Conventional wisdom says that the purpose of security in higher education is to support teaching, learning, research, and operational efficiencies. However, the purpose of security goes beyond even these lofty objectives.
Security exists not for security's sake, but so the community can trust what our institution does and how we do it.
According to CIO.com, trust and transparency "are presenting as the new first-class differentiators, with experience, engagement, price, and quality all now settling in as second class." [1] What does this look like in higher education?
- We are up-front about what data we collect, what we do with it, and how we keep it.
- We give our community of faculty, staff, and students as much control as possible over the technology they use and the data they manage while ensuring careful handling of other people's information.
- Our institutional review boards ensure that technology and data ethics and security are included in their considerations of appropriate research methodologies.
- Considerations of privacy, security, and data management are included in all business processes and operational expenditures.
Trusting Our Institutions
So how do we know when our institutions are trustworthy? It is the same as evaluating people. We trust people when they are honest, reliable, and accountable for their behavior. When we manage systems and information on behalf of an institution, the way we do it reflects on the values of the institution. Do we transparently share our data handling, privacy, and security policies? Do faculty and staff hold themselves and others accountable for doing their work well, maintaining confidentiality, and using data appropriately? Do they take ownership when things go wrong?
Trust is neither binary nor permanent. Who we trust and how much and for how long we trust them depends on context. Higher education institutions may want to be trusted, but it's easy for institutions to lose the trust of their communities if institutional systems fail or their information is incorrect. We may tolerate an institution having student-supported services with delayed response times, but logging into the learning management system must be immediate and reliable. It may be annoying if the bus schedule is wrong by five minutes, but it's really not OK if we're about to undergo surgery and our health record is incorrect. We trust proportionally to the level of risk we are willing to assume. The less we risk, the more likely we are to give the benefit of the doubt and trust.
What does lack of trust and transparency in technology and information look like in higher education?
- Faculty choose to use non-institutional systems because performance is unreliable, or confidentiality is not assumed.
- Students and faculty choose to attend a different institution because the institution does not handle their information ethically, efficiently, or with their best interests in mind.
- Granting agencies fail to award research and teaching grants because they are not assured that the institution or the researcher can manage the security and privacy of the information correctly.
Security and Trust
Traditionally, security programs manage trust using the CIA triad: confidentiality, integrity, and availability. Does the institution maintain confidentiality according to the expectations of the community? Are systems available when and where they are needed? Is the data accurate, and does it behave as expected?
Now, security leaders need to go further if they are to promote trustworthiness within and outside the institution. They need to do these things:
- Create partnerships: Security leaders must align themselves not only with the technology partners in an institution but also with academic and research leaders to understand how security can be used to improve academic outcomes. Additionally, security teams need to work with technology vendors and partners to ensure the entire ecosystem of technology and data is trustworthy, not just those systems created in-house by the institution.
- Educate stakeholders: Security leaders must help the entire community understand how having secure systems will support their efforts. This includes helping them know the information and technology risks they face and helping them devise strategies to address those concerns. These threats occur at home and at work, so awareness of issues needs to encompass their personal and professional lives.
- Demonstrate competency: Security leaders and their teams must be trusted for their expertise, so being accurate, responsive, and professional is important. When the inevitable errors occur, own the efforts to correct them, and change tools and processes to stop a repeat event. An untrusted security partner will be bypassed by the community, invalidating security's reason for existing.
Trust in Remote Working
As education institutions adjust to a post-pandemic teaching, learning, and working environment, the issue of trust is more important than ever. Many of us will return to our physical campuses, in-person teaching and research, and team collaboration spaces. Some, particularly in security and technology, will decide to work and learn from another place. Security and privacy leaders will need to provide a way of working that is trusted by workers, leaders, granting agencies, and regulators. To enable this, security leaders should consider doing the following things:
- Evaluate remote-working processes, cloud applications, and related analytics with a "private from the start" and "secure from the start" process. We know our institutions will want to analyze the impact of online learning and remote working to determine if they are performing as needed. These technologies are reaching into people's homes. They must adhere to privacy principles and be managed with appropriate security measures to support equity, privacy, and desired institutional outcomes.
- We can no longer secure the environment using on-premises networking solutions alone. We must ensure security tools are as close to the employee or student as possible—at login—on devices and in cloud applications. In order for the security function to be regarded as effective, threat detection and response tools must extend to wherever faculty, staff, and students are. It is not acceptable to provide security protections only to those on campus; the choice to work and learn remotely must not be a binary choice of "security versus no security." This raises questions of privacy. Communicating early and often about how these tools work and are used is critical. Partnering with faculty, staff, and students to implement a security technology stack that supports remote working is an important exercise in organizational partnership.
- Expand security training and awareness to focus on the individual in their hybrid work/home environment instead of focusing only on the needs of our institutions. Help them understand the personal and professional security threats and risks and give them the tools to manage risks.
Security doesn't exist for its own sake. It exists to ensure the institution is successful in delivering its mission. Security fosters trust, which allows the university or college community to live, work, and thrive. As we move past the pandemic and into a new way of working, security continues to play a pivotal role in ensuring our institutions navigate these challenges successfully. Security leaders must consider their role in supporting the institution to foster appropriate technology use and build trust.
An earlier version of this article was published as Helen Patton, "Trusting Remote Work Security in Higher Education," Industry News (blog), Duo, May 27, 2021.
1. Richie Etwaru, "Chief Trust Officers: Why, Who and When," Dangerous Thinking (blog), CIO, October 29, 2019.
Helen Patton is Advisory CISO at Duo Security.
© 2021 Duo Security.