Elevating cybersecurity on the higher education leadership agenda Increasing executive fluency and engagement in cyber risk

Introduction

With election hacking and large-scale consumer data breaches frequently in the national headlines, far less attention has been paid to an industry increasingly under attack by hackers and cybercriminals: higher education.

From ransomware attacks and breaches compromising the personal information of students, faculty, and staff to denial-of-service attacks that render learning-management and other systems unavailable during important times, cybersecurity threats pose an increasingly common business risk to colleges and universities.¹

Institutions of higher education are attractive targets for two reasons. First, like health care organizations and financial institutions, colleges and universities house a wide variety of sensitive and lucrative data, including social security numbers, financial information, medical records, intellectual property, and cutting-edge research. And second, higher education’s open-access culture, decentralized departmental or unit-level control, as well as federated access to data and information makes it a particularly vulnerable target for unauthorized access, unsafe Internet usage, and malware. (For more on this, see the sidebar, “What makes higher education a prime target for cybercriminals?”).

This hasn’t escaped the attention of the higher education information technology (IT) community. For the third year in a row, information security is the top issue identified by IT professionals on the EDUCAUSE 2018 top 10 IT issues list, and its impact on the academy has not abated.²

The cyber disconnect between IT professionals and institutional leaders

Yet there remains a disconnect between IT professionals and institutional leaders. At many institutions across the country, executive engagement and board-level attention haven’t yet caught up with the escalating cyber risks to which institutions are exposed. The reasons for this are threefold.

• The traditional academic pathway to the university leadership often precludes exposure to, and experience with, cybersecurity issues: The majority of college and university presidents and chancellors ascend to positions of institutional leadership through the ranks of academia.³ Often this means that many college and university presidents have limited exposure to and fluency in cyber issues and their potential business impact on an institution. Boards of trustees, depending on their composition and how trustees are appointed, may or may not bring relevant experience and fluency on issues of cybersecurity to their respective institutions. Too often, it takes a major breach to escalate cybersecurity matters to the executive- and board-level agenda.
• A president’s wide-ranging scope of responsibilities leaves little bandwidth: The demands on a president’s time are many: fundraising, alumni, and donor relations, strategic planning (goal-setting and visioning), enrollment management, trustee relations, budgeting, academic affairs, community relations, federal and state relations, student life/engagement, and athletics, among others. With so many responsibilities competing for a president’s time and attention, cyber discussions, which are often cast in inaccessible and technical jargon, often get sidelined by more familiar and seemingly important matters.
• CIOs are often not members of the president’s cabinet: There’s frequently a structural disconnect between an institution’s highest-ranking IT official and senior leadership. Fifty-six percent of the higher education institutions surveyed by EDUCAUSE have a chief information officer (CIO) or equivalent role that is part of the president’s cabinet.⁴ In other words, the highest-ranking IT official has the ear of leadership at just over half of the institutions included in the survey. EDUCAUSE’s higher education IT workforce study found that CIOs who serve on the cabinet are significantly more likely to discuss the IT implications of institutional decisions with campus executives.⁵
  

  Often this means that important conversations about cybersecurity don’t make it beyond an institution’s IT shop to the top of the house. As Georgia State University’s (GSU’s) chief innovation officer Phil Ventimiglia explains, “If you really believe in cybersecurity and the importance of technology to the operation and future of the campus, then the CIO or whatever role is leading technology for the institution should be at the cabinet level.”⁶ It’s not imperative that the CIO report to the president, but having a seat at the senior leadership table to elevate the discussion around these risks is important. For institutions where the CIO reports to an executive vice president or provost, it’s important that these most senior officers regularly bring predigested, cogently argued, and succinctly written issues to the president and trustees.

Drawing on conversations with college and university presidents and IT leaders who have elevated cyber issues to the executive agenda, this article looks at what effective executive engagement looks like in practice and explores considerations for building a more resilient institution that’s capable of bouncing back from cyber events quickly, recognizing that it’s no longer a matter of if they will occur, but when.

Routine exposure: Ensuring structural alignment

CIOs who are cabinet members are generally in a better position to raise strategic IT issues, including cybersecurity risks to the institution, presidents, and boards of trustees.

By virtue of this structural alignment, institutional leaders tend to have greater exposure to an issue set that may otherwise be confined to the technology shop. The direct reporting relationship to the president serves as “a way of keeping the lines of communication open, so that when we have situations like a distributed denial of service attack or something that’s highly disruptive, I don’t have to build the foundation. It’s already in place and it’s just a matter of zeroing in on a particular direction,” says Rutgers University’s senior vice president and CIO Michele Norin.

As GSU president Mark Becker explains, “The chief information officer (or equivalent) has to be at a high level in the organization; they can't be buried away from the president. At Georgia State, they report directly to me and sit on my cabinet, as well as on the administrative council [which allows us] to have direct conversations. Our offices are on the same floor.”⁸ This kind of routine exposure and access typically facilitates greater understanding of the cybersecurity issues facing the institution.

For American University (AU), the elevation of the CIO role to the vice president level and appointment to the president’s cabinet began with the recognition that the CIO is an institutional actor and therefore required to understand all the major features of the institution. As AU president emeritus Neil Kerwin recounts, “With a seat on the cabinet, the vice president of information technology educates colleagues on the senior management team and is educated by them. That works its way ultimately up to the board of trustees, which now has a fixed expectation of IT being an agenda item for every board meeting.” Dave Swartz, AU’s vice president and CIO observes, “At most universities, what CIOs struggle with is having the authority to be able to put in place the controls that are needed to be sure that risks are mitigated.” The result of AU’s change in organizational structure was “better alignment between responsibility and authority and accountability.”

Right framing: Lingua franca for communicating cyber risk to institutional leaders

Too often, overly technical and esoteric cyberspeak obscures the bigger picture issues of concern for institutional leaders. To gain traction with presidents and boards of trustees, the conversation around cybersecurity should be reframed in terms of enterprise risk management, with the business impact to the institution clearly spelled out. As GSU president Mark Becker puts it, “What I want to know is where our greatest vulnerabilities are and what are we doing to minimize those in a cost-efficient manner.”

GSU has gone so far as to put in place a cybersecurity charter to communicate to the institution writ large that cybersecurity is not an IT domain but rather an enterprise risk. “In today’s world, where information storage and processes like monetary transactions are increasingly carried out digitally, we all see instances in the news where unauthorized data access has put large numbers of people’s personal information at risk. As a large organization, we are stewards of a variety of sensitive data, so solid information security practices are vital to protecting our students, faculty, and staff, as well as all those who conduct business and research in partnership with the university,” explains Ren Flot, GSU’s chief information security officer and director of cybersecurity services.

The business risks associated with a breach can range from financial and reputational impact to the ability of an institution to carry out its mission.

• Financial impact: The sheer financial cost of a breach can be significant. Research at the Ponemon Institute suggests that when factoring in all the different costs (including customer loss, the time to detect a breach, the costs of fixing identified vulnerabilities, the costs of compensating victims, public relations, and so on), the average data breach cost institutions of higher learning about $260 per record seized in the incidents they analyzed over the past four years.⁹
• Impact on operations: Because virtually every facet of the modern university depends to some extent on properly functioning technology, a significant data breach can be crippling to the daily operations of a university. For example, a large-scale breach at one major university recently prevented students from being able to access their learning management system for several hours during finals week. As AU president emeritus Neil Kerwin points out, “The kind of damage a breach can cause at a university is not confined to access to information in a narrow sense but literally affects the ability of the institution to conduct its mission.”
  

  As the reliance on technology at institutions of higher learning grows year over year, the magnitude of potential disruptions to daily business operations will likely only increase. As GSU’s Mark Becker observes, “The future in higher education is how to leverage technology to deliver a better education at a lower cost. The integration of the technology is going to happen. We have to do that in a secure environment.”

• Reputational damage with consumers, corporate partners, and government agencies: Corporations are less likely to be interested in partnerships with universities whose research data has been breached or with institutions that seem to lack a clear, strong resilience plan and set of processes for dealing with cyber threats. In addition to the concerns they share with corporations, universities often need to comply with strict regulatory considerations (such as NIST 800-177) for government grants and contracts.
  

  Finally, if important student, parent, or alumni data is seized in a breach, the university’s reputation with potential enrollees may suffer, especially if a robust response plan with a strong public relations element is not in place.
  

Resilience mind-set: It’s no longer a matter of if, but when

Yesterday’s relatively isolated malicious activity has given way to well-organized cybercrime enterprises and networks of politically motivated, and sometimes state-sponsored, attackers. Verizon’s 2017 data breach investigations report found that state-affiliated actors and organized criminal groups were behind an increasing number of breaches targeting the education sector.¹⁰ Against this backdrop, it seems inevitable that some cyber incidents may occur.

While an institution’s technical team handles many day-to-day, routine security events, some incidents may become more serious business crises that can affect an institution’s broader mission. In more serious events, it is imperative that the business closely collaborates with IT to maintain effective resiliency. As GSU’s Ventimiglia observes, “We’re in a day and age that if a network goes down for an hour, you can’t teach.”¹¹

Being resilient means having the capacity to rapidly contain the damage and mobilize the diverse resources needed to reduce impact—including direct costs and operational disruption, as well as damage to reputation.

Effectively developing this capability generally requires executive- and board-level engagement.

Every institution should realistically assess its changing risk profile and determine what levels and types of cyber risk they consider acceptable. Just three-quarters of higher education institutions surveyed by EDUCAUSE have conducted any sort of security risk assessment.¹² This is a business challenge, not just a technical one. Presidents and trustees need enough understanding of the threat landscape to provide cyber risk guidance. It’s then the job of the technical team to translate this into effective operational capabilities.

While resilience requires investment in traditional technology-based redundancy and disaster recovery capabilities, the bigger picture includes a complete set of crisis management capabilities. It involves IT, as well as leaders across the institution, and decision-makers from legal, risk, human relations, and communications functions. It typically requires a playbook across all these entities, designed in advance by considering how threat scenarios impacting critical assets and processes could play out.

Beyond playbooks, developing a robust resilience capability can be supported through cyber wargaming and simulations. Staging simulations can create better organizational awareness and understanding of threats, improve cyber judgment, and facilitate the development of “muscle memory” that helps teams respond flexibly and instinctively to both the simulation scenarios, as well as situations that cannot be foreseen.

Many higher education institutions apply a different philosophy to wargaming and security. As Virginia Tech’s information technology security officer Randy Marchany explains, “This is the difference between a ‘keep them out’ versus ‘we assume they’re in’ approach. This viewpoint changes how institutions respond to a wargame scenario. If it is assumed that attackers are already in the system, it’s a matter of ‘how do I hunt them down’ as opposed to ‘how do I keep them out.’”

Users are inevitably going to make mistakes. The question is how to reduce the damage once a mistake is made. For its part, GSU is using outside companies to monitor the traffic into and out of the university 24/7. The university is also virtualizing its entire network, which will enable it to see any rogue activity in the network and isolate the source and quickly reduce the risk.

Looking ahead

Until recently, it has frequently taken a major cyber incident to elevate cybersecurity to the executive agenda. But with the increasing digitization of the academic enterprise, growing regulatory pressure to improve an institution’s information security posture, and a fast-evolving cyber threat landscape, the stakes are higher than ever for institutions that don’t treat cybersecurity matters as serious enterprise risks with the attendant executive- and board-level attention they warrant.

Increasing executive- and board-level fluency in cyber issues is part and parcel of responsibly overseeing and governing an institution, given the reality of today’s growing cyber threats. Developing such fluency often requires getting the structural alignment in place (to the extent it’s not already there), reframing the issue as one of enterprise risk management, and developing institutional resiliency so that colleges and universities are in a position to bounce back quickly if an incident occurs.