Information Security (InfoSec) Strategy has broken free of the moorings that relegated the practice to a bunch of stereotypical, nerdy administrators and analysts (at least in our minds), and it is now top of mind for thousands of companies, large and small, across the globe. Data breaches, identity theft, ransomware, malware, phishing—all of us have been affected by the flood of security and privacy issues facing our world today. Information itself has become a commodity, and hackers have been poised to take advantage for a long time.
EDUCAUSE recently rolled out their Top 10 IT issues for 2020, and, in what may come as a surprise to nearly no one, Information Security Strategy was #1. Again. In fact, Security has been, in some form or other, the top issue on the list for the past five years. This year, its close cousin, Privacy, topped out at #2. Further, EDUCAUSE itself admits that Privacy is on par with Information Security. So, why shouldn’t this surprise us? Well, for one thing, if every industry rolled out their Top 10 IT issues, the top two would almost certainly be close, if not identical, to this list.
Why Does Information Security Strategy Matter?
So, what does this have to do with higher education? A lot, actually. Our institutions of higher learning maintain some of the largest databases of personal information anywhere outside of government. It’s no wonder that there is a great deal of concern for the protection and proper handling of that data.
Still, higher ed institutions have been slow to embrace InfoSec. And some have paid quite a substantial price in lost data and reputation. In 2019 alone, University of Connecticut, Oregon State University, and Washington State University all suffered data breaches, and that’s just a small sample. UConn lost over 300,000 patient records from its medical center. The result? A class-action lawsuit.
It is difficult to write about the importance of information security without sounding like a fearmonger. Well-executed cybersecurity policy and practice really only serve to keep us from harm. But the stakes are high, and only getting higher. Colleges and universities are very attractive targets because of the volume and variety of data they gather and maintain. As data breaches and thefts across nearly every industry have shown, corporate secrets draw nowhere near the interest that personal information does. Where companies once fretted over loss of intellectual property, customer lists and customer data are now the greater worry.
How to Establish an Effective InfoSec Strategy
Every organization, regardless of size, business model, industry, or budget, needs an information security program. Often, we find it preferable to gloss over the need for information security because we think the information we maintain is only valuable to our organization. But every company is a target for data theft.
Information Security Officer or Manager Jobs
A crucial first step to establishing a security program is to assign a Security Manager or Security Officer. Depending on the size of the organization, this may be a dedicated position, or it may be an additional hat bestowed upon some lucky individual. Either way, this person will be accountable for the development, integration, and administration of the security program, and therefore must have an appropriate amount of authority and knowledge to carry out the project.
GRC: The Foundation of Information Security Programs
The foundation upon which any information security program is built is made up of three primary components: Governance, Risk, and Compliance (GRC, for short). This is a concept that is borrowed from wider organizational strategy, but it translates quite nicely into the establishment of a successful security program. Additionally, this strategy is one that many higher education institutions are already adopting for their wider organizations, making it a great fit for security.
Governance has been defined many ways as it relates to any organization, but in its simplest form, governance describes how an organization (in this case our security program) is directed and controlled. This is the aspect of the strategy where we create policies and procedures that our program will follow in order to align with business goals. Without a solid security policy, building a successful security program is nearly impossible.
Risk assessment, analysis, management, and mitigation are the cornerstone responsibilities of our security program. As we define our policies and procedures, we must understand the level of risk the organization is willing to accept (its “risk appetite”) and design our risk management processes accordingly. There is a great deal of analysis that goes into building an effective policy and supporting processes. Analyzing potential threats and vulnerabilities, determining control procedures, and developing methods for transferring or avoiding risk are key activities of this effort.
Every organization must meet certain legal and regulatory requirements. Stakeholders in higher education understand well that there are myriad (sometimes seemingly competing) rules and regulations that must be considered. In the realm of information security, many of these regulations fall closer to privacy than to security at large, but this does not change the need to deal with these compliance issues within our security program. In fact, security policy and controls are key to the delivery of compliant privacy practices.
Implementing IT Security Strategy
Once we have established our overall security strategy and defined a security policy, we need to determine the integration points within the organizational structure. This phase of implementation consists of building security practices into processes and infrastructure, but also contracts and activities of third parties (e.g., vendors, outsourced providers, business partners, and customers). The reality is that information security involves nearly every aspect of our organization. This means that not only will our operational processes, technology infrastructure, and contracts need to be integrated, but every human resource must also buy in to the goals and objectives of our overall security strategy.
Integrating our strategy into a cohesive program means defining the controls we will use to manage people, processes, and technology. There are five basic control categories that we can use to accomplish this:
Preventative – These controls reduce or eliminate specific instances of vulnerability by making the behavior impossible;
Corrective – These controls reduce impact by offsetting consequences after the fact;
Detective – These controls warn of violations or attempted violations;
Compensating – These controls reduce the risk of other controls’ weaknesses through layering;
Deterrent – These controls reduce threat through warnings and notices that influence behavior.
Nearly every program will use a combination of all of these control types depending on the situation. Layering controls is an effective way of providing what is known as ‘Defense in Depth’ and gives more critical areas additional levels of protection. These controls are implemented in any of three ways: 1) Administrative, 2) Technical, and 3) Physical.
Controls, however, are rendered ineffective without cybersecurity training and awareness. Establishing appropriate communication plans for security standards, guidelines, and procedures, as well as developing and providing documentation all help to ensure compliance with the overall security policy. It’s also worth noting that this training is required in order to comply with the DoD 8570 directive, so this step isn’t much of a choice for some federal employees.
In order to enforce the controls, there must be monitoring. It is vital to develop monitors that measure the effectiveness and efficiency of each control. As the impact of security management has exploded in the last few years, so has the sophistication of monitoring and event management tools. Commercially developed SIEMs (Security Information and Event Management platforms) have become ubiquitous in the information security space, and many are now integrating machine learning and artificial intelligence features to assist in the detection and resolution of security incidents. These platforms differ from traditional availability monitoring tools by aggregating threat analysis and real-time logging to identify attacks quickly across even highly complex infrastructures.
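To make the monitoring point concrete, here is a small added example (not code from the original article or from any SIEM vendor) of the kind of detective control such a platform runs: it correlates authentication logs from several hosts, raises an alert when a single source address accumulates a burst of failed logins within a time window, and records whether a successful login followed the burst. The log lines, hostnames and IP addresses are constructed for the example, and the threshold and window are assumed tuning parameters an organization would set to match its own risk appetite.

```python
"""Toy detective control: correlate failed logins per source address across
several hosts' auth logs, the kind of aggregation a SIEM performs.
Added example; the log format below is constructed, not a real system's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like). The same source hits three
# different hosts, which a per-host monitor would not notice on its own.
SAMPLE_LOGS = [
    "2020-02-03T09:00:01 web01 sshd: Failed password for admin from 203.0.113.9",
    "2020-02-03T09:00:04 web01 sshd: Failed password for admin from 203.0.113.9",
    "2020-02-03T09:00:07 db01 sshd: Failed password for root from 203.0.113.9",
    "2020-02-03T09:00:09 db01 sshd: Failed password for root from 203.0.113.9",
    "2020-02-03T09:00:12 app02 sshd: Failed password for backup from 203.0.113.9",
    "2020-02-03T09:00:15 app02 sshd: Accepted password for backup from 203.0.113.9",
    "2020-02-03T09:05:00 web01 sshd: Failed password for jsmith from 198.51.100.4",
    "2020-02-03T09:45:00 web01 sshd: Accepted password for jsmith from 198.51.100.4",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source address when it reaches `threshold` failed
    logins on any combination of hosts inside `window`, and flag whether a
    successful login from that source followed the burst (the case an
    analyst would want to look at first)."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    hosts_hit = defaultdict(set)  # src -> hosts that saw failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrecognised line: skip rather than crash the monitor
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            hosts_hit[src].add(ev["host"])
            while q and ts - q[0] > window:  # drop failures outside window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"src": src, "failures": len(q),
                               "hosts": sorted(hosts_hit[src]),
                               "success_after": False})
        elif src in alerted:
            for a in alerts:
                if a["src"] == src:
                    a["success_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOGS):
        print(alert)
```

The single legitimate user who mistypes a password once and logs in forty minutes later produces no alert, while the source that fails five times across three hosts in eleven seconds and then succeeds does; the count of such alerts, and how many were followed by a success, is exactly the sort of technical metric the later section on measurement calls for.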
Security Incident Response
While the decision to create a dedicated Security Incident Response Team does depend on the size and budget of an organization, this is an important function that must be performed. Security Analysts are unique professionals with a wide range of in-depth knowledge across networking, systems administration, and development.
Metrics and Measurement
In order to continually assess how well the security program aligns with business goals and objectives, as well as how effectively the program is executing on the security policy, it is important to establish a meaningful set of metrics. Deciding on a useful mix of both management metrics (performance and alignment of the strategy) and technical metrics (how well the security controls are working) will ensure that the program is delivering the desired outcomes.
Information Security is, by far, the most critical challenge facing the world of technology. As is the case in many industries, higher education is struggling to keep up with the shifting landscape. Every organization needs to recognize that managing and protecting the data and information we collect and maintain is of paramount importance. Without a solid strategy and bold action, the consequences—to both our reputation and our bottom line—will be devastating. This is not a distant future “what-if” scenario. It’s happening now, in real time, and we must do all that we can to address it.