Cyber Resilience: The Future for Higher Education

In today's dynamic regulatory and threat landscape, information security teams at colleges and universities face a unique mix of cybersecurity and compliance challenges.

Where cybersecurity is concerned, higher education institutions have a particularly complex digital footprint and must secure a broad spectrum of data that intersects with multiple industries. This data is a gold mine for cyber adversaries, which is likely why higher education and research were the most attacked industries in the third quarter of 2022.^Footnote1

At the same time, institutions must maintain compliance with a growing number of regulations. From the Family Educational Rights and Privacy Act (FERPA) to the Federal Information Security Modernization Act of 2014 (FISMA 2014), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Cybersecurity Maturity Model Certification (CMMC), the list of compliance regulations for higher education institutions is seemingly endless.

Higher education institutions can more effectively manage cybersecurity and compliance challenges with an information security risk management program that heralds cyber resilience as a North Star.

Beyond "Checking the Box"

Simultaneously thwarting threats and maintaining regulatory compliance is tricky and often overwhelming. Many institutions adopt a "check-the-box" mentality out of necessity to deal with the influx of threats and requirements.

However, this approach can create more problems in the long run:

• A false sense of security: Focusing solely on meeting compliance requirements rather than improving the security posture of an institution can lead to a false sense of security. The information security team may think an institution is adequately protected when, in reality, it is still vulnerable to cyberattacks.
• Limited cybersecurity scope: Since compliance requirements are often narrowly focused on specific areas of cybersecurity (such as data protection or access controls), institutions could overlook other potential vulnerabilities that are not covered by a particular compliance framework.
• Failure to adapt: Compliance requirements are updated infrequently and often can't keep pace with rapidly evolving cyberattacks, so organizations that are compliant on paper could still be vulnerable to new and emerging threats.
• Inefficient resource allocation: Institutions that invest heavily in meeting compliance requirements that don't align with their actual risk profile are more likely to waste money on security measures that aren't effective or necessary.

As regulations change and emerge, organizations will need to find innovative ways to adapt without simply "checking the box."

For instance, with new updates to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule coming in June 2023, institutions might be tempted to adopt the minimum requirements to meet compliance rather than seek out new ways to improve their cybersecurity posture—a strategy that could leave them vulnerable to threats. And should a security incident occur, it could have serious repercussions: a college or university could even lose access to financial aid.

This approach is a problem across the board—at small and large colleges and universities alike. "You have to keep up, but you also have to do what you need to in order to stay secure," says Jessica Sandy, an IT risk analyst on the Information Assurance team at the University of Chicago.

So how do institutions avoid "checking the box" when it comes to cybersecurity and compliance? The short answer is cyber resilience―the ability to anticipate and proactively prepare for what's next by adopting a proactive, risk-based information security strategy.

In fact, we at SaltyCloud believe in cyber resilience so much that our research team recently wrote a definitive guide on the subject, titled Cyber Resilience at Higher Education Institutions: The Definitive Guide for Information Security Teams. We'll cover some of the basics of cyber resilience next, but for those interested in learning more, I highly recommend downloading a copy.

Cyber Resilience as a North Star

Cyber resilience, or the ability to anticipate and adapt to adverse conditions, is key to anticipating threats and staying ahead of growing regulatory requirements. Simply put, organizations can't build resilience if they don't know what's ahead.

"When we don't know exactly where we're going, we use our instrumentation to guide us," says Cam Beasley, chief information security officer at the University of Texas at Austin.

But cyber resilience is not something organizations can achieve overnight. Ultimately, cyber resilience comes from an information security risk management program with intentional features:

• Is easy to implement
• Provides visibility
• Helps manage regulatory compliance
• Scales as it matures

Here are three initiatives organizations can adopt to implement a risk-based information security program with cyber resilience as a North Star:

1. Adopt a Security Framework

A security framework is a set of guidelines organizations can adopt to improve their security postures―almost like a table of contents for an information security program. But choosing a security framework can be overwhelming since not all frameworks are intended to fulfill the same requirements.

There is no single, universal security framework for the higher education sector, but there will be a framework that can help your organization achieve its unique business and compliance goals. And, as organizations mature, it's common to begin "crosswalking" or connecting existing frameworks with other frameworks to stay compliant.

For example, at Virginia Tech, "the CIS controls will always be our core," says IT Compliance Manager Ryan Orren. "But as other frameworks become relevant―like NIST 800-171 for CMMC and GLBA―it's important to have a crosswalk between controls so we can demonstrate compliance."

If you're curious about the pros and cons of the most popular security frameworks in higher education, our Cyber Resilience Guide provides a complete overview.

2. Fine-Tune the Information Security Risk Management Program at Your Institution

An information security risk management program is central for keeping track of your critical assets and security efforts so information security teams can prioritize them more effectively. If your organization's team is wondering how to build a risk-based information security program, they're not alone. Most information security teams aren't sure how to get started.

Completely overhauling the information security program at a higher education institution is an overwhelming undertaking, but improving the following four areas is a good place to start:

• Implement an IT asset management program: Protecting your organization is nearly impossible if you don't know which IT assets you have. Establishing an IT asset management program will ultimately allow you to better understand where critical data lives, how it's secured, and whether it follows regulatory requirements.
• Conduct control-based assessment surveys: Understanding where individual units and the institution as a whole stand against a security framework will be key to identifying gaps, making improvements, and reporting progress to key stakeholders.
• Perform vendor risk management: Protecting your organization from third-party risks is not only required for certain regulations, it can also help remediate supply chain attacks. Focus on putting measures in place to help you vet service providers, third parties, and IT suppliers for security risks, and then choose those with the best practices.
• Leverage the power of reporting: Cyber resilience is difficult to measure, but reporting consistent improvements over time is the best indicator that what you're doing is working. Additionally, reporting can help you demonstrate to stakeholders that your organization adheres to a specific set of industry standards, rules, and regulations.

3. Build a Culture of Information Security

"Culture" is a big buzzword, but many organizations don't understand what it really means. In the most basic terms, a culture of information security encompasses the attitudes, assumptions, beliefs, values, and knowledge that employees and stakeholders draw from when interacting with the security systems and procedures at an organization.

It might sound simple enough, but establishing a culture of information security is quite challenging. Really, it's how information security teams invest in internal information security education. In other words, in a world that is increasingly driven by influencers, higher education infosec teams need to act as influencers and sell the idea of infosec and the necessary processes to people across their campuses.

Building a culture of information security will look different for every organization, but it all comes down to how teams evangelize information security to raise awareness of―and participation in―the requirements of their programs.

"The success of our risk assessment process heavily relied on us going to the individual campus units and having conversations about information security and the purpose of an assessment," says Allison Henry, CISO at the University of California, Berkeley.

When infosec teams successfully implement a culture of information security risk management, they can start gaining visibility―which, in return, builds cyber resilience.

Conclusion

At SaltyCloud, our deep expertise in the higher education information security space informs our ability to help organizations solve some of these problems. But more importantly, our close working relationship with dozens of infosec teams at higher education institutions in the U.S. and Canada enables us to truly understand the complex state of cybersecurity and regulatory compliance affecting higher education today and helps them augment, automate, and streamline their information security risk management programs with our Isora GRC platform.

We know that no magic bullet will suddenly make your organization better prepared to withstand and recover from cyberattacks. However, we also know there's no better time than today to start on the journey toward cyber resilience, and the best way to get started is to just start.

To learn more about how to get started, download your copy of Cyber Resilience at Higher Education Institutions: The Definitive Guide for Information Security Teams.

Note

1. Check Point, "Third Quarter of 2022 Reveals Increase in Cyberattacks and Unexpected Developments in Global Trends," Check Point Research (blog), October 26, 2022. Jump back to footnote 1 in the text.↩

---

Andrew Scheifele is Co-Founder and CEO at SaltyCloud.