Embedding Security in the Academy


What would "security as a strategic business function" look like in a higher education information security program, and how can we get there?

[Image: computer circuit board with glowing lock icon embedded in it. Credit: FotoMaximum / Thinkstock © 2018]

The practice of managing the security of information has been around for a very long time. Julius Caesar created the Caesar cipher around 50 BC in an effort to protect the content of secret messages. In the 16th century, Mary, Queen of Scots, encrypted her messages with a cipher. Particularly during times of war, nations and their allies have devised systems to prevent enemies from obtaining important communications and to render those communications unreadable should they fall into the wrong hands.

And yet, the information security we talk about today—the security of data and information in electronic formats—remains a relatively new industry. The opportunities introduced by information technology—to duplicate and distribute information very quickly, in virtually unlimited quantities, at relatively insignificant cost, to any place in the world—bring with them countless ways in which those information assets can be compromised, by accident or intent. Meanwhile, the stakes for the security of information and the systems that use that information have grown quite high.

As in any emergent industry, the roles for cybersecurity are evolving, as is the positioning of those roles in organizational structures. In higher education, 83% of information security teams report through the chief information officer (CIO) to college or university leadership, rather than reporting directly to the provost or other institutional leadership positions; in other industries, fewer than half of information security officers report to the CIO.

Of course, no organizational structure is the best fit for all colleges and universities. Although my inclination is to recommend that security teams always report directly to the highest leadership levels, the more pragmatic side of my brain suggests that the security team should report to whatever leadership structure makes cybersecurity issues and activities an effective and integral part of the institutional leadership. This could mean reporting directly to the president, the board, the provost, the CIO, or to another individual.

Regardless of organizational location, we need to stop thinking of information security as primarily an IT function and instead understand it as a strategic business function, supported by IT—just like every other activity on campus.

What Would "Security as a Strategic Business Function" Look Like?

If cybersecurity were fully integrated—structurally and culturally—as a strategic business function in higher education, it would embody a set of characteristics that would signal its importance to the campus community. Some of these may already exist in your institution, but many probably do not:

  • The security executive is uniquely positioned to advise and guide the strategic planning of the institution. As the industry wrestles with the challenges of ethical data use, consideration is given to whether an institution can do something with data, whether the institution should do that, and, if so, how it can be done securely and equitably. This extends to issues of data-driven research, student success analytics, learning technologies, and the like. Rather than expecting security to react once an institution's strategy is announced, security has a seat at the planning table.
  • Costs of security are factored into all projects and major spending decisions and managed as strategic investments. As the number and complexity of cyber threats increase, from procedural accidents to nation-state attacks, the cost of securing the information and intellectual property of faculty, staff, and students increases as well. Commonly required security protections receive core funding. Key security vendors are called upon to invest in scholarships, chair sponsorships, and the like, as a strategic affiliate. Other vendors and partners are contractually and culturally expected to meet the security standards of the organization.
  • Security tools and training are incorporated into every faculty and staff member's role as a condition of employment/appointment. Awareness of data protection protocols is valued as key to the core activities of the academy, rather than an administrative compliance burden. Institutional leaders receive regular, focused awareness training on current security issues and events.
  • Security skills, the ethical use of data, and privacy protections are included in the core curriculum of every student. Classes are taught through a multidisciplinary lens, focusing not only on basic technology concepts but also on psychology, risk management, mathematics, languages, and public policy.

How Can We Get There?

The road to embedding information security in the academy is a long one. The following steps should be taken as part of an integrated security program:

  • Ensure the institution has a security leader capable of working at the highest levels (i.e., a chief information security officer). Give that leader regular, operational access to the board, the president's cabinet, and all leadership groups. Ensure that the security leader has a voice in strategic planning committees and activities.
  • Incorporate information security risk into all other risk management structures, including enterprise risk management or equivalent governance groups.
  • Support sound security practices and policies through training, innovation, organizational change management, services, and, where necessary, disciplinary action.
  • Provide financial support for security activities taking place across campus, not just for the security teams. Allocate funding to non-technology processes as well, so that the protocols protecting data confidentiality, integrity, and availability can be fully adopted.

As higher education reimagines itself in this new century, the way we manage our information will be key to determining the value we provide to the larger community. Security is a building block for data stewardship, a concept and a practice the entire academy needs to embrace to fulfill our mission.

Helen Patton is Chief Information Security Officer at The Ohio State University.

© 2018 Helen Patton.