Cybersecurity on a small-school budget: Two liberal arts colleges team up to share a CISO
Small colleges and universities face the same cybersecurity challenges as larger ones, but they typically don’t have the same resources to address the risks. Two Pennsylvania liberal arts schools have found a way to give more attention to the issue, though.
Susquehanna University, on the banks of the Susquehanna River in Selinsgrove, and Franklin & Marshall College in Lancaster have been teaming up since 2013 to share one chief information security officer who reports to each institution’s CIO.
“One of the realities of small campuses is that adding staff requires an act of Congress,” joked Mark Huber, CIO at Susquehanna. “Our university developed an enterprise risk management process that encompasses all risk across campus, not just cyber, [but] cyber was at the top of the list.”
The best way to mitigate that risk is to have on-staff expertise, but Susquehanna and F&M found that the cost of a full time professional was too high.
“We started talking about this with other CIOs” in the region, Huber said, and the discussion originally included five institutions. In the end, three schools — Bucknell, in Lewisburg, was the third — set up a consortium to hire a CISO they would share. The three-way partnership ended in 2016, but Susquehanna and F&M continued the arrangement.
Huber has a staff of 18 and a half positions, including himself and the part-time CISO, providing IT services and support to some 2,300 students — most of whom live on campus — and about 150 full-time faculty. F&M is about the same size, but with about double the IT staff.
The two schools are about 90 minutes apart. The shared CISO, Alan Bowen, works a couple of days each at F&M and Susquehanna, as well as one day remotely. Huber and his counterpart at F&M, Carrie Rampp, will confer, virtually or face to face, on a regular basis with the CISO regarding projects, broader priorities, and areas of shared concern or interest.
“If I have a CISO working on policies, [such as] how to secure data on a mobile device, every minute he’s working on it, it’s for both institutions,” Huber said. “Each institution vets it [but] it’s more efficient rather than have each institution writing their own.”
Bowen said the two schools pay for his accommodations on the first night he’s there. This makes it feasible for his family to live in Northeast Pennsylvania, two hours or more from F&M and Susquehanna, where his wife is the CIO at the University of Scranton. As for working remotely, it’s usually a good day to work “on long documentation or a narrative,” he said.
When a vulnerability is discovered or a breach happens elsewhere, Bowen ensures both schools are aware of whatever notifications he receives. He works with the IT staffs at both schools on mitigation and prevention strategies, technology assessments and coordination of penetration testing, for instance.
The two schools have very different computer environments. Susquehanna is “moving down the Microsoft path, [and] F&M is moving down the path of Google,” Huber said. “The only place where there’s a similar environment [is] the firewalls.”
Bowen sees the dissimilar environments as an advantage. “It’s broadened my experience … I have domain admin, I have root access, I have access to all the security devices, but I don’t have [their] care and feeding,” he said.
Huber said the big challenge the two schools face “is there are so many applications that are best of breed, no monolithic system that does it all … The integration efforts, whether on premises or in the cloud, is a huge investment of time.”
Another challenging area is aggregating log files so that, from a security standpoint, staff can identify what’s normal and what’s not normal. “There are solutions out there that are very expensive,” Huber said. He believes the advent of machine learning and artificial intelligence promises to automate the task. “If we can pass on what a highly developed human can do to a computer that can do it 24/7, that would be very helpful, particularly for a lean staff.”
The two institutions both seem pleased with how the shared arrangement is working out. “I’d say we’re on the cutting edge of how to mitigate security risk with a shared CISO when resources are tight,” Huber said. “As far as we know, there’s only five [similar arrangements] in the United States … There weren’t any memoranda of understanding or legal contracts our lawyers could look at.”
The key to success is finding a professional who can handle such an unconventional position, Huber said. “It’s hiring the right person, with the qualities we currently have with our CISO — technical skills, the ability to write policies, wanting to be involved in the industry, sitting on panels and such.”
“The two schools like the fact that it’s me, it’s not a company with a set of revolving faces,” Bowen said. “I’m an employee, not a contractor. All the costs are known. Not only can I be the information security [expert and] trainer, I can be another resource, another set of hands … It’s kind of like in-sourcing, but I have more ownership.”
Reach the reporter at firstname.lastname@example.org and follow her
on Twitter @WaitPatience and @edscoop_news.