I recently returned from the 2016 EDUCAUSE Security Professionals Conference in Seattle. Besides feeling a little jet-lagged and wistful in remembering the beautiful views of the Puget Sound that have given way to the normal hustle and bustle of life in Tampa, I am struck by some of the stories I heard from new information security leaders at universities around the nation.
Their stories served as a painful reminder of how difficult it can be to start a brand-new information security program at a university. The challenge of getting institutional community buy-in and support, the feeling of being thrown into a firestorm of compliance challenges, the prospect of dealing with potentially thousands of security "unaware" or "disinterested" people, and the notion of information being handled in so many insecure ways — it's daunting, to say the least.
Ahhh…it brings back memories of my early experiences walking the city streets of Atlanta in 2000 visiting university departments at Georgia State University to talk to them about basic end-point protection (back then, desktop protection products such as antivirus software actually had a lot of value in reducing malware!) — and finding that they had removed or disabled them because they felt that information security stood in the way of progress or academic freedom. Then there was the person who purposefully refrained from updating his Windows computer for three years because of his dislike for Microsoft's updates (ah yes, the good old days). However, my persistence has paid off. Over the years, I've seen a lot of progress, and while at GSU I developed many close collaborations with campus leaders in internal audit, legal affairs, finance, and administration that paid dividends.
When I arrived at the University of Tampa in 2012, I was fortunate to report to the university's president and was able to present my ideas, goals, and objectives to senior leaders who were supportive and collaborative. Everywhere I went on campus, I encountered people who embraced change where it made good sense. Today I find there's still much progress to be made, but a culture of security awareness and data protection is self-evident across the institution.
As the information security leadership role has evolved so much in the past 15 years, I figured that today's newcomers to this role in higher education (CISOs) would be embraced and supported in protecting all the valuable institutional information collected and handled at universities. But after listening to the stories of new CISOs (or those new to higher education) facing resistance from both IT staff and campus departments unwilling to change, I realized that although much progress has been made over the years, challenges similar to those I overcame at GSU still exist today at many universities across the nation.
So I'd like to give the following advice to new or experienced information security leaders breaking new ground at higher ed institutions.
- Ask a lot of questions and talk to IT and campus department staff to learn what their challenges are. You need to understand the history and the culture of your new institution. Why or how are campus organizations (including information technology) struggling with security awareness, data protection, and other key information security challenges? What are the obstacles and barriers to overcome? Where are the gaps?
- Develop an effective strategy across the institution with (three- to five-year) goals and objectives that are clearly aligned with the institutional mission. Share your vision with key constituents in campus departments. Build your program around established (risk management–based) frameworks that are chock full of effective practices, such as ISO/IEC 27001 and/or NIST. Develop a marketing campaign to "sell" your strategy across the institution to obtain buy-in. Ensure that institutional executives clearly see the benefits of your vision, goals, and objectives in their areas. (Also see the HEISC Information Security Guide based on ISO/IEC 27002 for “getting started” steps and advice.)
- Get out into the university community and shake hands with as many staff, faculty, and students as you can. While it may seem overwhelming at first, you need to gain the support and trust of the campus community to stand a chance of being successful in your new role. Develop some key questions to ask each department about its business processes and information-handling processes. Listen and observe — people are normally very happy to share their business challenges and constraints if they sense that you care and have good intentions — and this is how you begin to establish yourself as a partner and a trusted advisor.
- Come up with a list of prioritized objectives that you can realistically achieve in your first year. Ensure that you take into account the cost, time, and need for collaboration with key staff at the university who will assist with your progress. My first projects addressed key compliance issues that would alleviate risks I discovered, shortly followed by a number of other initiatives (e.g., risk management, incident response, security awareness, data protection, mobile, and network security). Update your plan each year with new goals and objectives.
- Perform a gap analysis of your information security controls and methods on a recurring basis. The results generated by performing risk assessments and vulnerability assessments, and by examining trends highlighted in the various information technology/security systems deployed at your university, can help you identify critical or high-priority gaps in coverage. Additionally, you may benefit from using the HEISC Information Security Program Assessment Tool, HIPAA Security Checklist, Department of Education's PTAC Data Security Checklist, and other similar resources that will provide you with the information you need to identify and prioritize areas of your information security program that require improvements or enhancements.
- Overcome resistance to change and continuously monitor your progress. You will encounter campus staff who refuse (at first) to change the ways they handle information or are apathetic about information security in general. These are the very people you need to spend focused time with to win their support, and afterwards, they may become vocal champions for the work you're doing. As you make improvements across the university, ensure that you publicize and celebrate your wins both small and large, as well as the effective collaborations that you've achieved.
Tammy L. Clark is the chief information officer at the University of Tampa and is a member of the president's executive cabinet. She also serves as the institution's chief information security officer. She has been actively involved in working to further effective IT and information security practices in higher education for over 15 years. Tammy is passionate in her desire to effectively partner with business and academic leaders across the academy to help them take advantage of disruptive technologies and innovative solutions that provide a competitive advantage and help them achieve strategic goals and objectives.
© 2016 Tammy L. Clark. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.