Page 14 - Campus Technology, March/April 2020
P. 14
:: IT Managment
“Training is great. You need to do that. But you can educate people until you’re blue in the face, and they will still make mistakes. You’d never be able to educate everyone to the point where they’d do no wrong, and even if you could, you’d never be able to keep up with the pace at which the threats are evolving.”
The Challenges of Going It Alone
Many colleges and universities struggle to put the
people, processes and tools in place for a formal security program, otherwise known as the security operations center or SOC. But often, until they’ve suffered a data breach or a ransomware attack, IT faces an uphill struggle even getting the attention of administrative leaders to discuss the problem or offer solutions.
A big part of the overall challenge is staffing. These schools will go out to hire somebody to lead their security efforts and find they can’t afford anybody with any experience. The median salary for an information security analyst, according to the federal government, was $98,350 in 2018. Compensation for a management position would be higher.
Even if a school manages to recruit a cybersecurity professional, he or she will say, “Hey, now I need all these tools,” Miller suggested. And by the way, “This person might get sick, might need to take a vacation, and not only that but they’re only one person.” In other words, security staffing on a limited budget does not make a SOC.
Security as a Blockade to Innovation
Another aspect to consider: Maintaining a strong security profile can often be viewed by non-experts as a challenge
to innovation, said Miller. As enrollment declines, smaller schools are fighting to stay alive. So, schools make competitive moves — adding online courses, trying out new forms of digital technology to increase engagement, broadening WiFi on campus, adopting esports. “What happens when you start to make software more available,” he observed, “is that you increase the risk exposure of that college or university.”
As Educause put it, “Security requirements are often among the last considerations when new systems are added.” And yet, higher education has so much data at risk:
• Personally identifiable information on students, faculty, staff and alumni;
• Applicant-to-alumni lifecycle data;