To IT experts in higher education, the need to step up security efforts is clear. But that perception is not always shared by institutional leaders, particularly at colleges where CIOs and CISOs don’t have a seat at the senior leadership table and may lack opportunities to influence strategic investment. Research in CDW’s “The Cybersecurity Insight Report,” for example, indicates organizations that have a dedicated security expert are significantly more likely to see risk management budgets increase from year to year.
Any leader understands the vital importance of a strong security stance. But in practice, a shift in mindset must occur to move leaders to action — to invest in necessary solutions to bolster a security posture or to incentivize desired user behaviors among staff. Too often, institutions wait until a breach hits either their systems or those of the neighbor institution down the road, at which point leaders may spring into action to craft a defense against that particular type of attack. The problem with this response, in addition to being purely reactive, is that it seeks to eliminate one specific risk rather than to assess and manage the institution’s entire risk landscape.
That’s why, for many organizations, it may be advantageous to have a dedicated senior security leader. Such a person can keep the risk management agenda continuously and appropriately on the radar. Research from CDW and IDG shows that, among organizations with a security function, 68 percent tend to see increases in the percentage of their budgets allotted to security. By contrast, when security falls under the IT umbrella, 66 percent of organizations report that allocation has stayed the same — “an indication that IT teams may lack the authority to influence budgetary decision-making,” according to the report.
That’s important because it means even as security threats are on the rise, institutional defenses may not be keeping pace. IDG’s survey shows that 43 percent of organizations are increasing the percentage of their IT budgets going toward security and risk mitigation. But 39 percent say their IT budget has stayed the same in the past two years. And, surprisingly, 18 percent have actually reduced the amount they are spending.
Better Visibility Means Better Risk Management
Changing the conversation on campus in order to build and support a more security-focused culture certainly requires a focus on preventing a breach. But staff also must focus on identifying and containing any breach that does slip through the defenses.
Two questions should drive these conversations: How can the institution manage risk by limiting the potential impact of a breach? And how can it shift the mindset from prevention to risk limitation? Answering these questions requires that IT staff understand exactly where the weaknesses are on a particular campus.
To know a weakness, staff must have visibility into both on-premises networks and cloud applications. Such information can be invaluable in helping IT staff make a case for security investments come budget time. Yet achieving that level of insight may be easier said than done. Experts say that organizations commonly face one (or more) of the following challenges in their effort to improve visibility:
- Too much data: Information is king. But too much information can obscure the most valuable bits. As data has proliferated, organizations find themselves challenged to manage information in a way that supports the extraction of meaningful, actionable insights.
- The knowledge gap: Many organizations do not have employees who possess the necessary skills and experience to process data related to security events. Yet doing so is critical. Fortunately, AI and machine learning can help to plug those gaps.
- IT vendors: With effective technology solutions, leaders can pursue their organizational missions empowered and supported by actionable insights. Too often, however, security solutions are difficult to understand or to derive insights from. The right partner can ensure that solutions support IT staff, without making their jobs more difficult.
- Over-reliance on compliance: It’s not unusual for compliance requirements to lull IT staff into a false sense of security. Such protocols may be required, but that doesn’t mean the process should stop there. Rather, such requirements should be considered one part of a comprehensive strategy.
- Multiplying endpoints: Endpoints represent countless opportunities for attacks to slip through the unguarded cracks in an organization’s defenses. The increasing reliance on remote work makes it unlikely this trend will slow down. Hackers will continue to take advantage of the blurring between personal devices and professional work with all the weaknesses that can come with it.
A Shared Security Agenda Serves the Entire Campus Community
IT pros are well aware of security issues and what’s at stake, and they are doing their best to engage other senior leaders in the fight. The biggest factor in their favor may well be the fact that, ultimately, every campus leader shares the same goal.
Both inside and outside of IT, we all want to move from strategy to success, from conversation to culture, and from investment to impact. Achieving these goals absolutely requires that the cybersecurity agenda be recognized, at the very top of the organization, as a priority worthy of emphasis and investment.
This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.