Report: Infosec top priority for higher ed IT pros, but it needs more attention


From Russian hacking of political targets to last year’s massive Equifax data breach, Americans are becoming increasingly aware of the dangers of poor cybersecurity. Those concerns are even more heightened among IT professionals in higher education.

For the third year in a row, they have identified information security as No. 1 on the EDUCAUSE Top 10 IT Issues list. Yet higher education leaders in general continue to give the topic short shrift, according to a new report released jointly by EDUCAUSE and Deloitte’s Center for Higher Education Excellence.

Information held by institutions of higher education is attractive to cybercriminals: There’s a wealth of personal data, intellectual property and cutting-edge research — all of which are worth billions of dollars to criminals and nation-states alike.

The very structure of higher education contributes to the problem. Its “open-access culture, decentralized departmental or unit-level control, as well as federated access to data and information makes it a particularly vulnerable target for unauthorized access, unsafe internet usage, and malware,” the report points out.

According to the report, there are three structural reasons academic leaders have failed to prioritize improving IT security:

  • University leaders usually come from academia, which means they have limited familiarity with cybersecurity issues.
  • University presidents have little bandwidth available to deal with such a complex issue.
  • CIOs often are not members of a university president’s Cabinet.

Addressing these is not as easy as elevating the CIO to a Cabinet position — but that is one recommendation.

By realigning the leadership hierarchy to include the CIO, “institutional leaders tend to have greater exposure to an issue set that may otherwise be confined to the technology shop,” the report states. It cites American University’s experience, where Dave Swartz now serves as vice president and CIO, providing “better alignment between responsibility and authority and accountability.”

The report’s second recommendation is to frame the topic of cybersecurity around enterprise risk management — financial, operational and reputational.

The report references research by the Ponemon Institute, which estimates the average data breach cost institutions of higher education about $260 per record lost. Breaches and cyberattacks can interrupt operations, from shutting down business operations to preventing students from accessing online learning systems. As colleges and universities integrate technology into their offerings, the cost of this kind of loss only grows. And damage to an institution’s brand because of a breach can make corporations less interested in partnerships — hurting both enrollments and donations.

The report recommends communicating that business risk to everyone associated with the institution, from board members to academics to students. One university has actually created a “cybersecurity charter to communicate to the institution writ large that cybersecurity is not an IT domain but rather an enterprise risk,” the report notes.

Finally, raising awareness is a necessary first step, but addressing the risk also means taking steps to ensure resiliency in the event of a breach: “While resilience requires investment in traditional technology-based redundancy and disaster recovery capabilities, the bigger picture includes a complete set of crisis management capabilities.”