Higher Education Cybersecurity: Challenges, Choices, and the Case for Training

Higher education is facing serious pressure—politically, financially, and operationally. For CISOs, that means juggling more responsibilities with fewer resources. At some point, tough decisions must be made about what matters most for the institution.

Unfortunately, cybersecurity training often ends up on the chopping block. It's not that CISOs don't value it, but when budgets are tight, core tools and infrastructure tend to take priority over "nice-to-haves" like staff development.

According to the 2025 EDUCAUSE Cybersecurity and Privacy Workforce in Higher Education report, cybersecurity teams are overwhelmed by excessive workloads, understaffing, and limited institutional support. At the same time, they're expected to keep pace with rapid technological changes and increasing demands for training in areas like compliance and artificial intelligence. All of this underscores the need for consistent, up-to-date cybersecurity training as a practical solution for managing limited resources and retaining staff. ^Footnote1

But here's the thing: cybersecurity training isn't an extra cost—it's a smart investment.

Training helps IT staff understand what to look for, how to respond to incidents, and how to work from a consistent playbook. It builds muscle memory for security routines and helps avoid one-off responses that leave gaps.

When everyone shares a clear framework for handling threats and data breaches, the institution saves time, reduces errors, and ultimately lowers its risk, all of which result in long-term cost savings.

What Training Should Focus On

Below are the two most critical professional development needs for higher education cybersecurity teams:

1. Complying with data security and privacy regulations
2. Running audits, vulnerability scans, and assessing third-party risks

Both are high-stakes areas. For institutions that receive federal research funding, any misstep could result in reputational damage, funding cuts, or legal trouble.

Why Data Awareness Is Essential

Academic freedom is a cornerstone of higher education; however, CISOs still need full visibility into how data moves across their environment. Whether it's a malicious actor or an accidental mistake, a breach of sensitive data can trigger serious consequences, including national security concerns.

That's why regular threat assessments—ideally involving trusted third-party partners—are so important. One smart approach is to implement a Data Security Posture Management (DSPM) strategy.

What DSPM Can Do

A solid DSPM framework can help institutions achieve the following outcomes:

• Discover and classify sensitive data across cloud and on-prem systems.
• Identify human-centric risks and attack vectors.
• Visualize who has access to what—and whether they should.
• Spot abandoned or overshared data.
• Fix misconfigurations, such as exposed cloud buckets.
• Connect remediation steps with IT ticketing tools.

This proactive approach to data risk gives institutions a better shot at long-term, comprehensive protection.

Don't Forget the Wins

It's easy to focus on the risks and challenges, but it's worth remembering how higher education cybersecurity teams rose to the occasion during the COVID-19 pandemic. They rapidly shifted technology environments to keep learning going and kept students and staff connected—often under enormous pressure.

That moment showed the resilience, creativity, and mission-driven spirit of the higher education IT community. And that same mindset will be critical for tackling the next wave of cybersecurity threats.

Notes

1. Nicole Muscanell, 2025 EDUCAUSE Cybersecurity and Privacy Workforce in Higher Education (EDUCAUSE, June 2025).Jump back to footnote 1 in the text.↩

---

Ryan Witt is Vice President, Industry Solutions, at Proofpoint.

© 2025 Proofpoint.