Higher Ed Needs a Cybersecurity Intervention

Mimicking business-oriented security management strategies at colleges and universities is a recipe for disaster.

Higher education faces complex cybersecurity challenges that overwhelm effective business practices. Photo by Michael Figueroa.

Colleges and universities collectively represent a worst case scenario in cyber defense. Security professionals charged with protecting schools must often account for vast financial assets, large databases of personal information, and unrestrained usage of untested technology and services. They also contend with high annual user turnover, historically limited operating budgets, and national security concerns related to government funding.

Higher education user expectations further complicate cyber defenses. Students and faculty demand extraordinary openness, demonizing just about any control that might constrain information flow. More than just an opportunity to flaunt independence, academic research often requires collaboration across institutional and international boundaries, including sensitive data such as emerging intellectual property related to technology innovation and software code that may contain advanced proprietary algorithms.

While most businesses operate in the same global threat environment, very few are subject to the adversity that higher education institutions face. Rather, businesses can better restrict what services users can access, constrain where information can flow, and disallow internal connections from unapproved devices. Effective cyber defense practices in business are thus characterized by barriers and choke points that an organization can internally control.

Because of those fundamental operational differences, higher education institutions fail to protect themselves against advanced threats when they try to mimic business cyber defenses. Quite simply, schools have to defend more with less. To continue modeling their security functions on business practices reflects a denial that most schools are incapable of doing so effectively.

Comparing higher education institutions against like-sized businesses exposes severe cyber resource deficiencies. Starting at the executive level, I found in my interactions with New England companies that businesses typically hire a chief information security officer (CISO), a security executive specifically charged with strategically planning cyber defenses for the…