Higher education governing boards should stay apprised of rising cybersecurity threats and fund efforts to address them, according to guidance published Thursday by a leading professional organization.
Governing boards are typically in charge of approving budgets and staffing, so board members — known as trustees, regents, governors or other titles depending on the state or institution — need to see cybersecurity as a crucial business matter, Merrill Schwartz, a senior vice president for the Association of Governing Boards of Universities and Colleges, told EdScoop. Amid continued ransomware attacks against higher education institutions, the association developed recommendations for board members on how to communicate with their information security teams, including questions to ask about cybersecurity and suggested cybersecurity frameworks for their institutions.
“Part of making budget decisions is that cost-benefit analysis,” Schwartz said. “Like risk management, it’s important to look at what risks you’re going to accept, what you’re going to mitigate, what you’re going to transfer through insurance. You try to eliminate risk or mitigate risks so that you aren’t paying out for losses, and that requires an investment of resources. So being clear about what the risks are is extremely important.”
When board members approve purchasing new technology or enter a partnership with a company or organization, any additional cyber risk needs to be part of the conversation, Schwartz said. This is supported by the group’s guidance, which urges boards to take cybersecurity into account when making decisions on mergers and affiliations. Managed service providers can pose cybersecurity threats to institutions, as highlighted by recent attacks on SolarWinds and Atlassian.
Schwartz said that understanding ongoing cybersecurity threats also helps board members understand the IT security department’s financial needs. The association’s guidance recommends regular feedback from cybersecurity staff at board meetings and for board members to independently educate themselves on cybersecurity risk. She said implementing some of the advice in the document, such as that on how to use cybersecurity metrics when making business decisions, will help board members familiarize themselves with the landscape.
“Board members learn a lot about what they should be thinking about by coming to agreement on what they will be monitoring, how often and in what format, so that’s a great place to start,” Schwartz said. “This is going to vary depending on the type of institution. A small private college still has cyber risks and must monitor them, but it’s different than a large research university with an academic medical center, or a large hospital with patients.”