SANS Announces Results of its Survey of Security at Higher Education Institutions

Lack of Risk Assessment Practices; Unclassified and Unmanaged Data; Understaffed and Underfunded

  • Bethesda, MD
  • June 10, 2014

SANS announces results of its inaugural survey of security in institutions of higher education, in which nearly 300 higher education IT professionals answered questions about the challenges of making their environments secure while maintaining the openness needed by faculty, staff, students and benefactors in traditional educational models. The survey was sponsored by Alien Vault, Tenable Network Security and Trend Micro.

The majority of respondents represented IT staff working predominately at US institutions: 48% at public universities, 19% at private universities, 10% at private colleges and 7% at two-year public/community college institutions. They represent a good blend of security management and technical security roles.

"IT staff at colleges and universities always feel as if they are isolated--that no one else faces the same challenges, but this isn't the case," says survey author Randy Marchany. "Our message from this survey is that you're not alone. All of us share the same problems in creating and maintaining a secure campus."

Of the organizations represented in the survey, only 45% have formal risk assessment and remediation policies in place. The situation is worse in smaller institutions, where only 31% have such policies. Yet all respondents say their organizations are required to secure a variety of personally identifying information across different types of networks, with often competing privacy requirements.

Yet, only 57% classify their sensitive data and provide guidelines for safe data handling, and even fewer (55%) define appropriate owner, user, and administrative roles. Staffing and budgeting for institutional security are key reasons why organizations are failing to protect their confidential data, according to the survey. While 64% believe they need 1-5 FTEs of additional staff, 43% believe they cannot pay premium rates for skills needed. Lack of budget, selected by 73% of respondents, is deemed a cause of not being able to maintain or increase IT staffing.

"Despite these concerns, institutions are working to provide an open and secure educational environment to their clients, the faculty, staff, students, parents and benefactors," Marchany adds.

SANS will release the full set of results at a webcast featuring Randy Marchany, Paul Asadoorian, Patrick Bedwell, and Christopher Budd on Tuesday, June 17, at 1 PM EDT. Register for the complimentary webcast at

Those who register for this webcast will be given access to an advance copy of the associated report developed by Randy Marchany.

Tweet this:
Colleges and universities lack risk assessment policies. Attend June 17 webcast @SANSInstitute.

Data classification and role definition needed. Attend June 17 webcast @SANSInstitute.

Staffing and budgeting concerns pose challenges to IT security in higher ed. Attend June 17 webcast @SANSInstitute.

The SANS Analyst Program is part of the SANS Institute.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.