your institution radically improved?

Of course, there are practical reasons for pursuing these improvements. They are easier to work into constrained budgets, they're not politically difficult, and the pushback tends to be minimal. In 2026, no one will argue against patching more aggressively or creating backups to mitigate ransomware attacks.

But I'd like to see more of us take bigger swings and advance strategic initiatives that fundamentally change the cybersecurity paradigm to enhance institutional resilience. What might those look like? While your institutional context (highly centralized versus decentralized, large R1 or nimble R2) will influence them, I'm thinking of moves that are truly metamorphic: full Zero Trust deployments, mandatory phishing-resistant MFA, or consistent, centralized management and patching for every workstation and laptop.[1] Imagine if all your internet traffic were routed through a vended secure access service edge (SASE) solution. None of these shifts is fast, cheap, or easy. In fact, they are politically and operationally "loud." But at most schools, they'd be transformational.

Most of us have been trained to think within the boundaries of "what's likely," but this mindset throttles our imaginations and, thus, our aspirations. What's happening in cybersecurity is seismic in scope and pace, so worrying about a few weeds in the sidewalk won't lead to success.

Build, Buy, or Collaborate

Dear Hotline: With the ever-expanding demand for CMMC/CUI-compliant research computing and storage infrastructure, do you expect commercial offerings will meet these needs, or will the higher education community need to build bespoke solutions? If we do need to build them, how can we do that collaboratively?

Recovering CISO

Dear Recovering: As I've written elsewhere, I really value the absence of Cybersecurity Maturity Model Certification (CMMC) from my professional life.[2] But your question is so timely and rich, it's worth diving into. I suspect many others are asking themselves the same thing. There are three dimensions that are worth unpacking.

First, are there (or will there be) commercial CMMC offerings that meet our needs? Absolutely. If there's a market, there's a service provider, and the CMMC market is large. While it may feel like every service provider has pivoted entirely to artificial intelligence (AI), the offerings for CMMC Level 2 enclaves—both cloud- and data-center-based—are expanding faster than most of us can track. There's also a more modest market of providers that offer email and lightweight file storage as almost entirely turnkey solutions, which may be sufficient for some use cases. One element to watch closely, however, is the "last-mile" problem. What does the endpoint for accessing these solutions look like, and how is it managed? With CMMC, there is no "good enough." Cybersecurity practitioners must understand, control by control, who is responsible and accountable (the vendor or the institution).

Second, let's consider "bespoke needs." While research environments often have some custom-made instrumentation, I suspect a highly regulated environment, such as a Level 2 enclave, will have some homogenizing effect on research infrastructure. Bespoke solutions may be necessary at times, but they are intrinsically more expensive. If those costs are not reflected in the grant, someone will be disappointed. Within the CMMC universe, researchers should aim to use supported infrastructure whenever possible and avoid making bespoke solutions the default.

Finally, let's talk about community resources and collaboration. Members of the higher education security community have been scratching their heads over this issue for years. If the largest colleges and universities struggle to build a compliant and expandable Level 2 enclave, what will smaller institutions, or those with only a few researchers, do? When my last institution was building its enclave, an explicit goal was to serve other colleges in the system that needed CMMC Level 2 resources. There are still some difficult questions to address around the last-mile issue, but I hope larger institutions with Level 2 enclaves are stepping up to this challenge. If we can't help one another in this space, we're doing a disservice to both higher education and the country's defense industrial base.

There are some terrific resources out there for collaborating and learning how others are tackling this issue. The EDUCAUSE Regulated Information Security Compliance Community Group and the Regulated Research Community of Practice (RRCOP) are full of friendly, experienced colleagues who are happy to share their experiences.

Run, Persuade, or Rise

Dear Hotline: I was hired to manage servers. Then I "volunteered" to help with policies. Now everyone calls me the CISO. I have no staff, no budget, and a job description that says nothing about security. How do I claw my way out of this without setting anything on fire?

No Good Deed

Dear No: I'm tempted to make a wisecrack about karma, but I don't know your background, and professional decorum doesn't permit it. So your employer is getting the minimum they need without incurring any of the associated costs, but you're tired of more work, no resources, all the responsibility and accountability, and no benefits, and you're still doing your "real job"? Yeah, your situation does sound a lot like karma.

Unfortunately, what you are experiencing is far too common in our community, though I usually see this challenge at smaller schools. Because you have demonstrated a high level of competence, and perhaps a modicum of inclination, you've been "voluntold" to take on additional security responsibilities. And because you've stepped into a vacuum, everything you do seems extraordinary, and the next thing you know, you're the go-to for cybersecurity. The challenge you face is difficult to solve; however, the options for how to proceed are pretty straightforward.

Option one: Run screaming. While the job market isn't great right now, there's no harm in casting around for something more aligned with your passions. Obviously, your circumstances may rule out this path, but I always like to remind people that looking out for themselves and their career is their prerogative.

Option two: Build the case for hiring a dedicated CISO or security team. Collect data on how much time you're spending on security, and detail what's not getting done. Develop a CISO job description tailored for your environment. Consider researching vCISO services or the market for security professionals in your area. The key to success with this option is having a mature enough relationship with your management so that you can have this conversation. They need to know whether you're happy, and if you're not, recognize that you're a flight risk.

Option three: Embrace the pain. This path looks a lot like option two, only your end goal is to elevate yourself into a CISO or CISO-like position and shed your non-security responsibilities. Your management could reassign those responsibilities or hire someone to backfill your current role. Cybersecurity is a terrific career, but it's much more difficult to break into today without the right background than it was when I started. Perhaps you've been building that experience and background, and this is your moment to flex.

Ultimately, you need to solve this on your own, which means doing some sincere soul-searching about what you want, where you want to be, and what you're prepared to do to achieve it. Taking ownership of your journey is a great way to build some truly positive karma.

Notes

  1. By full Zero Trust deployments, I mean ones that include policy and governance components, not merely microsegmentation. See "Zero Trust Architecture," Wikipedia, last modified February 5, 2026. For more information about phishing-resistant MFA, see "Implementing Phishing-Resistant MFA," fact sheet from the Cybersecurity & Infrastructure Security Agency (website), accessed February 22, 2026.
  2. Michael Corn, "To CMMC or Not to CMMC," Michael Corn (blog), Substack, February 8, 2026.

Have a cybersecurity or privacy dilemma you'd like Mike to unpack? Submit your question through our anonymous form.


Michael Corn is an Executive Strategic Consultant at Vantage Technology Consulting Group.

© 2026 Michael Corn. The content of this work is licensed under a Creative Commons BY-NC-SA 4.0 International License.