Sponsored Content: Moran Technology Consulting

3 Key Solutions to Higher Education Cybersecurity Workforce Challenges


Higher education is experiencing increased pressure from cybersecurity risk. These risks are compounded by cybersecurity workforce challenges. Learn three strategies institutions can use to address workforce gaps.


The EDUCAUSE Cybersecurity and Privacy Workforce in Higher Education, 2023, report confirms what we in cybersecurity know: significant gaps in cybersecurity staffing put higher education institutions at risk.[1] News headlines confirm that cyberthreats are increasingly impacting university operations—disrupting instruction, research, and student success.[2] Colleges and universities are under immense pressure, and staffing challenges contribute to a profound lack of resilience. The path forward requires an institutional commitment to a cybersecurity program that includes effective resourcing tailored to meet the specific needs of your institution.

Risks

Higher education has a target on its back. In September 2022, the U.S. Cybersecurity & Infrastructure Security Agency reported that Vice Society, a ransomware threat actor, was disproportionately targeting the education sector.[3] The data shows that ransomware is a serious threat. Nearly one-third of breaches in the educational services sector last year involved ransomware.[4]

Higher education is also under a microscope, compounding these risks. This year, a college in New York came to an agreement with the Attorney General of New York to either invest $3.5 million in cybersecurity or face fines after a 2021 breach.[5] The threats are real, and the penalties for not addressing cybersecurity risk cannot be ignored by college and university leaders.

Regulatory pressures have also ratcheted up requirements for higher education. At the end of 2021, the Federal Trade Commission (FTC) updated its Safeguards Rule for Gramm-Leach-Bliley Act (GLBA) compliance. Most institutions must comply with the GLBA, and as many learned, the FTC requires more mature and strategic security programming. In fact, the EDUCAUSE Cybersecurity and Privacy Workforce report indicates that compliance is a real pain point, as 55 percent of respondents noted significant time demand increases related to compliance.[6]

Challenges

Despite these rapidly escalating risks, only 46 percent of survey respondents indicated that the cybersecurity budgets at their institutions had increased in the past year. An almost equal number of respondents said their cybersecurity budgets either decreased or did not change.[7] Funding for cybersecurity continues to be a serious issue. As a result, there are fewer professional development opportunities, staffing remains flat (at best), and risk remediation efforts are on hold or delayed.

Cybersecurity staffing is a challenge across all industries. The 2023 ISC2 cybersecurity workforce study found a worldwide cybersecurity workforce gap of nearly four million workers.[8] Higher education competes in an aggressive market against organizations that pay higher salaries. If you are hoping for a zero-cost solution to these problems, there isn't one. Executive awareness and sufficient budgeting are necessary to address workforce challenges. Without executive support, you will have to make the case that the risk of inaction is much greater than the needed investments. Once you have attained sufficient support, three key practices can help your institution address cybersecurity workforce gaps: investing from within, leveraging outside expertise, and developing a future pipeline.

Retain, Upskill, Retool

If you have existing cybersecurity staff, investing in them should be central to your plan. Job satisfaction has various catalysts: stability, strong teams, good leadership, work/life balance, and compelling work. However, reasonably competitive salaries are still necessary to keep and attract viable candidates. Inflation and increased remote work opportunities have made this more important. The EDUCAUSE Cybersecurity and Privacy Workforce report suggests that non-competitive salaries are an issue at many higher education institutions. Overall, 85 percent of respondents said offering more competitive salaries would go a long way toward addressing staffing issues, and 96 percent of those in managerial roles agreed. Non-competitive salaries contribute significantly to the inability to fill job vacancies. More than half (64 percent) of respondents do not believe they can successfully hire into existing positions.[9] You may not need to offer the highest salary, but you need to be in the ballpark to hire and retain cybersecurity professionals. The data indicates that if you don't increase the salaries of your top performers, you will lose them (and they will be difficult to replace).

The key is to invest your time and institutional dollars in meaningful ways. Start with a detailed plan that effectively communicates your dedication to employees' well-being and professional development. Then, commit to their growth and success.

Supporting Professional Development and Mentoring Cybersecurity Staff

Higher education has traditionally supported professional development for staff, and the EDUCAUSE Cybersecurity and Privacy Workforce report supports that trend. However, only 37 percent of participating institutions provide mentorship opportunities, which shows room for growth.[10] Offering mentoring opportunities is a low-cost, high-impact investment. In addition to transferring knowledge and experience, it communicates to your staff that you care about their career trajectories. I benefited tremendously from a mentorship relationship facilitated by EDUCAUSE. As a new CISO, building an intentional relationship with an experienced CISO at another institution was invaluable. It allowed me to navigate difficult situations with wise advice and avoid dangerous pitfalls. Over a decade later, that relationship continues to be extremely valuable to me, both personally and professionally. If your institution does not have a mentoring program, consider starting one. If you cannot create a program internally, consider what other professional organizations—such as EDUCAUSE, ISC2, ISACA, and the Information Systems Security Association (ISSA)—offer.

Upskilling

Encouraging existing (non-cybersecurity) IT staff to move into open cybersecurity and privacy positions can be an excellent solution. Transitioning from within the IT organization can be easier, as many skills are transferable, and any skill gaps can be targeted with cybersecurity training. Upskilling an existing employee promotes professional growth and retention and fills critical gaps in the security team.

Retooling

A less common path is recruiting employees with non-IT backgrounds. These people represent an untapped talent pool, as most job postings tend to require previous experience or very specific skills. However, this practice is on the rise. According to the 2023 ISC2 cybersecurity workforce study, 39 percent of respondents worked in a non-IT role before entering cybersecurity (one year or less in the field).[11] Instead of looking for an exact match, hire based on competencies that will lead to a successful transition into cybersecurity and then assist with retooling. The EDUCAUSE Cybersecurity and Privacy Workforce report identifies several important competencies for a successful cybersecurity and privacy career.

  1. Relationship building, communication, and networking skills
  2. Continuous learning and adaptability
  3. Analytical and problem-solving skills[12]

Looking outside normal pathways is a great way to fill gaps, introduce diversity (in terms of background and thinking), and invest in the care and growth of your staff.

Leverage Outside Expertise

Your institution may have a skills gap, unfilled positions, or a project that requires special skills. If left unaddressed, these gaps can cause existing staff to feel overworked. According to the EDUCAUSE Cybersecurity and Privacy Workforce report, a majority (80 percent) of respondents stated that their workload is somewhat or very excessive. If these conditions continue, institutions face escalating issues related to retention, productivity, and missed deadlines. There may already be a retention crisis brewing, as 55 percent of respondents indicated that they will likely apply for another position in the next twelve months.[13] Hiring outside expertise can bring added value to your organization and reduce existing staff members' stress levels.

If you consider using outside experts, it is important to develop a resource plan that reflects the specific needs and priorities of your institution. You may know some key gaps but haven't had time to properly identify, document, and prioritize them. If this is the case, a professional cybersecurity program assessment and tailored guidance can set you on the right path and save you a lot of headaches. Start by identifying experienced cybersecurity firms that know higher education and can provide you with a tailored and actionable plan (i.e., not just a long list of impossible goals).

If you know where you are headed, cybersecurity consultants can bring the value of focused expertise and deep experience that institutions need today.

A virtual CISO (vCISO) has increasingly become necessary for many higher education institutions. Effective security programs require a sound security strategy and effective leadership. While there is strong demand for experienced security professionals with leadership skills, there aren't enough of them. A CISO requires significant cybersecurity knowledge, IT expertise, and an understanding of the business of higher education. Contracting with a vCISO is an opportunity for an institution to significantly increase its expertise and achieve its goals (often at a lower cost).

Increasingly, many higher education cybersecurity leaders view a managed security operations center (SOC) as a cost-effective means to dramatically increase capacity without increasing staff. Almost half (47 percent) of those who responded to the EDUCAUSE cybersecurity and privacy professionals survey reported measurable increases in time demands related to monitoring and detection activities.[14] A SOC addresses the problem of monitoring for threats around the clock. Many institutions have security operations staff but do not have 24/7 coverage. Others have no formal security staff and minimal monitoring activities. There are providers out there for each situation.

Hiring consultants and managed services providers fills gaps, propels the cybersecurity program forward, and relieves the pressure on your existing staff. Take the time to determine how this approach can help you develop a comprehensive strategy for managing institutional risk.

Developing a Future Pipeline

The opportunity to shape and invest in the next generation of cybersecurity professionals helps everyone. Institutions should offer or expand cybersecurity education and credentialing programs, including graduate, undergraduate, associate degree, non-degree, and certificate programs. These programs can support existing employees who need to retool their skills as well as future cybersecurity professionals.

Consider tapping current students to fill cybersecurity workforce gaps. This may require more time and involvement than typical IT student work opportunities; however, cybersecurity roles are a great way to add student workers to your team while preparing them to enter the workforce with desired skills. You don't have to (and perhaps can't) develop these programs alone, but you can leverage partnerships. Your student worker programs should be aligned with computer science and STEM programs, trusted vendors that offer cybersecurity internships, and opportunities provided by EDUCAUSE, Internet2/InCommon, and others.

Higher education has a unique and vital role to play in helping to address cybersecurity workforce gaps across all industries. Even if your institution does not offer cybersecurity educational programs, you can still leverage the students you have to enhance your team. The skills they are learning in the classroom can be applied to cybersecurity challenges on your team.

Conclusion

The EDUCAUSE Cybersecurity and Privacy Workforce in Higher Education, 2023 report documents concerning trends for security programs. Institutional leaders must take them seriously and address them strategically. There is no silver bullet. However, higher education has a strong network of institutional partners, vendors, and professional organizations, and we will all need to work together to address the gaps and overcome these challenges.

Notes

  1. Nicole Muscanell, The Cybersecurity and Privacy Workforce in Higher Education, 2023, research report (Boulder, CO: EDUCAUSE, November 2023).
  2. Cynthia Brumfield, "Universities and Colleges Cope Silently with Ransomware Attack," CSO, March 14, 2023.
  3. Cybersecurity & Infrastructure Security Agency, "#StopRansomware: Vice Society," September 8, 2022.
  4. C. David Hylender, Philippe Langlois, Alex Pinto, and Suzanne Widup, 2023 Data Breach Investigations Report, research report (Basking Ridge, NJ: Verizon, 2023).
  5. Jonathan Greig, "NY College Forced to Invest $3.5 Million in Cybersecurity After Breach Affecting 200,000," The Record, September 22, 2023.
  6. Muscanell, Cybersecurity and Privacy Workforce, November 2023.
  7. Ibid.
  8. How the Economy, Skills Gap and Artificial Intelligence Are Challenging the Global Cybersecurity Workforce, research report (Alexandria, VA: ISC2, 2023).
  9. Muscanell, Cybersecurity and Privacy Workforce, November 2023.
  10. Ibid.
  11. Global Cybersecurity Workforce, ISC2, 2023.
  12. Muscanell, Cybersecurity and Privacy Workforce, November 2023.
  13. Ibid.
  14. Ibid.

Adam Vedra is CISO and Senior Consultant at Moran Technology Consulting.

© 2023 Moran Technology Consulting.