There seems to be some denial within colleges and universities about how vulnerable they really are to cyber attacks. This mentality is misguided and potentially very dangerous, as hackers already have their sights set on the information goldmine that is our colleges and universities.
In fact, according to recent research from IT security firm BitSight, many organizations have a false sense of security, including many colleges and universities that think they are safe from harm.
You may ask, “Why would anybody want to hack organizations taking care of young people?” Well, criminals do not discriminate.
All they care about is information, and you have lots of it: personal, financial and health care data from your students, teachers, administration, and staff, all conveniently packed under one roof.
Decades ago, credit card information was most valuable, but hackers wised up and figured out that medical records or social security numbers can actually bring in 10 times more money.
Credit cards can be reissued; personal data cannot.
The alarming reality is that 80% of organizations today are attacked, sometimes repeatedly, according to the 2015 U.S. State of Cybercrime Survey from PricewaterhouseCoopers, CSO magazine, CERT, and the U.S. Secret Service.
A great number of these cyber attacks originate from within, with about 3.8 insider incidents happening per year, said SpectorSoft.
The good news is that these numbers are gaining the attention of a lot of college and university CIOs. However, beyond stepping up your network security, you may also want to consider finding a chief information security officer, or CISO.
The New IT Role
Colleges and universities need to consider having a specific leadership role accountable for the organization's overall network security strategy.
The CISO job requirements will be hard to find in one individual, but the increasing media reports of large data breaches will draw out more of them.
“The CISO is an evolving and increasingly challenging role. The individual is responsible for all security-related matters, including regulatory compliance, risk management, technology controls, disaster recovery and raising the awareness of security at the C-level,” said Jane LeClair, chief operating officer at the National Cybersecurity Institute at Excelsior College in Washington, DC.
Out of all these, security awareness may be the most crucial. The CISO can educate everyone on what security risks they can cause internally and how much a potential breach will cost, both financially and from a PR standpoint.
However, hiring a CISO is one thing; trusting him with the authority he needs may be a harder pill to swallow.
“With growing concerns about data breaches, organizations appreciate the need for network security leadership at the highest levels, but have failed to make progress in empowering CISOs with the authority they need to successfully defend their organizations,” said ThreatTrack President John Lyons.
ThreatTrack Security also revealed that 75% of C-level executives do not think the CISO should take on a leadership role.
Even with some very prominent data breaches throughout this year, many top executives are still minimizing the efforts of their CISOs (if they have one) and really are just hanging them out to dry when things like a data breach occur.
What This Means For You
Money is usually an issue for many institutions; however, this new position is critical for the network security of your campus and, more importantly, its data. So how do you establish the need for the position?
This may be difficult to begin with, seeing that nobody wants to pay for IT security until the time they really need it. And aside from CISOs not being cheap, especially at a top-manager-level salary, top execs may be reluctant to place that much authority in such a new role.
"From my experience I think there is a little bit of denial going on," explained Ric Messier, senior security consultant at Champlain College in Burlington, VT. "A policy is not going to keep somebody out of your organization. There's not enough focus on 'what are our real risks and vulnerabilities and how are we going to effectively address those?'"
What To Look For
With all points considered, a CISO is your best bet. But how do you even hire for such a role, and what do you need to look out for? We came up with 3 key qualities:
- Technical IT background
- Policy framework
- Leadership and relationship skills
Any successful CISO should have all of the necessary technical knowledge regarding network security but at the same time be able to stand in front of a board of directors and deliver an engaging presentation.
It takes a combination of technical ability and people ability to get the job done right.
These key traits may sound easy enough to find, but the job market may not yet be up to speed. So while the recognition of the CISO’s importance is there, what CIOs are looking for in the role and what CISOs think CIOs are looking for haven’t been reconciled.
The problem currently is that many CIOs and CISOs aren't on the same page. Current IT leadership is looking for technical ability, but current CISOs think the skill requirement is more about the "soft skills," and this is hurting the advancement of the position.
Nevertheless, the need is real and your new network security strategy shouldn't be without it. If you decide on hiring a CISO, get the word out and invest some time in sifting through the candidates. Every campus is different, and you need to find the candidate who has the right mix of skills for you.
To learn more about securing your college or university’s wireless network, simply contact us here. At SecurEdge, we’ve been helping Higher Ed organizations design and deploy a secure wireless network infrastructure all across the country and we're always more than happy to answer any of your questions.