A New Mindset Improving Higher Education Cybersecurity
In higher education, effective purple teaming may require a new mindset — and a cultural shift among IT stakeholders.
“If you look at higher ed, there are clearly many internal factions and adversarial dynamics. It may be IT versus security, or there may be departmental politics,” says Will Ash, senior director of U.S. public sector security at Cisco. “Purple teams introduce a culture with a more constant flow of information, with teamwork between these different factions.”
For that to happen, senior leadership must set the tone. The provost, dean and CISO should make clear that security is inherently a collaborative effort. “All the teams need to focus on the higher purpose. They need to understand that the overall goal is to improve the organization’s cybersecurity posture,” Ash says. “Having a purple team in place can help put the collective focus on that goal.”
The red team is often an outside contractor, brought in to investigate university defenses. When that is the case, it is important for leadership to make the purple approach explicit in vendor agreements.
“You need to write it into the scope of work,” EDUCAUSE’s Kelly says. “There needs to be a shared language, a shared terminology. These engagements typically have a lot of rules around what the work will include from the red team’s side. So you need to spell out: The red team is to loop back to the campus personnel to share what they did, to help the campus personnel grow their skills.”
MORE ON EDTECH: Read our exclusive Q&A with EDUCAUSE Cybersecurity Program Director Brian Kelly.
This way, campus security and IT officials can get a greater return on their IT investments. They get more value out of their red team engagements and can build intrinsically stronger defenses around existing technology deployments.
Another approach is to crowdsource the attack, which offers a bounty for successful incursions against the system. “You can turn your user base — your students — into a purple team by incentivizing them to break the rules,” Fuller says. “You give them a $50 gift card if they can find a way around your security. But they have to communicate that back to the security team and show how they did it.”
A Game Changer for Higher Ed Security
Purple teaming can potentially help colleges and universities create a higher level of defense around their networks and digital assets.
“The old way showed you that you needed to fix something, but it didn’t change the way you think,” Kelly says.
“Purple teaming changes the way defenders approach their jobs. It helps them to think more like the adversary,” he says. “That learning is a game changer because that is what enables them to incorporate new ideas and new tactics.”
With new endpoints and end-user connections attaching to university systems at an unprecedented level, this new mindset arrives at a critical time in higher education.
“In higher ed today, you can have a wide array of devices and services and applications in production, with people sticking things online without going through proper channels,” says Sims, of the SANS Institute. “In these circumstances, you need a blue team that understands the offense. To get there, they need some immersion into how the red teams operate.”