Universities are subject to many information security regulations and contractual obligations. While it may seem attractive for a university’s chief information security officer (CISO) to cite these regulations when justifying new security tools and processes, taking this “compliance mandate” approach often backfires.

This article is the second in a three-part series exploring common information security governance mistakes at higher education institutions and how to avoid them. Series topics include:

• Creating data security silos
• Treating cybersecurity as a compliance mandate
• Approaching each new data security requirement as a separate project

Avoid treating cybersecurity as a compliance mandate

Many cybersecurity requirements apply to higher education institutions, ranging from contractual obligations to protect intellectual property to federal rules regulating sensitive data.

Some examples of these compliance requirements include:

• Research sponsors may include cybersecurity requirements in contracts. For example, many federal agencies include specific language requiring institutions to follow NIST 800-171 guidelines to protect Controlled Unclassified Information (CUI) from unauthorized disclosure.
• Universities conducting research funded by the Department of Defense may need to plan for a Cybersecurity Maturity Model Certification (CMMC) audit to qualify for research funding.
• Universities must protect student financial information using rules typically followed by lenders. In the past, this mainly focused on following the guidelines in the Gramm-Leach-Bliley Act (GLBA). Since 2015, the U.S. Department of Education has also urged institutions to follow CUI guidelines (such as NIST 800-171) to protect student financial information.

CISOs in higher education confront challenges that are unique to their industry when safeguarding sensitive institutional data and complying with cybersecurity requirements. For example:

• Universities place a high value on open communication and the development and free circulation of knowledge. Concepts such as “academic freedom” may make it difficult for a CISO to implement data protection measures that would be normal in other sectors.
• Many campuses have highly decentralized information technology (IT) organizations, which are managed by individual colleges and business units. It might be tough to implement uniform IT risk management practices across the institution because of this.
• Many institutions lack the robust board-level IT risk governance and oversight procedures that are typical in businesses. The CISO must navigate complicated internal politics to achieve results through indirect influence and collaboration.

Obstacles such as these might tempt a CISO to use compliance requirements to justify implementing security objectives. Pointing to external mandates might seem the fastest way to achieve necessary change, especially at institutions with relatively immature governance practices.

Using “compliance” to justify data security can undermine goals

A CISO can use compliance requirements as a tool to help them improve their institution’s security posture, but these gains are typically fleeting. Blaming external requirements rarely brings about lasting change to improve information security governance and IT risk management processes.

Relying too often on external mandates can undermine an institution’s cybersecurity program in several ways.

Alienates rather than engages stakeholders

Nobody likes to hear “because I said so” when asking for an explanation. Unfortunately, when a CISO points to “regulatory requirements” as the driving force for security improvements, some stakeholders may feel like they’re being told “because I said so.”

Blaming external mandates won’t help executives, faculty, or IT personnel understand how information security activities protect against risks. It also won’t help explain how cybersecurity supports campus goals, such as increasing research funding or safeguarding student, staff, and alumni personal information.

Encourages checklist approach toward cybersecurity

Another disadvantage of relying on regulatory requirements is it may lead to a checklist mentality. Instead of “risk management,” the standard for evaluating success becomes “gap assessment.”

The primary goal of an information security program should be to safeguard the confidentiality, integrity, and availability of the university’s information assets. While compliance gaps pose a potential financial risk, these costs are typically minor compared to the consequences of a data breach.

No compliance framework offers an absolute guarantee against a data breach occurring. When a CISO concentrates too heavily on compliance goals, it might cause institutions to be complacent about making further security improvements. Attackers constantly evolve their techniques, so security strategies must evolve as well.

Delays improvements until “required”

Relying too heavily on compliance to drive security strategy can delay improvements until there is an imminent deadline or audit.

For example, many institutions still struggle to encrypt all personal computers. This capability has been a feature of major operating systems for years, and it is one of the easiest ways to reduce risk of data breaches from a lost or stolen device. However, because device encryption is not “required”, many institutions still struggle to get universal adoption of this basic security measure.

This reactive approach may leave the institution vulnerable to attack. As mentioned earlier, attackers are constantly evolving their methods, so institutions need to have a proactive security strategy that anticipates potential threats.

Focus first on security risks and cyber resilience

Rather than relying on a compliance checklist, CISOs should prioritize strategies that establish cyber resilience.

Comprehensive cyber resilience moves beyond completing a checklist to provide three capabilities:

• PREVENT: To defend against the most prevalent cyber threats facing higher education institutions, use proactive information security controls, such as network security and endpoint protection.
• MITIGATE: To minimize the impact of a breach, implement reactive security controls, such as intrusion detection systems and incident response procedures, to detect and respond to attacks that bypass the preventative controls.
• SUSTAIN: To ensure the information security program has adequate funding and leadership support, establish an effective information security governance framework, security policies and procedures, reporting metrics, and staffing plans.

Adopting a cyber resilience mindset enables the CISO to align information security services to the university’s research, teaching, and business goals while also providing flexibility to react to changing cyber threats while managing risk.

Avoid security governance mistakes by not relying on external mandates

While a CISO may find compliance requirements useful in communicating their security improvement goals, relying too heavily on compliance to justify the security program might backfire.

A more effective strategy is to focus on cyber resilience measures that prevent most attacks, minimize the harm caused by attacks that get past the preventative measures, and ensure the ongoing operation and success of the program.

In the next article of this series, learn why institutions should avoid approaching each new data security requirement as a separate project.

‍