Highlights from the 2016 Security Professionals Conference

A recent ECAR (EDUCAUSE Center for Analysis and Research) study showed that attending a conference focused on higher education IT is consistently listed in the top 4 professional development activities for CIOs, managers, and IT staff.¹ That's no surprise, as higher education–specific conferences offer our community of IT practitioners an opportunity to swap war stories and share tips, techniques, and tools that help guide program improvement at our institutions.

For higher ed security professionals, it would be hard to find a better place to share ideas than the annual Security Professionals Conference. This year's conference was held April 18–20 in Seattle, Washington. The conference was favored with record-high attendance, excellent content for both the novice and seasoned information security practitioner, and remarkably good weather. What more could a conference attendee ask for?

Memorable Moments

Highlights from this year's conference include the following.

Participation

• Nearly 600 attendees on-site in Seattle
• Over 100 virtual conference attendees

Program

• 10 preconference seminars and over 40 track sessions featuring awareness, career development, cyberintelligence, risk, privacy, and technical security themes
• 11 technical track presentations, ranging in complexity from introductory to advanced and deeply technical material
• A preconference law enforcement classified threat briefing
• Two relevant keynote addresses by respected security practitioners

Networking

• Formal and informal gatherings, including a first-time attendee session, birds-of-a-feather sessions, lunchtime roundtable discussions, a PGP key signing activity, and the popular "hallway track" for meet-ups in between conference presentations
• Social events, including a morning fun run and photo walk, game and trivia night events, and a charity donation drive
• The opportunity throughout to rekindle professional contacts and develop new ones

Future Trends

At this year's conference, "Data, Intelligence, Risk, and Value: Security and Privacy in Higher Ed," attendees discussed actionable solutions, tools, and approaches with their peers to improve current institutional programs and identified topics that will impact higher ed infosec programs in the fast-approaching future—next year marks the 15th anniversary of this conference.

We asked conference attendees to tell us the trends that will most significantly influence the direction of their institutional security programs in the next five years. The top 5 topics they identified are:

1. Budget and funding models (18% of responses)
2. Governance, compliance, and regulatory influences (15% of responses)
3. Cloud services (12% of responses)
4. Threat detection, analysis, and response (10% of responses)
5. IT and enterprise risk management (9% of responses)

Curiously enough, these trends largely mirror the issues we are seeing in higher education IT overall. For example, IT funding models is a perennial entry on the EDUCAUSE Top 10 IT Issues list.² Service delivery strategy, such as managing the transition to cloud-based services, is also a current hot topic for higher ed IT shops.

Readying the Golden Shovel

Security threat detection and response is a popular trend cited by conference attendees, likely because a failure in threat detection and response capabilities can lead to every information security leader's living nightmare: a security breach that exposes the institution's sensitive data. As one conference attendee noted, "The only driver that produces the political and financial backing to make significant reduction in risk is a data breach."

However, a preconference seminar took a different position. In "What Do You Wish for When the Genie Appears? (aka the Lesson of the Golden Shovel)," a team of four CISOs provided real-life experiences in the aftermath of a breach, along with the thinking required to receive resources necessary before a breach occurs. Using presentations of actual events, panel discussions, and group table exercises, the attendees worked through documenting and preparing for the moment when your university asks, "What do we need to do to reduce the possibility of an incident on our campus?" The attendees left not only with valuable resources but also with a golden shovel lapel pin, which sparked a great deal of discussion throughout the conference.

No information security leader would wish a data breach on any organization or institution, but planning for and preparing to handle such events is crucial. To do that, information security practitioners can rely on the combined power of the higher education community. For instance, consider reviewing the Incident Checklist and Data Incident Notification Toolkit in the HEISC Information Security Guide and sharing your own experiences by presenting at a higher education IT conference. You may also want to attend the 2017 Security Professionals Conference to see how the trends are changing—we hope to see you there!

The 2017 EDUCAUSE Security Professionals Conference will be held May 1–3, 2017, in Denver, Colorado. The call for proposals for the 2017 conference will be released this fall.

Notes

1. Jeffrey Pomerantz and D. Christopher Brooks, The Higher Education IT Workforce Landscape, 2016, research report (Louisville, CO: ECAR, April 2016).
2. EDUCAUSE interactive graphic, Top 10 IT Issues: 2000–2016.

---

David Sherry is the chief information security officer at Princeton University and the program chair for the 2016 Security Professionals Conference.

Lanita Collette is the university information security officer at Northern Arizona University and the program chair for the 2017 Security Professionals Conference.