Editor's note: Brian Kelly is the chief information security officer at Quinnipiac University. Scott Kannry is the CEO at Axio.
Educational institutions have a unique challenge to contend with when it comes to managing cyber risk: The very organizational structure that supports education and research can be detrimental to risk management.
This is perhaps most evident when it comes to justifying budget requests for a comprehensive cybersecurity or regulatory compliance program. Chief information security officers (CISOs) must cross multiple organizational boundaries and communicate cyber risk in terms that the board of trustees, provost and financial officers — three very different stakeholders — will understand.
In higher education, students and professors enjoy a different contract with the institution than an employee does with their employer. Universities must offer broader access to networks, maintain less control over student and employee actions and deal with significantly more turnover (matriculation and graduation) than the average private sector enterprise. Additionally, universities hold vast quantities of personal data, including social security numbers, financial aid status, health records and course grades.
To further complicate matters, universities operate in a highly regulated environment. The Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) are just the beginning. Any school receiving funds from the Education Department under specific programs must comply with the Family Educational Rights and Privacy Act (FERPA). Violating the terms of FERPA can lead to substantial penalties, including the complete loss of federal funds to the school.
Additionally, many research projects depend on government-provided controlled unclassified information. Universities must comply with the standards of the National Institute of Standards and Technology (NIST) Special Publication 800-171 when handling and protecting this data.
The decentralized nature of educational institutions works well for research and learning, but it creates silos from a risk-management perspective. Before CISOs can do anything — for example, create a comprehensive cybersecurity program or implement controls for regulatory compliance — they must first justify their budget requests to a diverse group of stakeholders that perceive and communicate risk in different ways. This requires quantifying risk in a nomenclature that matters to the risk manager as well as to finance, the board of trustees and the provost.
This can be achieved by working through the following exercise:
- Understand the institution's risk exposure in financial terms. Start by asking one question: "If a cyber event happens to us, what might it look like?" Generate scenarios based on various aspects of the school, how technology is used and what the impact of that technology failing might be. Could there be a data breach? Could there be an interruption in grading systems? Could a hacker dupe someone in treasury into wiring money to a fraudulent account? Could a hack into our admission database expose students' financial records? Then take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the cost of those events should they materialize.
- Choose a maturity-based cyber evaluation framework and align it with the scenarios quantified in step No. 1. This will allow you to prioritize high-cost scenarios that will have the most impact on your security posture and work down from there. A maturity-based approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, will never go away, and all too often produce a false sense of confidence once the checklist is complete and the compliance framework met.
- Maintain the resources and financial ability to recover from a meaningful event. At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much as possible, or all, of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and other expenses. How do you get there? See step No. 1.
- Benchmark against peers when possible. Cyber risk management is a shared responsibility. In a world where standards and certifications can only provide a floor, the rising tide dynamic is the only means to stay as close to, or as far ahead of, the curve as possible. All of the aforementioned components contribute to that dynamic: Are you as good as, or ideally better than, the median marker for the maturity of your cyber program? What's at risk from an exposure standpoint? Do you have appropriate abilities and financial resources to recover from an event?
Together, these four steps can provide CISOs with a means of communicating cyber risk to various stakeholders. By articulating the financial impact of an incident and presenting maturity levels in comparison to other institutions, CISOs can justify their budget requests and improve their institutions' security posture. In short, this gives CISOs in higher education a framework for making cybersecurity and risk management meaningful.