conference table

Information Security Tops List of Higher Ed IT
Issues In a recent poll conducted by the EDUCAUSE Higher Education Information Security Council (HEISC), information security emerged as the top issue in its yearly list of Top 10 IT Issues. While it’s not surprising that information security is a significant issue and risk, what’s interesting is how consistent the finding are across industries and how the actions taken in higher ed mirror actions taken across other sectors. Regardless of industry, your list of information security issues probably looks something like that of higher ed IT leaders:

  1. Phishing & Social Engineering
  2. End-User Awareness, Training, and Education
  3. Limited Resources for the Information Security Program
  4. Addressing Regulatory Requirements

It’s more than just phishing. Security awareness officers need to build a holistic and comprehensive awareness program that reinforces the right behavior across all risk areas. It’s also interesting to see how information security officers within higher ed approach these risks and challenges. They mirror what we see across many organizations. Here are three solutions to the challenges faced by all security awareness officers across higher ed, business, government and non-profit.

Remember the 3 C’s We’re constantly reminding security awareness leaders to focus their training on the top human risks. Sharon Pitt, CIO at Binghamton University and HEISC co-chair echoed this beautifully when noting that "our security communications team and security leadership have developed targeted communications for specific audiences (e.g., staff with financial authority, faculty, and leadership) regarding our awareness of specific threats and reminders of security practices.” Well put.

Reuse, repurpose and repackage Another challenge for security awareness officers is creating the raw assets needed to get the word out and reinforce the right behavior. That’s one reason the Show 'n Tell sessions (and Tank the Armadillo) are so popular at the Security Awareness Summit. Report authors Joanna Grama and Valeira Voge noted that the EDUCAUSE working group on informational security put together a framework that “includes ready-made content that security professionals and IT communicators can customize and integrate into their information security education communications.” Remember the reduce, reuse recycle mantra? Reduce the noise. Reuse what you can and recycle what works.

Consider ambassador programs "We have a small team with no immediate ability to add staffing to this area, so we are working to extend our capabilities with graduate assistants and with an information security liaison program across campus,” noted Cathy Bates, CIO at Appalachian State University. Working cross-functionally, either through an ambassador program or something similar, is yet another example of doing more with less.  

Sign up for the OUCH! Newsletter to get the latest Security Awareness tips and tricks send to your email.

 

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.