This four-part series will explore some common information security governance mistakes seen at higher education institutions and tips on how to avoid them.
- Creating data security silos
- Treating cybersecurity as a compliance mandate
- Approaching each new data security requirement as a separate project
- Framing cybersecurity regulations as an aspirational goal
Information security governance is a hot topic for many university chief information security officers (CISOs). Higher education leaders and boards often worry about data security and how well their institution manages cybersecurity risks. Each week, they see fresh headlines about data breaches and other security threats affecting higher education institutions.
Securing data has become an important due diligence activity shared by senior management, information technology (IT) leaders, and even faculty and researchers. Despite this increased attention on data security, it’s common for a higher education CISO to have a hard time securing funding for new security tools to manage security risks and protect sensitive data.
The difference between a successful and an ineffective cybersecurity program often comes down to having effective governance and oversight. CISOs and CIOs must work with senior management to help prioritize the security program goals among the many competing institutional investment decisions.
While there is no “easy button” to make higher education cybersecurity effective, institutions can improve information security governance and avoid making a common mistake.
Avoid creating data security silos
Even though most colleges and universities have established a central CISO role, larger research institutions often establish additional security teams outside the central CISO organization.
Sometimes these other security teams support decentralized IT groups. In larger institutions, it’s common for as much as 50% of the technology staff to be outside the central IT group. In these scenarios, some of the distributed IT groups may have personnel who focus on information security just within that individual college, department, or research center.
Colleges and universities also create separate project teams to comply with specific security standards. Over the past few years, many research sponsors began requiring higher education institutions to protect sensitive research data.
- Research with data classified as Controlled Unclassified Information (CUI) must protect that data using NIST Special Publication 800-171 security controls.
- Research programs funded by the Department of Defense must prepare to follow the Cybersecurity Maturity Model Certification (CMMC) requirements.
In response to these mandates from research sponsors, many institutions created teams focused on protecting sensitive research data. Some institutions aligned their research data security program under their CISO. Other schools established research data protection roles reporting into the research organization rather than the CISO.
Fragmented data security programs increase both cost and risk
When universities allow a siloed approach to information security, they increase the risk of a data breach and reduce cyber risk mitigation effectiveness across the entire institution.
Increased risk of a data breach
Cyber attackers don’t limit their methods based on internal political boundaries or whether data is owned by “research” or “administrative” units.
Attackers don’t stop just because they cross an internal boundary while carrying out a breach. Allowing multiple independent teams to operate in isolation works in the attackers’ favor.
In old car chase movies, criminals try to outrun law enforcement by crossing a border to escape. Similarly, when schools have multiple security teams, cyber attackers can move across different segments of the campus network to continue their attack unabated.
Increased cost of information security
A fragmented approach to information security is less effective at preventing attacks and at mitigating them when they occur. Distributed teams often work in isolation because of conflicting business objectives and funding priorities. This creates an “us versus them” mentality between units when sharing threat intelligence, reporting incidents, preventing attacks in real time, implementing vulnerability management, and enabling other information security controls.
Decentralized teams are also more expensive to support. Often, each team adopts different tools, manages them using different processes, and develops different strategies. Departmental security solutions cannot achieve the same economies of scale and operating efficiencies as a central solution. Allowing multiple solutions to be deployed increases the cost of information security and makes it more difficult for CISOs to secure adequate resources.
Establish a unified information security governance framework
Higher education institutions should build a unified information security governance framework, managed by the CISO, with university-wide scope and authority.
All information security activities across the campus should fall under this central security governance framework. By doing this, campus leadership can prioritize IT risk management and cybersecurity investment in ways that promote collaboration instead of creating competing priorities between different IT and security groups.
For a unified governance framework to be effective, the CISO should:
- Establish formal risk management processes.
- Implement institution-wide information security policies.
- Develop centralized incident management processes.
- Share threat intelligence data across the distributed IT organizations.
- Report on key IT risk and program performance metrics for both IT and non-IT leaders.
This does not mean the CISO should make decisions unilaterally, however. Universities have a strong tradition of consensus-based decision making. To be successful, CISOs need to embrace this philosophy and create collaborative governance processes across the university.
CISOs should include a wide range of stakeholders from across the campus, including finance, legal, research, faculty, compliance, audit, and IT leaders.
Some key considerations for successfully breaking down organizational silos with shared governance include:
- Executive leadership (including the president, provost, VP for research, CFO, and CIO) should be actively involved in establishing the governance framework and should guide and shape the IT risk management decision-making process.
- The CISO should steer the strategic direction of the overall program. However, CISOs need input and support from individuals responsible for other functions across campus, including research leadership, faculty, risk management, legal counsel, and distributed IT leaders.
- Distributed IT groups should manage cybersecurity under this broader governance framework. They do this by designating individuals to handle IT security within their departments in a manner that supports the CISO’s strategic program.
Overcome security governance mistakes by avoiding silos
Establishing an information security governance framework that can support a decentralized environment takes time and effort. The benefits are significant, though, and worth the investment required to build the governance processes.
Doing so will help institutions mitigate risks to information assets more effectively and economically. It will also strengthen the ability of distributed IT groups to implement the technical solutions they need without introducing unnecessary cyber risks to the institution.
In the next article of this series, learn why institutions should avoid treating cybersecurity as a compliance mandate.