REN-ISAC, the Research and Education Networking Information Sharing and Analysis Center at Indiana University, serves more than 540 member institutions and supports the entire higher education community as a computer security incident response team.
As the executive director, Kim Milford has insight into their shared challenges, along with recommendations to build a better risk management strategy. One step that IT leaders don’t take often enough, she says, is to reach out to peers.
This year, REN-ISAC is working to close that gap with a new series of workshops. Milford discussed this initiative and other topics with EdTech.
EDTECH: REN-ISAC is taking a more holistic approach to risk management. What does that look like for higher education?
MILFORD: Traditionally, REN-ISAC has focused on cyber risks and cyber operational protection. But in this new world we’re in, the threat is not physical or cyber — it’s both, most of the time.
Let’s say there’s a physical threat on campus, like a hurricane. Because of the physical, all sorts of cyber ramifications happen. All those parents of those students are dying to find out what’s happening to their kids.
They could be hitting university resources and inadvertently causing a denial of service, so people in the university can’t get to the resources they need. If there’s a really big cyber event, like a breach, there will be physical ramifications. We’re going to get a lot of press and a lot of calls and have to deal with that. The divide is no longer clear.
We started wondering if REN-ISAC could take our expertise in the cyber world and help people who are more focused on physical threats. We’re doing a series of blended threat workshops to get those people together. What we’ve found so far is that cybersecurity people were getting together with their physical counterparts for the first time ever, or they were getting together with people they knew, but they didn’t really understand their roles.
The physical infrastructure is more community-based, which makes sense — if there’s a tornado, everyone in the region needs to think about that. They’ve learned to be in touch with each other a little better than their cyber peers.
EDTECH: This blending also applies to the Internet of Things. I know of one university that did not have their IT-enabled security set up properly during an active shooter incident. After that event, they realized their IT and physical security needed to work together more.
MILFORD: That’s a good example. We do see that on the IoT side. That’s a blended environment where the device is controlling the physical side of things: door locks or refrigeration in certain buildings. If that’s being controlled through the internet, and there is an internet outage or those devices aren’t patched on time, that’s a big deal for the physical environment.
EDTECH: How do tabletop exercises fit in to incident response planning? Are institutions using these enough?
The U.S. Department of Homeland Security and the Federal Emergency Management Agency partner every year on a tabletop event for higher ed. It’s very well attended by people from universities across the U.S. You sit together in a room with everyone from your institution who’s there and you say, “You’re the facilities people. What do you do? You’re the communications people. What do you do? You’re the cyber people. What do you do?” Our workshop series is meant to complement that. We found that a lot of people weren’t attending the DHS/FEMA event because they didn’t feel they were ready for a tabletop exercise.
EDTECH: It sounds like more institutions should put that in their arsenal.
MILFORD: Yes. Mature organizations would do their own tabletop exercise every six or 12 months. When I worked at the University of Rochester, we had a data center in a challenging location, so we did tabletop exercises every three or four months. We had really high risk, and that’s how we addressed it.
EDTECH: At this year’s EDUCAUSE conference, you and an FBI expert will discuss the threat landscape and ways to cut through “FUD”: fear, uncertainty and doubt. How does FUD affect risk management efforts?
MILFORD: Fear, uncertainty and doubt are the sensationalized side of risk management. They tend to be episodic. Suppose a large university is compromised; the vice president at another university may go to her cybersecurity people and say, “What are we doing about this? What do we have in place?” She’s being responsive to that incident.
That can be helpful, but there’s also an urgency to it, and sometimes you don’t make clear decisions when you feel an urgency. Also, it’s very incident-specific, and it’s specific to what happened to someone else. I always laugh when I read a policy at a university and I can tell exactly what incident led to that policy.
True risk management is not sensationalized. It’s more cyclical than episodic and can help an institution look at the risks and make conscious decisions. Are we going to accept the risk, mitigate the risk or transfer the risk? Universities usually take action in all three of those directions at some point or another. Often, they do it unconsciously. True risk management allows them to document that, so the whole organization knows what to do and can prioritize resources.
Learn about key risk management strategies for a changing cybersecurity landscape in part two of Edtech's interview here.