Security is hard.
Any security practitioner will tell you that, although almost everyone will have a different reason why. Some will say a lack of budget, while others will cite people resources. A few say a lack of respect for the cybersecurity role, or where it is placed in the org chart. You will also find articles and research that indicate the trials of managing security in higher education versus other verticals.
I’ve experienced leading security in several types of organizations, including a quasi-government agency, a managed security start-up, financial services, and now at my second institution of higher education.
There are differences in leading security in higher education than all other verticals. Some of these differences include openness, the need for collaboration, academic freedom, and the ability for just about any member of the community to stand up a system and connect it to the Internet. There are library and medical journals that are prized targets, and research that is coveted. There is also simply the availability of very large and fast access points that make us a desirable target.
We have students, faculty, and staff. We have visiting scholars, adjuncts, parents, alumni, donors, sports fans, and general visitors. We have housing, food locations, recreation, libraries, athletics, police departments, health centers, and rescue vehicles. In each of these areas, there are security aspects.
The complexity is why I love my job, and why I’ll choose higher education any day.
Of course, just like in other verticals, there are still pressures and long days, but the stress and pressure are different. Every day can be a challenge, but when your focus is providing service to teaching, learning, and research, and assisting the academy and students in preparing to change the world, your role becomes a humbling one.
Leading security in higher ed is a challenge, but the opportunities abound, and many of those are not because of one’s technical chops. Each day is an opportunity to work on one’s strengths of influence, persuasion, teaching and business acumen. There are opportunities to speak in the languages of risk and privacy with those who are on the cutting edge of their use or research, and opportunities to provide value at all layers of the stack (including the people layer or “layer eight”).
I have found that the greatest opportunity, and the one that can drive the most success, is collaboration. In the open environment of a university campus, this ingredient is critical. Fortunately, the atmosphere of higher ed also fosters collaboration. Recognizing its power can be transformational to a security role and mission, and assist in achieving success.
This collaboration is not just within IT, but in all areas of the campus, and between institutions in broader higher ed communities, often with nationwide impact.
At its core, the mission of my security group is to make information security programmatic and cultural throughout the university. A lofty and worthy goal, and one that we take to heart. Just think of the impact to your mission if security is baked into all decisions, processes, and policies, and if you had every member of your community taking on the awesome responsibility of cultivating a security mindset. I don’t consider my end user community to be “the weakest link” (can we please stop using that?); I believe that they are on the front lines of my defenses, and should be commended for the role that they play.
Collaboration drives this! Let me give you a few examples.
We’ve created a process that assesses new technologies or partners before a solution goes live or is even purchased. Through this “architecture and security review,” we provide our community with an opportunity to have their technology assessed by over a dozen areas, all who provide value and expertise. This process covers everything from the contract, user experience, architecture, database, security, integration, customization, audit and compliance, and more. This process is led by the security office, which has created this collaborative effort to become both “programmatic and cultural.” The number of reviews is doubling year to year, and the customers appreciate the expertise, buy-in, recommendation, and commitment early in the process, eliminating “11th hour” fire drills for all. The value to both the community and IT is apparent, and the numbers prove it. Demand is outpacing supply at this point!
Outside of reviewing technology projects, there is also collaboration with researchers for their emerging needs. Using both the campus and the network as a lab, security can play a role in expanding knowledge in many areas of computer science and engineering. Our willingness to think outside the box to support the faculty and research community is assisting to change the future, while also providing us with insight into improving our network and security posture.
Security also plays a key role in supporting research grants through writing and validating security plans, as well as assuring the privacy and security of human subjects through university Institutional Research Boards.
We also collaborate with the campus technical community by providing security “position papers as a service” on difficult subjects, using focus groups to receive feedback on security areas that will affect them, providing professional security classes that lead to certifications, and support their staff and department efforts on reducing risk.
Collaboration with other universities on current and future posture is also prevalent. Just this month I was in our nation’s capital with several other institutions from across the country. We were convened to assist in the development of a student intern training program that will not only assist us with our day to day needs but also prepare the interns for careers in cybersecurity. We’re excited to participate and excited to see the value this will provide as the program develops.
Security as a profession has matured. There is no disputing that. Gone are the days of just installing a firewall, hoping for the best, and responding to incidents as they arise. It is now a critical part of enterprise success, and that is especially true in higher education.
But the security team can’t do it alone. Collaboration is key, can be achieved, and is a critical factor in the ultimate success of the security mission. By establishing a culture of collaborative security, the goals of programmatic and cultural security are within reach.
Increase your collaboration, as it will increase your influence, and it will surely increase your security.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of The Tambellini Group. To express your views in this forum, please contact Katelyn Ilkani, Vice President, Client Services and Cybersecurity Research, The Tambellini Group.
© Copyright 2023, The Tambellini Group. All Rights Reserved.