By Chato Hazelbaker
Chato Hazelbaker is the Chief Information and Communication Officer at Clark College.
At a recent meeting of higher education CIOs, there was broad agreement that we should all be somewhat grateful for the recent security breaches at Target, Home Depot, Sony, and other businesses. The feeling was that now executives would start paying attention to information security. I see the wisdom in this theory. However, on reflection, I think that these personal remote misses are actually the worst thing that can happen and might actually lead to people dismissing or ignoring security more than ever.
In David and Goliath: Underdogs, Misfits, and the Art of Battling Giants, Malcolm Gladwell introduced the idea of remote misses and how they affect our behavior.[1] Essentially, he uses the bombing of London during World War Two to make the point that the Nazis thought that over the long term people in London would become terrified of the bombs falling and be paralyzed. The opposite turned out to be true. Repeated bombings, and the fact that people experienced so many remote misses, led to a feeling of exhilaration and encouraged people to take more risks. Every time a bomb fell not on their house but on the house next door, people thought the odds increased that it would never happen to them.
Target’s 2014 holiday season serves as an example of a remote miss for most consumers. In 2013, Target was in the news as having one of the largest and most devastating holiday data breaches ever. For those of us who were not inside Target and don’t know exactly whose heads rolled or what was changed, it appears that this security breach had no effect on their holiday season just a year later. In 2014, Target’s holiday sales were a bright spot as consumers seem to have largely forgiven, or forgotten, that last year many of them had to get new credit or debit cards for fear that their data had been compromised.
It might make logical sense that our executives are more aware and sympathetic to the idea of a world full of IT security threats because of what they read in the news, but in reality I think many of us are seeing that isn’t true. In order to engage executives in the security discussion, CIOs and others may want to keep the following things in mind:
Make the pieces smaller: Data security is too big a concept for most people to get their heads around, but anyone can relate to their individual credit card or academic record. When talking with executives, try to break data security into smaller, more accessible parts. For instance, “We want to make sure that we encrypt all our cell phones so that if one gets left in a cab, someone doesn’t have access to all your contacts and e-mail.” A real-life example a colleague shared with me that highlights the need for screen locks is that the custodial staff unlock and leave doors open to offices while cleaning in evenings. Employees who shut their doors when they leave in the evening but don’t properly secure or shut down their computer have just left a very tempting target. If you knew your office door was getting opened every night, you wouldn’t leave $20 sitting in the middle of your desk. But by leaving a computer on, you risk far more than that.
Take it easy on the security jargon: I have heard a fair number of IT professionals lament that their leader doesn’t understand how difficult it is going to be for colleges to become PCI compliant. My guess is, most presidents don’t know what PCI compliance is, and I know they don’t want to have to ask. It is a lot easier to say, “If we don’t do this, we can’t take credit card payments.” It sounds cool to say “two-factor authentication,” but it is far easier to explain, “You know when you sign onto a new computer to get banking information and they want both your regular password and another piece of I.D.? We should do that, because it provides an extra level of protection in knowing the right person has the data.”
When possible, show them: John Kotter said that change happens when people see something that makes them feel something.[2] Data doesn’t make most executives feel anything other than a little sleepy. However, sometimes showing executives how vulnerable a system is leads to great change. Recently, our entire network was down for several hours because a contractor had severed our fiber optic connection into campus. When one executive saw how tiny the cable was that held our entire data backbone, he was shocked. When I talk about the need for redundant connections, he is far more engaged, because he saw that tiny cable come out of the ground and felt how dependent we are on that.
Conclusion: Engaging campus executives in real-world understanding of information security is going to help make them advocates for it. There is no question that higher education is a target. We not only have valuable personal data, but some of us are housing research data, medical data, and more information that is highly sought after. The high-profile breaches of 2014 are a warning, but we can’t assume the executives we work alongside and for are hearing the alarms in the same way CIOs are. We need to help open their ears.
1. Malcolm Gladwell, David and Goliath: Underdogs, Misfits, and the Art of Battling Giants, Little, Brown, and Company (2013).
2. John P. Kotter and Dan Cohen, The Heart of Change: Real-Life Stories of How People Change Their Organizations, Harvard Business Review Press (2012).
© 2015 Chato Hazelbaker. The text of this EDUCAUSE Review online article is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 license.