The Association of Governing Boards offers questions to ensure your board is providing effective oversight of cybersecurity.
At this year's Association of Governing Boards (AGB) annual meeting, I was part of two conversations about sharing information on cybersecurity with boards. It was great to work with Robert Heinrich from Stockton University and Mike Cullen of Baker Tilly. Between the three of us, we led two interactive discussions to assist board professionals and board members in working with IT and security professionals, specifically to understand the pertinent aspects of cybersecurity programs and address cybersecurity risks in a collaborative fashion on campus.
In the first conversation, we talked about cybersecurity problems that keep you up at night. The most important point was that cybersecurity is not simply an IT problem, a management problem, or a personnel problem. Rather, every individual at the institution plays a supporting role, and board members need to set the tone that a communal effort is required to ensure the institution's information is safe from threats. We provided some of the fundamental elements of a successful cybersecurity program and discussed the tools and vocabulary needed to prepare for — and withstand — an attack on your campus. It seemed as though only about half of the attendees had regular meetings with their cybersecurity professionals, so if IT and the board staff haven't recently had a meaningful conversation about cybersecurity, I recommend that you set up a meeting as soon as you can.
In the second conversation, we talked to board members and campus presidents about what boards should know about cybersecurity before it's too late. The intention was not to scare board members by suggesting that a breach is inevitable. Rather, the goal was to point out that data breaches and cybersecurity threats are a major risk for many colleges and universities. Because research shows that higher education is one of the more susceptible environments to hacks, we discussed various threats and the ways in which higher education institutions are combatting possible breaches. I know that it is sometimes difficult to get a meeting with the president or the board of trustees; however, it is important that someone is helping the board compare the cybersecurity risks to all of the other institutional risks.
In both cases, the interaction with the audiences is what made the conversations relevant. As examples, we were asked "What if we have no cybersecurity expertise on the board?" and "How should the IT department be presenting the current risk profile and cybersecurity action plan to the board?" Although big breaches of social media companies and large corporations frequently dominate the conversation at conferences such as those held by EDUCAUSE and AGB, the concerns that we heard were about how to protect our institutions. That is, they wanted to discuss their own problems and not dwell on failures from the news.
At the nuts-and-bolts level, we discussed how topics such as business process improvements and data governance relate to cybersecurity. As with cybersecurity, those responsibilities are distributed to many people throughout the entire institution. The importance of social engineering and how to promote cybersecurity awareness at your institution also got some attention, as did regulatory compliance and disaster recovery. In the end, the most prominent topics were the tools, the processes, and the concept of cybersecurity as a team sport.
All of these discussions were based on a new book just released by AGB called What Board Members Need to Know About Cybersecurity that I coauthored with George Finney and Joseph D. Barnes. It's a short book and a quick read. Even if you have no interest in the book, there are five questions in the back that are posed for board members. I've reposted questions here because I think these are especially important when talking to your board about cybersecurity.
- Is your board providing effective oversight of cybersecurity? Does the board discuss cybersecurity regularly, only in response to incidents as they arise, or not at all?
- How is risk identified, assessed, managed, and reported at your institution? Are cybersecurity risks considered alongside other institutional risks? How is the board kept informed of significant cybersecurity risks and how they are being managed?
- What are the principal cybersecurity risks currently facing your institution, and what is the institution's strategy for addressing them?
- Is board members' collective understanding of cybersecurity sufficient to enable the board to ask questions that help ensure administrators are focusing on the right issues?
- How does the board signal its support for the institution's cybersecurity strategy to the administration and, more broadly, to the campus community?
Protecting institutional information and digital assets has become a vital concern for higher education. Cybersecurity is an institution-wide concern, and the role that boards can play in efforts to understand and respond to cyber threats should not be overlooked. Colleges and universities that communicate clearly and frequently with their governing boards will be well positioned in their cybersecurity initiatives.
About the Association of Governing Boards of Universities and Colleges
The Association of Governing Boards of Universities and Colleges is the premier organization centered on governance in higher education. It provides leadership and counsel to member boards, chief executives, organizational staff, policy makers, and other key industry leaders to help them navigate the changing education landscape. Its members are more than 1,300 boards, representing 1,900 colleges, universities, and institutionally related foundations.
Michael Hites is the Chief Information Officer at Southern Methodist University.
© 2018 Michael Hites. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.