Information security strategy is one of the top 10 IT issues facing educational institutes today. Find out how Cybriant can help simplify 5 of the top 10 IT issues facing colleges today.
In an effort to improve student experiences and outcomes, EDUCAUSE gathered the 2019 Top 10 IT Issues list and dubbed it, “The Student Genome Project.” Find out more about the research here.
Half of the Top 10 IT Issues directly involve data, along with the many challenges and opportunities it affords:
#1. Information Security Strategy: Developing a risk-based security strategy that effectively detects, responds to, and prevents security threats and challenges
#3. Privacy: Safeguarding institutional constituents’ privacy rights and maintaining accountability for protecting all types of restricted data
#5. Digital Integrations: Ensuring system interoperability, scalability, and extensibility, as well as data integrity, security, standards, and governance, across multiple applications and platforms
#6. Data-Enabled Institution: Taking a service-based approach to data and analytics to reskill, retool, and reshape a culture to be adept at data-enabled decision-making
#8. Data Management and Governance: Implementing effective institutional data-governance practices and organizational structures
We must map the student genome. We must trust and understand our data to apply it, for without data, we are blind.
Some of the work is tactical and technical. Projects are under way to develop shared, consistent data definitions and sources and to integrate those sources across many systems and, often, across competing versions. Much of the work is strategic and political. Technical silos are easier to bridge than organizational silos. Stakeholders must agree on data definitions and definitive, trusted sources. They must acknowledge the precedence of the institution over the department if the goal is to become a data-enabled institution.
The most difficult work is cultural. Cultures are social constructs that link, transcend, and outlast individuals. People are difficult to change, cultures even more so. Applying data to decision-making requires entirely new ways of making decisions, of working, of thinking. Doing so requires culture change, and that calls for leadership, a coalition, empathy, and grit.
Data privacy is newly on the list, and no wonder. Institutions are scrambling to interpret and comply with the European Union’s General Data Protection Regulation (GDPR), which contains new requirements for data collection, processing, and use. The state of California quickly followed with its California Consumer Privacy Act (CCPA), and support for a comprehensive US federal privacy law appears to be gaining traction. Millions of people have been appalled by revelations of exactly how much end-user data Facebook collects, how it has used this data to manipulate online experiences, and how it has exposed this data to third parties. This type of data use is not new, but it is newly salient. Privacy vulnerability is the dark side of collecting and using the increasing types and amounts of student data.
And then there is the issue of security. Again. Still. For several years, security has been not just on the EDUCAUSE Top 10 IT Issues list but has topped the list. Data can be trusted only if it is secured. Security threats adapt to and overcome existing protections, requiring continual monitoring and ongoing investments. Security is a risk that will never be fully prevented, but it can be managed.
Cybriant offers solutions for all five of those IT issues that fall under the trusted data scenario. Continue reading to find out more.
1. IT ISSUES: Information Security Strategy
Developing a risk-based security strategy that effectively detects security threats and challenges respond to them and prevent them
It is an extremely high priority to secure our institutional data and systems. Threats are on the increase. We must speed up our efforts to integrate security into all aspects of our IT strategy and activities. An effective strategy for information security will use a risk-focused, multi-layered strategy to secure the institution. This takes a village – everyone has to participate. It is not the task of only the IT organization or the Chief Security Officer for Information (CISO). If we do our part, we can make much more progress in securing our institutions.
Risk is the most important word. These are not small risks. Information security is often ranked on institutional risk maps in the upper right quadrant. A major breach can seriously damage the reputation and financial health of the institution.
“Far too often, security is perceived as an IT problem. It truly is not. If we look at information security as an enterprise-wide risk, then we must have other stakeholders (outside of the IT organization) sitting around the table to determine how best to manage security-related risks. These stakeholders also need to determine how much risk the institution can accept. IT leaders cannot make this decision alone.”
—Cheryl Washington, Chief Information Security Officer, University of California, Davis
Start with a Strategy
We can’t stress this enough, strategy and framework are the keys to a successful security plan. By having a strong information security strategy in place, every decision around IT issues will be easier.
We prefer NIST CSF and recommend this to our clients. What is the NIST Cybersecurity Framework?
National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF), which calls for “a set of industry standards and best practices to help organizations manage cybersecurity risks.”
Organizations can use the CSF to take a risk-based approach to align their security processes with business requirements. Because the CSF is not intended to be a “one size fits all” approach, Cybriant’s solution is scalable across all organizational sizes and can be adapted for specific use across multiple industries.
Institutions that can best maintain an effective risk-based security strategy will prevent significant damage to their finances, financing, and reputation. They’re more reliable. This trust benefits alumni, donors, parents, students and granting agencies. These institutions have a competitive advantage in terms of funding research grants in this area or grants where security is extremely important because of the nature of the data involved. There will be a better use of resources not spent on breaches.
Where to Begin?
We recommend starting with a gap analysis or security assessment to help find a start point and produce a map to success for all IT issues.
Hiring a firm to perform a risk/security assessment can be a daunting task. With little to go on we often we fall back on the old standbys of contracting a vendor: reputation, size, certifications, etc, etc. And often that results in poor performance or obvious cookie-cutter results. How then should we approach the task of ensuring we get value from our security assessment vendor?
After years of performing risk/security assessments and gap analyses for various companies in different vendors I’ve noticed some themes and want to share six items to look for when selecting a vendor.
Read more from, “6 Considerations for Your Next Security Assessment Vendor.”
2. IT ISSUES: PRIVACY
Safeguarding the institutional constituents’ privacy rights and sustaining accountability for the protection of all types of restricted data
Privacy is about properly handling personally identifiable information that institutions collect, create, store, share, use, and dispose of. Privacy affects everyone. Without sensitive personal information, institutions can’t register students, hire staff, conduct research, and complete their organizational missions. Understanding what data is being collected and how and where it is being used is central to discerning the institution’s role in safeguarding this information.
“Privacy is not the same as security. Privacy is about being able to have a say in or control over how your information is handled. People think privacy is just about protecting data; privacy is bigger than that.”
—Merri Beth Lavagnino, Director, Strategic Planning and Enterprise Risk, Indiana University
Ensuring Privacy is met through Compliance Audits
Privacy and security, while they are the same thing, they are equally important in the eyes of the US Government for compliance reasons. Is your Institute heavily regulated as most are? Then you should have a readily available resource for ensuring audits are a breeze. If you don’t, like most colleges and universities don’t, consider a compliance management system.
Today’s compliance environment is an overwhelming assortment of never-ending checklists and to-do items. Not only are organizations required to adhere to a standard, but there are also often many standards that a company must adhere to adding additional complexity to an already frustrating situation. Pulled in many directions, today’s IT professionals often feel as they are descending into a fog of compliance.
There is also a constant stream of acronyms that businesses now must learn and adhere to be compliant. Each new entrant into the pantheon of compliance complicates and weaves an even more complex web of checklists, procedures, and policies. Each time new letters are added to our alphabet soup of regulations we must scramble to meet that specific list of requirements.
We have created a better way. Introducing ComplyCORE.
ComplyCORE clears the fog of compliance into a clear and concise vision. With ComplyCORE as your compliance management system each new compliance matrix that springs to life is easily and quickly integrated. There is no scrambling each time an auditor for a specific regulation appears, it’s all part of the plan.
3. IT ISSUES: Digital Integrations
Ensuring system interoperability, scalability, and extensibility, as well as data integrity, security, standards, and governance, across multiple applications and platforms
Many years ago, institutional IT systems were simpler. Colleges and universities would build a monolithic ERP system, pour the data in, and expect everyone to use it. Today, with the proliferation of cloud applications and emerging applications in the research and academic space, many more applications are contending for data, requiring data sharing and data integration across platforms. A monolithic strategy is no longer practical. Digital integration is becoming more prominent in institutions due to the need to securely interconnect systems to avoid data duplication. IT organizations must ensure the integrity, security, and governance of the data in these disparate but interdependent applications.
“The number of integrations to deal with is staggering, and I keep challenging my team about how to reduce the ones we know about and support directly—which doesn’t count the ones we don’t know about.”
—Michael Gower, Executive Vice President for Finance & Administration, Rutgers, The State University of New Jersey
People, Process, And Technology
When you have a framework in place, it helps direct the decision making process for all IT issues including people, process, and technology. When this is in place, institutions can focus on their main goal – education. Integrating systems in a friction point that add time, money, and detracts from your end goal. Lack of coordination and governance increases the likelihood of mistakes and missed opportunities.
What we must strive for, what we must get up every morning and make it our mission to accomplish, is the process. A far too common mistake is that once we place security controls around our data we believe the job is done. Once we buy and install that tool, outsource that task, or hire that consultant firm we are not done. Let’s look at the tried and true foundation of People, Process, Technology and see how that fits into your cybersecurity plan – we are going to switch it up and discuss process last.
According to ITIL News, using People, Process, and Technology for a successful implementation is not only good old-fashioned common sense but also like a 3-legged stool. The stool analogy is used because any leg that is too short or too long will cause an imbalance.
4. IT ISSUES: Data-Enabled Institution
Taking a service-based approach to data and analytics to reskill, retool, and reshape a culture to be adept at data-enabled decision-making
As colleges and universities adapt to a rapidly changing future, the ability to make effective decisions may well distinguish those that navigate change successfully from those that don’t. We live in a world awash with data, yet many institutional leaders struggle to convert data into decisive and informed action. Without access to timely, accurate, and relevant data at the right time, leaders will not be able to make successful decisions. Applying data more rigorously and expansively to decision-making requires that technology and data professionals possess new skills. Institutions need professionals who are adept at discovery, pattern matching, and searching for the data inside the problem.
Higher education also has a programmatic opportunity. Analytics, AI, and machine learning are creating new jobs and disciplines.6 Technology’s impact on the needs of the impending workforce means that college and university programs have the potential for dramatic change.
“Faculty will have to work hard to adapt under a data-enabled culture. To help them, we must be transparent and clearly show how these new initiatives will benefit the students and them. We have to show evidence of IT’s value.”
—Colleen Carmean, Associate Vice Chancellor, Academic Innovation, University of Washington, Tacoma
Enable Data through Security and Compliance
It is more important than ever for data to be secure. There are two reasons – the impending doom that will follow a cyber attack if data isn’t properly secured. And failing a compliance audit for data not being properly secured.
Data Security – consider PREtect.
PREtect is a tiered cybersecurity service that will help optimize the protection of data assets and the detection of malicious events by addressing the most common vulnerabilities in the enterprise.
PREtect is offered in 3 tiers:
- CORE: Continuous cyber threat detection through Managed SIEM
- ADVANCED: CORE plus Managed Endpoint Detection and Response
- PREMIUM: ADVANCED plus vulnerability and patch management
Compliance Audits – Consider ComplyCORE
Instead of jumping from one compliance to another rushing to ensure all the boxes are ticked Cybriant helps your organization settle the noise by collapsing all the various compliance initiatives into one program. Currently meeting NIST and HIPAA compliance only to have PCI placed in your lap? Not a problem.
Through ComplyCORE, we can help you adopt clear policy statements and demonstrate clear and unequivocal expectations about compliance.
5. IT ISSUES: Data Management and Governance
Implementing effective institutional data-governance practices and organizational structures
Colleges and universities are information-driven organizations. They create, transmit, and run on the flow of information. Data is the institution’s lifeblood. Like any other consequential resource, data has to be properly managed, curated, secured, understood, and optimized to help the institution achieve its mission and goals. Data tends to be invisible because it flows in and out of the business processes. But without the ability to use data to make decisions, institutions are flying blind. Effective data management and governance is the foundation on which decision support and intelligence capabilities are built.
“Institutions with effective data management and governance have built the pipeline to support effective decision-making.”
—Chris Gill, Chief Information Technology Officer, Drake University
Start with a Solid Foundation
Begin with a solid foundation – we recommend you start with a security assessment to determine any gaps in your data governance policy. The needs and abilities of the institution to use data look like a pyramid. At the base is the important data on which the institution is based. These data must be accurate, timely, secure, well understood and consistently defined throughout the institution to be useful. Any use of the data can be more harmful than beneficial on the road without this basis.
Security or risk assessments help you protect your data and develop a foundation for strategic security decisions. Consider the assessments we currently have available and let’s start a conversation about which one is right for your institution.