The Power of Collaborative Cybersecurity

EDUCAUSE Shop Talk | Season 3, Episode 4

Sophie and Jenay talk with guests Justin Gatewood and Isaac Galvan about how higher education professionals can cultivate a shared sense of ownership over cybersecurity to improve cybersecurity culture and outcomes.

Takeaways from this episode:

  • Effective cybersecurity practice in 2026 is a shared responsibility across the institution.
  • Collaborative cybersecurity requires managing change and developing productive dialogue to help business units and end-users understand how cybersecurity connects to the institutional mission.
  • Security teams should nurture regular engagement with the larger institutional community to normalize ongoing security dialogue, training, and transparency.

Sophie White: Hi everyone. This episode of EDUCAUSE Shop Talk is about collaborative cybersecurity and how higher education institutions can share the responsibility of cybersecurity across stakeholders and business units. We had a really great conversation with Isaac Galvan and Justin Gatewood about a number of things related to collaborative cybersecurity, how it's related to dialogue at the institution and changing user behaviors, how risk management is really the main goal of collaborative cybersecurity and how it's important to share the ownership of risk across business units, how we can work across departments that security becomes really foundational. People are asking questions about security in the same way they might ask about a budget and really how this all ties back to larger conversations about institutional mission and change management. It's a really great conversation. I hope you enjoy it. This is part of the EDUCAUSE Showcase series resources. We have a webpage and a series of other resources at EDUCAUSE as well related to collaborative cybersecurity. So check out the Shop Talk episode and go to the link in the show notes to experience the full showcase.

***

Sophie White: Hello everyone and welcome to EDUCAUSE Shop Talk. I'm Sophie White. I'm a content marketing and program manager here at EDUCAUSE, and I'm one of the hosts for today's discussion.

Jenay Robert: My name is Jenay Robert. I am a senior researcher at EDUCAUSE and I will be your co-host.

Sophie White: Fabulous, and we're really excited to have two special guests with us today. We'll be talking about collaborative cybersecurity in higher education, how institutions can collaborate across the institution to make sure that we are keeping cybersecurity top of mind. So I'll introduce our two guests and then we'll jump into it. First we have Dr. Justin Gatewood. Justin is a higher education technology and cybersecurity executive with more than twenty years of leadership experience across California's public higher education system. He has served as both CIO and CISO, including director of information systems for a statewide online college and interim chief information security officer for the California Community Colleges Technology Center, which supports more than one hundred colleges and 1.8 million learners. That is a lot of learners. Justin is currently an executive security and technology consultant and serves as an adjunct faculty member in cybersecurity and technology management at multiple universities.

His work focuses on enterprise risk management, zero trust architecture, threat detection and response, and aligning cybersecurity strategy with the institutional mission and student success. I'm excited to talk about that. We've been thinking a lot about institutional mission and how it aligns with our work, so that's a great fact. And finally, about Justin's certifications. He is a CISSP, PMP, multiple SANS GIAC Certification holder, has presented across the country for nearly two decades, including at the EDUCAUSE annual conference, EDUCAUSE Cybersecurity and Privacy Professionals Conference. And as a co-author of the 2026 EDUCAUSE Top 10 report contributing to issue number one, collaborative cybersecurity and issue number five, knowledge management for Safer AI. Thanks so much for being with us, Justin, and for contributing to all of the EDUCAUSE work that you've done.

Justin Gatewood: Absolutely, it's a lot of fun.

Sophie White: Great. Next up we have Isaac Galvan. Isaac is the community program director for cybersecurity and privacy here at EDUCAUSE. He leads programming resources and community engagement for cybersecurity and privacy professionals across higher education. Isaac has over twenty years of experience in higher ed cybersecurity and IT and oversees key initiatives including the Cybersecurity and Privacy Professionals Conference, the Cybersecurity and Privacy Guide and the HECVAT, and we can talk about what the HECVAT is in a bit. Isaac holds a certified information systems security professional, CISSP certification and works daily with cybersecurity and privacy leaders at institutions of all sizes to address the sector's most pressing challenges. Thanks Isaac for being here.

Isaac Galvan: It's great to be here.

Sophie White: Great. All right, so let's kick it off. I'm really excited about this topic. This was the number one issue in our EDUCAUSE Top 10, which is where we look at the most pressing issues across higher education technology. This one was identified as number one by our community through interviews and survey results. So I think it's really interesting because in my perception, cybersecurity has maybe traditionally been seen as kind of a siloed operations in one department. If you're a cybersecurity professional with that title, you do cybersecurity. But this issue to me says cybersecurity is everyone's job across the institution and we need to collaborate in order to keep our institutions secure. So can you all talk about why you're excited to talk about collaborative cybersecurity and maybe how this has changed over time to be a more collaborative endeavor?

Isaac Galvan: Yeah, absolutely. So cybersecurity has been part of the EDUCAUSE's Top 10 for years. I mean, it's a regular reference and of importance to this community and privacy as well of all of the people who are members of our communities and their data. And so those two things go hand in hand. I think it's the right time for this conversation and it's evolving because we're learning more and more that you can't buy your way to a secure environment. Certainly there's a need for a lot of tools and there's a need for a lot of the right monitoring resources and things like that, but there's a human side to every interaction with the data and with the technology. And when you're able to cross that bridge and start speaking with people about how you can empower their work to be more secure and to be the best for the institution and the organizations that you're trying to help, they really understand that and they really want to contribute and be part of that secure mission and that secure message. So it's just such a nice sign of maturity of where we are as a sector, as a higher education sector for the way that we approach cybersecurity and we're really trying to at EDUCAUSE is spread the good word, that what people are doing and encourage others to pursue those same goals and through those practices and best practices. So I love this time right now in cybersecurity where there's a big focus on getting everybody involved and playing their part and really enabling their work.

Justin Gatewood: Yeah, that's an excellent point, Isaac. Something I'd like to share, just the only real control that's scalable is shared ownership across any organization, whether it's in our industry in higher education, whether it's in enterprise organizations, public or private sector. In California, public higher ed for example. I've seen that security really only scales when risk ownership sits with the business units that depend on the technology that's being used by the unit. I was doing some reading. In preparation for our discussion today, CDW did a report in 2024. SQ magazine also talked about this. About 88% of higher ed organizations have about a quarter of their apps in the cloud. About almost 60% have more than half of their apps in some context in the cloud. And then more than 78% use real time collaboration tools like Jenay was talking about Teams where there's some aspects of the communication going on hosted in some cloud service.

And about three quarters of us host our learning management system on either a public or a hybrid cloud infrastructure, whether it's Canvas, whether it was hosted Blackboard prior to that, whether it's D2L Brightspace, or whatever the company is. And about 70 percent use the cloud to post assignments for students. I use D2L Brightspace and a host of other platforms, Google Workspace and so on at Purdue Global University teaching cybersecurity to students as well as all sorts of other hosted learning platforms. So an actionable takeaway that I would recommend for those watching this to think about would be to assign risk owners for mission critical systems. So not just technical administrators, sysadmins, people like Isaac and I who have worked behind the scenes, been cognizant the machine for a lot of period of time solving problems and delivering results, but assign people that functionally need these systems to work.

The higher up the chain in that functional area the risk owner is assigned, and agrees to be assigned to that position, the better the outcome is likely going to be. Because you're going to be collaborating with them as we talk about the topic of collaborative cybersecurity and be demonstrating to them the "so what?" So it's great to say, well, yeah, here's the NIST requirements or the CIS controls or the SANS incident response framework or whatever it is. You've already lost most of the people in the room when you mentioned those things. But if you say, well, here's the reason why we need to ensure the student and faculty data in the LMS are appropriately controlled and protected from those who shouldn't have access. And you can just talk about it in business terms rather than technical terms and that's when it becomes much more scalable and shared.

Isaac Galvan: I love something you said there, Justin, about controlling who has access. And I think that just extends the, as we look at how higher education works, our users typically have a lot of access. They have access to data, they have access to sharing, they have access to systems. And while we really try in cybersecurity to preach the minimum access, right? Like have the minimum necessary access for your role, your job and zero trust implementation, we're still working there. We're still working to that progress of having configured environments where users can't get themselves into trouble. But we live in this environment where you said shared ownership. Sometimes our users in higher education are working on devices that they personally own. It's their own device. And so how do we teach them that when you're using your institution's email on your device, you need to protect that in special ways and you need to protect any kind of report data you might be viewing on your personal device or not do it if that's your institution's IT policy. But be aware of those things because our users are so empowered in higher education to make those choices themselves.

Justin Gatewood: Well just if I could piggyback off what you just said, Isaac, about controlling access and about personal devices. I've been working in networking and technology for a long time and the perimeter that we used to have the edge of our network operationally that's been gone for a while. So students, faculty, our staff, our administrators, our other stakeholders, our partners, they're using, like Isaac said, exactly, personal devices, bring your own device type stuff. A lot of enterprise organizations have BYOD policies that are articulated to provide some governance and structural around it, but you need to arrive at those policies together with other business units and stakeholder groups at the institution. Depending on the institution you're working at, you may have bargaining units that need to be negotiated with what's the impact of this, what's the legal aspect, what part of it are they willing to take on as a unit?

And what part really stays with the IT security enterprise apps. But we're dealing with hosted technology and learning platforms, cloud environments, like I mentioned, people working in person, people working remotely like we all are right now. Security can't be a centralized governance or enforcement function. It has to be shared. So a takeaway that I would recommend people use would be take the top ten institutional systems that you have, which has to be a list you would arrive at collectively, which gives you the opportunity for a meeting and developing a relationship. And relationship is where you develop influence, which is where things happen. So map the top ten systems you have, identify which ones operate outside of your traditional network perimeter and just start with a list of ten. You likely have more than ten. I remember mapping inventory at one of the community college campuses I worked at just out of curiosity and we had 114 different systems and that's at a relatively rural California community college in the high desert of southern California. So imagine what it would be like at a bigger university and especially when you have large grant funded research operations going on, or you have a single academic area doing significant global research with millions or sometimes even billions of dollars in grant funds coming in from various sources in and of themselves. They likely have that much stuff going on. So it has to be a conversation.

Jenay Robert: I appreciate that lens of the evolution over time. We touched on this I think in a previous episode of Shop Talk when we met with Mark McCormack and Crista Copp about Top 10 in general. And I had kind of made a little bad joke. All my jokes are bad, let's face it, but I had made a little joke about in the Top 10, we pretty much always see cybersecurity. I think Sophie had mentioned that. And so what if we all got together and said, look, we're going to concert our efforts. We're going to make sure that cybersecurity is not a Top 10 next year. We are going to solve all the problems. Could we do that? What would that look like? And I think it was Mark who made a great point about it'll always show up because it's always evolving and the technology's always evolving. And so even though we always see it in the Top 10, we always see it from a slightly different angle.

So that kind of evolution of cybersecurity over time is really helpful to think about. And then I think not surprising for all the reasons you mentioned that this year's angle or lens or view on it really is about that collaboration among the people, but I can imagine it makes your jobs so much harder in cybersecurity that it really depends on bringing people along and collaborating with them. But because it's this sort of ever present element to the work that we do, perhaps people kind of place it in the background noise of what's happening at the institution as opposed to centering it as something that's an essential element of daily work. Is that a challenge that plays out for you?

Isaac Galvan: I think there's two ways I've seen this approached in institutions. I mean there's probably lots of ways, but two that come immediately to mind and one is the security team, if that's the CISO or whoever's helping to design the standards and practices, they need to go meet with the people where they're working and see a bit about their desktop, see a bit about their environment, the kinds of papers and communications they have, and just learn and make sure that their security policies aren't impeding their work. So that's a huge part is being visible and present and able to answer questions. The CISOs that I talk to who have the best compliance and participation from their researchers are the ones who really take the time to walk around and just make themselves known. You don't have to buy everybody pizza, but you can just, if they know who you are, they're going to remember that.

I think another fantastic way to share some of this responsibility and concerns with more members of our academic community is a lot of institutions are implementing a cybersecurity champions program or a liaisons program where people who don't necessarily have an IT role but are still very interested in cybersecurity and online safety and sharing that message, get that opportunity to interact with their security leadership to maybe get some recognition for that, but also crucially to spread that message in their community and to be their office person that when a new security policy or something is coming down the line, they could be the question or the help to answer questions or to help their coworkers recognize the importance of what that is because it's not just an IT role anymore. So that's really what we hope through some of this communication and the evolution of how we treat higher ed cybersecurity and privacy.

Justin Gatewood: I completely agree with that, Isaac. I would like to frame it this way. Security is really a change management challenge, not a technical issue. I studied organizational change in leadership for my doctoral degree at USC, fight on everybody, and I've learned that security, I have to say that it's a requirement, very internal soldier thing. So I've learned that security does really fail if it's treated as a technical rollout, like I was saying, it's really a cultural and behavioral shift. So something that I've taken on for myself and that I would recommend others consider thinking about is before you launch any form of security initiative or something you identified needs to change, ask what the behavior is that's happening at the organization that likely needs to change. And that can be arrived at through discussion with stakeholder groups and should be, there should be agreement on, well, we should probably try together to change this behavior for our stakeholder groups because that's likely where much of the issue may be coming from. What system or process that we have supported or have internally is reinforcing that behavior.

Is there a way for us to address that in an institutional enterprise level way and can we put some policy around that and what should that policy look like? Because like Isaac said, going out and being visible, talking about the real impact to somebody's day, because if you implement something security related that's hard or makes someone's day worse, they're going to find a workaround. They're going to become unknowingly an internal threat without doing anything necessarily wrong, but just by, well, that made my day harder, so I'm going to go this other way and figure it out in some other and they're going to find a way around it still. I can't tell you how many times I found sticky notes under somebody's keyboard or a drawer. I was at Barnes and Noble years back and on the bargain shelf was an internet password logbook. It was like a little Moleskine notebook, with the URL, username, password, date changed. It's like,

Sophie White: Oh no. I think that's a great way to frame it is change management. And I'm curious, Justin, this is top of mind, our last Shop Talk episode, we were chatting with a couple of researchers from the University of Maryland about change fatigue and how the rate of change has been accelerating that teams are getting really exhausted at a systemic level. I'm curious, how do you manage in this really wild world that we find ourselves in when people are getting exhausted by all of this change, but managing that change is crucial to support cybersecurity operations. How do you work with people to make sure that the change is manageable in the midst of all of the other change that they have going on?

Justin Gatewood: That's a great question. I saw the discussion about that on the previous Shop Talk. Thank you for sending over some of those preparatory materials. That was helpful. I had a fabulous mentor and leader that I worked for earlier in my career, and anytime anyone would ask for some new thing to happen, it was basically a prioritization task. He would say, here's what we're doing for all of you, and here's the new thing you're asking about, which one of these should we pause or delay so we can introduce this one. So you have to understand capacity and workload is just a reality and change management, project management disciplines help focus on that and prioritization and communication, as Isaac was talking about, just being real saying, Hey, this is something that is maybe higher priority to some of the other stuff we've all been working on, and here's the reason why it's higher priority, kind of the, "so what? Why does that matter to me?"

And to your point, Sophie, is the change that we're talking about behavior, we're asking to be modified, the policy that we're asking to implement, whatever that is, is it important enough if successfully deployed to make a difference in everyone's day and improve efficiency to reduce some of that workload? And that should be something we also consider when considering change because we all get tired and exhausted and just kind of, oh, here comes another thing. Thanks, like I don't have enough to do. That's just a reality. But if there's an important enough issue that's been identified to be a potential way for an adversary to compromise a system or a way for privacy violations or compliance related things, that could be a reputation hit for the institution to happen. Like I said before, if you're talking to some of these other folks around the organization around mission critical things, you've mapped maybe your top ten, you've assigned some of the people who really lead those things maybe over an instruction or academic affairs and they're leading the risk management approach.

And then you talk to 'em about, we're thinking about making this change to the way faculty and student data is accessed because we want to make sure we have no FERPA violations or any other issues there and we believe this is a way to do it. What do you think? And if they take ownership of that and start those conversations. So it has a lot more weight coming from like an associate Provost of instruction than it does from the CISO, even though they're literally very similar contexts. It's going to have a lot more weight coming from the place where that issue is actually being managed rather than from some technical person saying, you should do this.

Isaac Galvan: Yeah. Justin, I think you touched on it a bit too with the risk management approach. And I love that taking a risk-based approach admits that not all vulnerabilities or threats are equal. And so some things are going to need a little more priority or need a little more urgency in addressing in the organization. So as you're choosing, you can't fit everything through the hose in one go, but as you're choosing what topics you want to drip and approach and address with your community, really understanding not addressing those vulnerabilities, right? What's the harm of an unsuccessful change? What's the harm from that is also important for the security person to bring to the table when they're talking with the rest of their governance team or whoever's leading the change, whoever's leading the conversation on the change and why that's happening, I think that's really important to lend that lens through the cybersecurity eye.

Another great way to keep these topics from feeling like when you have a change from feeling overwhelming is just we see this in cybersecurity is to have a regular communication channel with your users. So that way when you say your approach to training, if you're doing one annual training for your users, when that annual training period comes around there and say, oh boy, here comes the annual training. But if you have it designed in a way that it's more frequent and part of their regular work and maybe there's some better incentive to participate and do it or more opportunity to complete it, than just that one two week period out of the year, people's attitudes will shift over time and they won't. And so when you do have something important that you need to communicate and train them on, they're already in that cadence. They're already in that mindset and they're already used to your trainer and they're already used to your delivery method. It's not taking them out of their regular work. So there's a couple fantastic ways to do that.

Justin Gatewood: Can I piggyback off that Isaac real quick? Because that's a great point. And you talked earlier, Isaac, in one of your responses about security champions, and when I went through the SANS security awareness professional certification program, which is really, it's taught by Lance Spitzner, it's something I made sure that we included in the Top 10 2026 report was a reference to his work. He's considered one of the global leaders. He's one of the most highly sought after folks, and the certification program revolves around his course material. He talks exactly about what Isaac was just saying, having an ambassador program or a security champion program where it moves beyond that annual compliance training. Because what happens when the annual compliance training comes up and you get a list of ten, fifteen, twenty things from HR in your email, you got to go to FERPA training, you got to go to all these other various ones.

And oh, and the security one has because a handful in there too, it does have to be more than annual because a lot of people that if they admit it, wouldn't want to protect the names of the guilty, they turn it on in the background and put it off on another monitor and then silence and mute while they are doing other things, said no one ever. And then they go back and answer 'em all because they know the answers because it's the same exact one from last year and it's never been updated usually. And that's not because the people who provide the compliance training are bad people. To Sophie's point, they have a lot to do and they're overloaded and there's just not enough time to be able to update a lot of this stuff. So having, it's this way to build relationship as Isaac said, to be seen, is to develop relationship with one person for each area, just like we do for any other participatory governance activity in higher education, get people to participate like a committee.

Yes, I know we don't want to hear that word, but that's how we govern in higher ed and bring people in from every functional area, maybe once a month for a half hour. It doesn't have to be a huge time commitment, but maybe when they come in for that once a month, you have each person prepare a little five minute discussion about a topic important to them that is security connected in their context, and then have a larger discussion, have the security team bring some specific topics to discuss that are more current as well, but change how you talk about it as a security team to the language of your stakeholders. It's like a know your audience marketing communications context. How can I frame this so it matters to someone else in a non-technical way? And that develops a skill that's really valuable for security professionals.

So having them come in once a month is a takeaway you could use, gain a centralized understanding of what's going on, and then that turns them into an ambassador from that central context to go speak. They already have the relationship over in that functional area that you don't have. They already have the understanding of the business process that you don't have. They're going to bring that to that room and help with the understanding from an enterprise perspective while also sharing the message of the security team in a more organic way in their area. It's just going to rising tide lifts all ships. I'm a former Navy, active duty Navy sailor, so for reference, but it does happen. It helps when you have someone communicating in the language of the department that you need to gain insights from.

Jenay Robert: I think sometimes those conversations have to be messy, right? And it's hard to make the space for those conversations when you work in a highly specialized area. And I've had experience of not working necessarily in cybersecurity, but other specialized units at an institution, people don't necessarily know or understand your job. And so when you ask to meet with them and you have to hear their story through that lens, you have to apply that professional lens instead of putting the onus on them to do that because they might have pain points in their job that they don't realize are cybersecurity issues. Until you're able to hear that messiness of, well, here are my biggest pain points in my job, here are the things that frustrate me. Here are the things I'm really struggling with. Here are the things I love doing and I'm excited about. And next thing you know, you've heard about five different ways that you can help them protect their data that you didn't think about before or they didn't think about at all.

Sophie White: So I'm curious, Justin, you mentioned this "so what?" a few times of how we frame the cybersecurity work we're doing in maybe larger terms. In your bio, you talked about connecting cybersecurity to the institutional and mission and to student success. Do you have any tips for how, maybe for someone who doesn't have a strong understanding of cybersecurity, you might talk to them about connecting to these larger institutional goals, student success? I feel like based on the work I've done, sometimes that can feel like more of a stretch if you're a career advisor, for example, doing your day-to-day work, helping students, advising them on what their next steps are after the institution. How do you connect cybersecurity to that larger mission?

Justin Gatewood: Well, when you're focusing on the mission, and thank you for the transition there, you have to start with what the outcomes are that you want to achieve. What are the things which is an organizational perspective, not a security or a technical discussion. What is the organization's goals? What are we trying to accomplish? What are the things we are measured against internally, externally, both. Not the tools that could potentially provide you better visibility into the activity in that part of the network. That's a security and technical function that's more for technical people to talk about in their internal department meeting. But what's the outcome you need to achieve? So you're talking about career services or your counseling guidance, then every college calls it something a little different, college and university. But you got to start with kind of a mission map, right? So what are the things that can't fail?

What are the most critical things that we have? And I talked about this at a poster session at EDUCAUSE's annual conference in 2023 in Chicago, was what are the things you want to protect? And the answer can't be everything. So you have to start with some form of an inventory. I mean, the answer is everything. It is. That's the reality. That's the "So what?" part of it that, to your point, Sophie, but in what order? What are the most critical data sets that we are stewards of? So then you have to look at which ones are classified in certain ways. Well, how sensitive are these data sets? Do we have payment card industry data, financial data? Do we have personally identifiable information in these, PII, do we have protected health information, which we may have depending on the program or what we're doing, what are the types of data that we have and then what can't fail?

So is it research continuity that can't fail because of our big grant programs and research R1 level stuff that we're doing at our university? Is it student services stuff? Stuff that we've, from a counseling or admissions or financial aid perspective, we're helping students navigate through that matriculation process. Is it our teaching and learning platforms? Is it the integrity of our accreditation that we need to be able to demonstrate so we can be reaffirmed every so often, which changes depending on how well we did last time. It's likely all of that. But then it's, okay, well which ones are the most important data sets? And then that's one list and that has to be decided upon collectively. And then what are the most critical business operational things that we have out there? Applications, platform systems, put those on a list in a priority. And then the key aspect is which one of these data sets uses which one is used by which one of these platforms, which lists that we have together marry those two lists together.

And you have a priority list of response for expenditures for discussions around priorities. And then now you can build a one-page institutional mission to digital platform or system dependency matrix. Here are the things that are dependent on each other. And as you're talking about what is the mission, what are the outcomes, what are we trying to achieve? Each functional area, if you have a named and signed and agreed, yes, I'll take it, risk owner from academic affairs, student affairs, technical side, legal compliance, HR, finance. If they agree to take on the risk for that, they already have it anyway. If they agree collectively, collaboratively to take ownership of that, then they're going to have a vested interest in ensuring that the tools that are set up and the metrics that are being tracked are helping deliver on those goals. So that's what I would recommend. Go through that inventory process. It's not fun. It's super tedious. It's boring and very dry, as you said. I need some sandwiches, some soda or something, and give people something to keep their mind going as they work through the process of that inventory. It's never fun, but it's a critical piece of due diligence to provide us visibility into what we have and what we can do with it.

Isaac Galvan: Yeah. One thing that really helps in that area too is considering if any of that data or systems you're trying to protect are regulated due to being part of a sponsored program or other compliance need that's involved. That certainly would shortcut conversations like, oh, we need to protect it to this level because the regulations say so. That's really helpful. I wanted to think about the other side of student success too, because it's really important to protect the systems that hold the student data, but the students are also wildly affected by some of the things going on in the cybersecurity realm. The students themselves, a lot of them, by being enrolled at a university, sadly they're targeted as part of some of these wide campaigns to gain access to academic credentials, to gain access to academic resources that our institutions provide them. And I've heard dozens of interesting stories about ways that student credentials are compromised and used to cause business disruptions, both for the students and for the institution.

For example, I heard a story about a student credential that was used to rack up hundreds of thousands of dollars in content charges for a library, and they used a stolen account to buy all sorts of content with the library using on-demand provisioning. And the library didn't have any recourse for that because it was done with a stolen credential. And there's just a very interesting, lots of stories out there about the ways of protecting the student accounts. And some of these students are also subject to identity theft or other different programs or threats that really compromise their ability to participate in the academic side of life. So really important. And we're seeing a lot more programs reaching out to that community as well and reminding students to be informed about what's happening around them and how to keep themselves safe, as well as the institution of course, and the data that they're working with.

Sophie White: I love that. I'm always harping on this, but institutions, our obligation is to train students so that they're successful outside of the institution too. Also making sure that they understand the cybersecurity frameworks and how to protect themselves and their future organizations, workplaces, families, after they leave the institution too. So I think that's a really important point, and thinking about how there are these specific threats that are targeted towards students and how we can protect the institution from those too.

Justin Gatewood: Well, and an important point on that too is we can't sacrifice capability for compliance. We can't, because we have operational requirements and goals of things we're being measured against. As Isaac said, we have regulations, they're laws, they're legislated requirements at the state level, sometimes locally, oftentimes federal. And those things can change when policies change too. And so there's a lot of shifting sands there for some of the aspects of it. But large grant-funded research projects usually have articulated deliverable requirements and metrics that have to be met. And oftentimes, you're seeing more and more often in those underwritten grant paperwork documents where the finances are being provided, we want you to meet the following compliance framework from a security perspective or a data privacy perspective. Often or sometimes some of this research is happening in the European Union. So you have GDPR-level requirements because of the context of the research.

Or maybe in California you have the California Consumer Protection Act, which is basically GDPR light and only being done in California. We have a tendency in California to try everything first, whether it's a good idea or not, but that's just kind of how we do it. So you may have a compliance requirement that you're not used to that pops up because of something like that. Or you have a partnership with maybe a business, a for-profit organization that's helping you bring students in for a particular internship or a trade or some other kind of apprenticeship program. And it's not uncommon for that data, that student data, to Isaac's point, to be shared in some context with that organization. Is there an assessment being done of that third party? Is there a risk management eye looking at that? Is there someone higher up in the organization? So it's something I want to reference as well.

Governance needs to follow the mission. I talked about mission outcomes before instead of tools. So if it's a mission-critical thing, something that is tied directly to a goal, whether it's grant-funded, departmental, institution-wide, you can't bury it in the IT budget as a line item. It's got to be aligned with the priorities of the institution. And that's one of the challenges. SANS has talked about this, people all over cybersecurity have talked about this. The CISO should not be a subordinate position because it has an additional letter to a CIO or a CTO. It's not subordinate to a CIO or CTO. It's a risk management and legal compliance function that should operate at that same level and should report directly to the top. The higher up the chain in any organization the CISO or the chief security officer reports, the more likely that functional program will be successful and connected more to institution-wide priorities rather than getting pulled into enterprise applications or IT infrastructure or other operational DevOps-related stuff.

So a way that, an actionable takeaway that I like to, I'm using that term on purpose, is to bring one leader of some part of the institution's mission, like a provost, the CFO, if that's what they're called, the vice president of research, bring them in to your quarterly security review. So not every month, don't pull on their schedule a lot. They're busy people, but bring 'em in a few times a year to show them here's where we were. Here's where we have gotten to. Here's our linear trend in these areas. Here's the data points. And this is why, like I said before, this is why that matters for you and your team. This is the impact this can have if it goes wrong. This is what will happen if it continues to go well. Here's what we're able to provide, that stability for you and your team.

Isaac Galvan: Yeah, Justin, one other strong indicator of how well the security team is integrated into their institution's business, we find, is how early security and privacy are involved in the procurement process and new technology acquisition. If security is brought in after the purchase is already made and after the service is already being promised to users, it's not a great sign. But if security is involved in the pre-purchase conversations, if security and privacy are part of the table and part of the consideration when this technology is being developed and introduced, along with other important things like accessibility and other very important compliance needs, the earlier, that's a great sign of how well an institution is aligning their security with their business needs. If they can do that before purchase, that's great.

Justin Gatewood: Just to piggyback off of that, because that's an excellent point and that's a critical point. I developed a HECVAT policy, process, and procedure for the California Community Colleges Technology Center. Here are the things that we're procuring for our statewide 116-institution system, the largest higher ed system in the U.S., and we need to use a community vendor assessment tool for higher ed, HECVAT, which is what we use. And then, but I tied it to the underlying institution risk management board policy and administrative procedure, just risk management. I didn't look for a security policy or an acceptable use or an electronic communications and record retention policy, which is what we always, we tend to live in those policy spaces, as what security is, is a risk management and change management, project management function, and aligning it directly with those existing things. There's already risk management going on, make friends with those people.

But similar to what Isaac just said, in software development, a lot of our organizations have departments that write code, that develop custom solutions for things in the cloud or on-prem or both. And the earlier in the software development process you incorporate security, the less technical debt you produce, the less refactoring you have to do, and the faster you can deliver the outputs that you're required to produce. So the earlier security is involved in any conversation, because it really is a risk management function as well as change management, like I said earlier, the better off the organization that's doing that will be.

Sophie White: That's a great point about aligning it to this larger concept of risk management. Just before we get too far, Isaac, can you just briefly define the HECVAT for folks who might not be familiar with it? As we talk about procurement, I think that's a really important tool for collaborative cybersecurity, not only across the institution but across our sector as higher ed in general.

Isaac Galvan: Absolutely. The HECVAT is a toolkit that's been developed by the higher education community. So it's been informed over, I think, the last fifteen or twenty years by the community and their needs. So it's a well-positioned questionnaire that we share with people who want to provide IT solutions to higher education. And it gives them one place to address a great deal of the questions that a higher education institution is going to need to ask, or should be asking, related to cybersecurity, related to privacy, related to AI usage in the product, related to accessibility of the product and digital accessibility. And so it's really a great tool for evaluating a service provider or a solution as part of the procurement process and ensuring that all the right voices are at the table from your institution to make sure that we're not integrating security and privacy too late in the conversation. And everybody is aware of where we're at. So we like the HECVAT.

Justin Gatewood: Well, I don't want to piggyback on that just to kind of endorse and do a little plug for HECVAT. So the California Community Colleges Chancellor's Office in Sacramento made a decision, as part of the work plan for the grant-funded CCC Tech Center where I worked last year as the interim CISO, that the HECVAT was the way we were going to be leveraging a vendor assessment for system-wide purchase of platforms. And so when we renewed ID.me as part of our student ID verification process as students apply for a college in their local area, which is colleges all over the state, just like every state, we assessed that platform, that service, as it relates to the articulated elements of HECVAT. So the cool thing about HECVAT, that demystification of that, and props to Nicole Arbino at the prior C Professionals Conference in Baltimore last May when I presented there on threat hunting, which was a great conference, everybody needs to go to Anaheim coming up here this year, definitely go.

It's a great conference because it's so focused and so beneficial, and you've got a lot of good EDUCAUSE folks there helping you. I was bending Nicole's ear at the conference last May about HECVAT because we were going to be doing that. We also used HECVAT to assess the security preparedness, the privacy, accessibility of a new centralized application platform for the California Community College system, because the state one in place for about twelve, thirteen years is being adjusted to a vendor-provided solution for a big portion of that architecture. And so we assessed that and went through all of it. So it's not just the internal security team doing red teaming, penetration testing on the demo application, which we of course did, but it's also assessing all their policy documentation, all their compliance contexts, and seeing what kind of responses they provide about how they handle data and where they store it and how they push out updates and what kind of accessibility and price and stuff they have, how they use AI, if they do, in what way, and what does that introduce, what kind of risk might that introduce? So it's fascinating to dig into the level of detail that the HECVAT takes you through, but the cool thing about it is the vendor fills it out.

It is a heavy lift to analyze it, but the vendor is the one that has the lion's share of the requirement. They fill it out. Many of them already have filled out one, and maybe version three; version four is the one that's out now, but many of them have already filled out one. And so it's not as big of a lift for them to move in the direction of filling out a new one. So if you're watching this and you're someone else out there and you haven't tried it before, a lot of the vendors have already submitted them before and it's not a huge lift for them to get one done for you. And then you just take what they provided and assess it. And it's really, get a team, put 'em together, it's another chance for you to have an internal relationship-building exercise with the security team, get some visibility, bring in some senior leaders, but do the analysis first, dig into the details, and then produce some findings and dig into those as a team. It's a hugely valuable exercise.

Isaac Galvan: Yeah, I love how you emphasize that it's easy for institutions. It is a solution that, for service providers, they should have to fill it out once with HECVAT four and be able to share that with any institution, and then the institution could tailor it to their own analytic need.

Sophie White: Yeah, I think that's a great example just about how sometimes these groups that maybe can be seen as antagonistic, you're complaining about a solution provider not being secure or complaining about somebody at your institution not bringing you in. This can be a great exercise to just bring all of those groups together for collaborative cybersecurity, the name of this conversation.

Jenay Robert: Well, we're getting close to the end of our time. I want to first point out that after almost forty-five minutes of recording, I don't think anyone said the words AI. So that is a record for sure on this podcast. And to close this out, Isaac and Justin, I would love to hear, if someone has listened to this and you want to make sure they walk away with one action item, the next small thing that they can do to move collaborative cybersecurity forward, what is that one thing someone could take away?

Isaac Galvan: I think it's just important to remember that security has to be a conversation and that it's an ongoing initiative. It's not a one-time checkbox, and you can't firewall every issue away because people need to be able to communicate to do their job. So we need to have that ability to share with people the right way to do that and make sure that they don't have too many roadblocks and obstacles to do that in the way that we'd like them to.

Justin Gatewood: No, absolutely, agree, Isaac. And so what really makes it last, I would say, is that the amount of tools that you've deployed or dashboards you've spun up does not mean security maturity has been achieved. Sustained change of behavior is what actually makes the difference. So tracking observable behaviors rather than deployment of tools. So what's important about, and what makes this last longer too, is it becomes durable when your leaders around the institution start asking about your risk metrics as often as they're asking about the metrics for their own budgets. So adding security metrics, like I said, bringing them into quarterly reviews. And in my twenty years across California higher ed, the institutions that were maturing the fastest were the ones not asking who owns security, but shifting that to how do we share this? How do we make this a shared responsibility? How can we do this together?

And one just kind of last thought I would say is pick something cross-functional this next quarter, somewhere where you've won, where you've collaborated, where you've achieved something together. A shared risk register could be one way of doing that, which is an approach; a joint tabletop exercise where you defined a scenario, that what if this happened? What would we do? And bring other people into that conversation. A unified security intake process, like the see something, say something we have for our unified emergency management systems, but take that same discipline we all have on campuses anyway, for all the various kinds of emergency situations that can happen around campus, and incorporate that mindset of thinking into the way you approach security. If you see something weird, you get a weird, goofy email in your student account or in your faculty account, let somebody know. What's the intake process for that?

Is there a unified place for that to happen in one team, one ticketing queue? And then what happens with that when it disappears into the black hole of the ticket queue? Is there feedback? Accrediting bodies want to see that. Do we have a feedback loop? Do we have robust dialogue? We've seen that in all of our accreditation documents. And then turn that into reports that you can produce that solve problems and answer questions for stakeholders around your organization. So get people asking about risk and security as much as they ask about budget, and you're going to win the security maturity game.

This episode features:

Justin A. Gatewood
Senior Higher Education Executive, and Cybersecurity and Digital Transformation Leader

Isaac Galvan
Community Program Director, Cybersecurity and Privacy
EDUCAUSE

Jenay Robert
Senior Researcher
EDUCAUSE

Sophie White
Content Marketing and Program Manager
EDUCAUSE