As the executive director of REN-ISAC, Kim Milford has recommendations to build a better risk management strategy.

Q&A: REN-ISAC’s Kim Milford on How IT Leaders Can Adapt to Changing Security Landscapes

As cybersecurity technology and threats evolve, campus IT leaders will need to change their risk management strategies.

In part one of our interview with REN-ISAC Executive Director Kim Milford, she explained why higher education institutions should take a holistic approach to risk management and how they can be cyclical, rather than episodic, when it comes to cybersecurity. 

In part two, she shares three ways to improve risk management strategy and discusses two common challenges that security leaders face.


EDTECH: The risk landscape has always evolved, but the pace of change is now faster. How can institutions create an adaptable plan — in essence, a living strategy?

MILFORD: That’s the magic word: strategy. We all need to think more strategically. When I recommend certain best practices, people are often disappointed that they’re not technical enough. That tells you something right there: It’s not always the technical recommendations that are the most important.

The technical and operational protections are a tool that allows you to implement the strategy and the risk equation of your organization. Assessing your environment is the first step. Look at what you’ve got, very broadly. It’s the technical piece and your people, processes and policies.

You should also encompass your region. Are you in Tornado Alley? Do you have to worry about hurricanes? Are you in a high-theft area? Assess that environment annually.

“Fear, uncertainty and doubt are the sensationalized side of risk management.”

Kim Milford, Executive director, REN-ISAC

Then look at the safeguards and say, “Are they still managing these risks? Are they still mitigating them?” Suppose you have cyber insurance and you transferred that risk. Will that policy protect you if you have a breach that looks like X, Y or Z? 

Second, adopt a defense-in-depth approach. With these blended threats, you have to think bigger. What are the physical risks? What physical controls are in place? How do you build defense in depth? 

A lot of that comes down to people. We need people who understand the issues and aren’t swayed by the sensationalism of FUD. If they read about an incident on the internet, they should be able to say, “Here’s my plan of action. I’ve already got the steps that I need to take in this situation. I’m just going to follow those steps.” 

Third, we have to dismiss the “I am not a target” mentality. A malicious hacker can get into someone’s account and use that to escalate privileges, or they’ll scan the information and say, “This person has more access. Now I need to get into this person’s account, too.” The malicious hackers are very smart and very organized, so that “I’m not a target” mentality no longer applies. 

EDTECH: Now that institutions can use advanced software solutions to better monitor their networks, do they struggle to find the best way to use this data?

MILFORD: People are certainly struggling with that. We tell people to collect their logs, but the second side of that, which, unfortunately, we don’t focus on as much, is they need to analyze those logs. If you’re a busy professional with a small team, you probably don’t have time to review those logs daily. So, you use automation to alert you to things that are concerning. 

We see people moving in that direction of using software and automation to help them. As data analytics as a field becomes richer, we have more opportunities than we did 10 years ago.

Right now, the mature shops and big universities are doing this best, because they have the money to spend and the people to develop it. These things don’t happen overnight. If you see a bad IP address, you have to develop the rules to tell your firewall or your control list to block that IP address. So even though you set up the automation, it does take people to think that through. 


EDTECH: IT leaders often struggle to engage senior-level support. What strategies can they use to elevate the security agenda?

MILFORD: This is a challenging one, and it raises questions about where the CISO should report. In an ideal world, should they report to a president? Most days, I say, “Yes, they should.” But every now and then, I’ll see something super technical that the CISO wouldn’t get if they didn’t report to the CIO, so sometimes I like that model too. Ultimately, it’s hard to get and keep the attention of high-level people, which is why we often resort to using FUD. 

We usually recommend that the CIO should, when he’s at the president’s cabinet, always say something about security — even if it’s just that phishing was really bad this month or self-phishing tests are starting to pay off — just to plant that seed and raise awareness. We also recommend general cybersecurity training for everyone, so it stays front and center. That often requires HR’s assistance, but it helps a lot.

I also find that metrics and money talk. If you can show, “We had to deal with X, Y, Z type of attack last year, and that used up half of my security engineer’s time, so it cost us $65,000. Is that okay with you or would you rather shift that?” That is a really good way to talk to management.


EDTECH: What else should IT leaders be doing?

MILFORD: The higher education community is very cooperative, so take advantage of others’ expertise. Pick up the phone, call your neighbor, look at resources on EDUCAUSE and REN-ISAC and start leveraging those relationships.

Photography by Chris Bucher
Oct 18 2018