Building a Security-Conscious Culture

IT security pros walk a fine line between conveying the realities of cyberspace and minimizing anxiety about potential threats from professional hackers, many of whom are out to steal information for profit. Today, where information is open and shared with ease, it's often difficult to know where to draw the line with protective measures.

There's little question that the threats are real, particularly with mobile and web apps. A recent report by Symantec found that web-based attacks increased by 36 percent last year, to more than 4,500 attacks each day; and mobile vulnerabilities continue to rise, with 315 discovered in 2011.

As a CIO, I keep my security awareness high and speak frequently with the university's top administrators about threats. Although constant communication is important, there's nothing quite like a security breach to grab people's ­attention.

We had a breach about five years ago at the University of Arizona. Hackers broke into our servers and disrupted our procurement system, university library services and a component of our payroll processing system.

Although no one wants to experience such incidents, they are inevitable. The breach forced us to shutdown key services, which meant we had to rebuild the affected underlying servers and reconfigure them in a way that integrated additional layers of security.

This was an extreme situation, but we learned a lot about how to improve our response procedures. We also learned about the full impact of certain threats and how to better defend ourselves against those threats. And we saw firsthand the critical role technology plays in service organizations.

Moving Forward

IT security professionals always try to stay one step ahead of hackers. I know we're doing much better than we were five years ago, but it's a constant challenge. Any money spent sending IT personnel to training on the most recent malware threats makes good sense compared with the cost of a single breach.

It's also important to educate the user community about the role they play in security. Each individual needs to be cautious about the e-mail messages they open and the websites they visit, and our software developers must structure software in such a way that security is built in.

The periods of quiet between incidents are often the most challenging. It's far more difficult to present "what if" scenarios than to offer a response to an incident. The CIO must fully explain how the loss of Social Security numbers or medical data will not only negatively impact an individual, but also tarnish the university's image. Don't be an alarmist. Point out that the threats are real, that breaches have happened in the past, and lay out a plan for keeping the university secure.

With so many high-profile hacking incidents today, leaders are far more aware of security issues. Work to create a culture in which people are open to receiving news about the most recent security incidents and, more important, are comfortable reporting suspicious e-mail or websites to the IT security office. Make it clear that reporting something suspicious won't get them in trouble. On the contrary, it will build a collaborative environment in which all stakeholders are willing to do their part to protect the institution's information assets.