A decade, or even a few years ago, cyber security issues would not have been on most university and college presidents’ minds. In this new world, however, where major American political parties and government agencies are being compromised, these educational leaders must be focused on protecting their institutions from malicious actors.
Like leaders of large organizations in all competitive industries, presidents of higher education institutions face numerous other challenges and intense pressures. Every year these presidents must hit benchmarks for applications, enrollment, and tuition while simultaneously dealing with sensitive campus issues like student safety.
Whenever I speak with new presidents, I always ask about their top priorities. As recently as 5 years ago, cyber security may not even have been mentioned. Today, it’s always in their Top 5. In fact, cyber security is now a critical component of any president’s ability to meet the aforementioned challenges.
For instance, the reputational harm that often results from a data breach may lead to a decrease in the number of students applying for acceptance, which can negatively impact tuition revenue and the overall quality of the applicant pool. Furthermore, because colleges and universities maintain personally identifiable information (PII)—like Social Security Numbers or financial information—and medical data, they are potentially subject to heavy fines under privacy laws like the Gramm-Leach-Bliley Act or Health Insurance Portability and Accountability Act (HIPAA).
While many presidents may not think about cyber security on a day-to-day basis, IT teams at higher education institutions are especially focused on this area. In fact, a recent survey of IT leaders in higher education found that information security topped their list of priorities in 2016. When school administrators and IT leaders become distracted by competing priorities, the risk of a security breach can increase dramatically.
Alternatively, if IT leaders and administrators maintain open communication, the school’s security posture will be improved. It is incumbent upon presidents to engage directly with IT and be willing to listen and learn. And once the lines of communication are open, if IT leaders are able to clearly articulate the risks posed by cyber security threats, it is easier to achieve buy-in for security-related investments from presidents and university board members. As an example, IT leaders must be able to convey to school administrators that the traditional “moat-castle” approach to security—in which a perimeter firewall (the moat) keeps all threats out of the network (the castle)—is no longer an effective strategy.
Instead, IT must make the business case that institutions should consider investing in technologies like network traffic and analysis tools that increase network visibility, allowing for a faster and more proactive response to threats like botnets and vulnerabilities stemming from peer-to-peer sharing. College students now use an average of seven connected devices, making it nearly impossible to see everything happening in different network segments without these modern tools.
School administrators and IT should also work together on user education and the creation of robust security procedures. Today, phishing has become so sophisticated that even experienced professionals often can’t distinguish legitimate emails from these attacks. As such, ongoing training is necessary to help users recognize potential threats. Documented procedures—like ensuring that financial forms must be reviewed by at least two stakeholders—can also help drastically reduce risk. Again, presidents must empower IT leaders to design and implement these policies and procedures.
In many ways, IT leaders and school administrators are like two separate companies, with different mission statements, operating within one institution. With so many other responsibilities on their plates, college and university presidents typically cannot make cyber security a top priority day-in, day-out. But that does not have to create vulnerabilities, so long as administrators recognize the importance of supporting the IT leaders who are working every day to improve the school’s security posture. In uniting, these two entities can protect their networks and sensitive data – and the reputation of their school.
Featured Guest Blogger:
Anthony Cernera, PhD is a long-standing administrative leader and much sought-after consultant in the higher education space. After 30 years in university leadership roles, he is currently the President of the Center for Inter-Religious Understanding and serves on numerous boards of directors. For six years, Anthony was also the President of the International Federation of Catholic Universities. He uses his vast experience to help current college and university presidents shape their strategies around the intersection of people, processes, and technology.