Chris Schreiber
Your firewall team, email administrators, and server engineers already make security-critical decisions every day. Yet fewer than one in five institutions have formal technical security training programs for these IT staff members.
Your firewall team, email administrators, and server engineers already make security-critical decisions every day. Yet across 200+ higher education assessments, we found that fewer than one in five institutions have formal technical security training programs for these IT staff members.
This disconnect creates unnecessary risk in an era when higher education can't afford it.
You're competing in a global market already short 4.8 million cybersecurity professionals, according to the 2024 ISC2 Cybersecurity Workforce Study. The talent gap won't close anytime soon. If you can't hire your way to safety, you must cultivate the skills you already pay for.
The blind spots in your security program aren't exotic zero-day techniques. They're everyday tasks that fall outside traditional success metrics.
Your network engineers excel at uptime but rarely receive structured training on log analysis, anomaly detection, or firewall rule hygiene. Yet vulnerability exploitation against edge devices jumped 800% year-over-year as an initial breach vector.
Your developers track features shipped, not security flaws prevented. Competencies like dependency management, secret handling, and threat modeling are "assumed" rather than taught.
Your user services teams optimize for ticket closure speed, not security fundamentals like verifying disk encryption is in place or secure device lifecycle management.
Your identity administrators handle MFA deployment but may lack training in privilege hygiene and how best to correlate MFA logs with the SOC.
These gaps persist not because your teams lack skills, but because security responsibilities remain disconnected from their performance metrics.
Forward-thinking institutions merge security KPIs into the scorecards that already drive operational behavior.
West Virginia University hard-codes CVSS-based remediation windows into IT service objectives. When network and server teams see patch SLAs next to availability SLAs, backlog reduction becomes a shared win, not "extra work from security."
Transparent, role-based reporting creates positive change. By publishing weekly dashboards ranking campus IT units on mean time to remediate (MTTR), institutions can drive significant improvement in MTTR with a little friendly competition and a reminder that senior leadership cares about this metric.
The most effective approach frames every metric in terms of mission risk. When a database outage and a critical exploit both threaten classroom continuity, operational staff recognize they're chasing the same outcome.
By inserting clear, risk-aligned KPIs into dashboards operational teams already watch, you convert routine IT work into measurable security gains without adding headcount or tools.
When implementing cross-training initiatives, you'll may encounter three types of resistance: budget protection, bandwidth concerns, and the "not-my-job" mindset.
Network, application, and desktop managers naturally guard their training dollars for certifications tied to traditional KPIs. Counter this by reminding them that security is now an institutional competency, not a bolt-on project. EDUCAUSE lists cybersecurity as the #1 strategic priority for 2024.
Create a single training cost center sponsored jointly by the CIO, CTO, CISO, and the rest of the IT leadership team. When the money lives in one pot and the leadership team negotiates openly among themselves, territorial debates fade.
Teams worry about downtime from stepping away to learn. Solve this with micro-learning: 15-minute, role-specific modules dropped into existing stand-ups or sprint retrospectives. According to Gartner, 77% of leaders plan to grow security-training budgets, yet 47% still cite "strategic misalignment with the business" as a top obstacle. Embedding lessons in team members' daily routines closes that alignment gap.
Nothing shifts culture faster than visible, shared metrics. Publish a weekly dashboard that ranks units on vulnerability dwell time and recurrence. When staff see their name next to a risk number, fixing issues becomes a point of pride.
Celebrate wins publicly in town halls and intranet shout-outs. Peer validation motivates more effectively than another policy memo.
Cross-functional tabletop exercises create powerful learning opportunities. Consider the University of Auckland's 2021 ransomware tabletop, which brought together participants from across the institution.
The scenario forced a campus-wide shutdown of everything from learning management systems to HVAC. Because every step required cross-team hand-offs, long-standing "not-my-job" lines dissolved in real time.
During the post-exercise review, the group identified gaps that only became visible when everyone was in the same room: 17 overlapping outage procedures with conflicting escalation paths, and no single channel for real-time status updates.
Another institution we work with used a tabletop exercise to consolidate incident procedures into one campus incident-response playbook. They also created a shared chat channel so team leads from each functional area could communicate more efficiently during larger incidents.
Subsequent drills cut decision-making time from hours to minutes and produced measurably faster containment during a live phishing outbreak later that semester.
When every role rehearses shared scenarios that cross traditional silos, ownership becomes collective, and coordination improves long before the next real incident.
You can launch a credible cross-training program without adding new dollars or headcount:
By repurposing existing dollars, tapping freely available free training resources, and embedding learning into the rhythms of IT work, even cash-strapped institutions can turn everyday operations into coordinated cyber-defense practice.
Over the next few years, the wall between "the security team" and "everyone else" will continue to erode in higher education. Three forces drive this convergence:
Cloud-first architectures. Eighty-one percent of campuses already run workloads in two or more public clouds. When sensitive data lives outside the campus firewall, network engineers, database admins, and SaaS owners become the de facto perimeter.
Zero-trust adoption. Gartner predicts that by 2025, more than 60 percent of organizations will treat zero-trust principles as their security starting point. Implementing continuous verification and least privilege shifts day-to-day control from a small SOC to every service operator and identity custodian.
Workforce economics. With a 4.8 million-person global cyber talent gap, hiring a standalone specialist for each control simply isn't feasible. Institutions must grow capability from within.
Practically, this means security groups evolve into risk coaches who set policy, supply tools, and curate analytics while general IT staff own secure configuration, real-time monitoring, and rapid remediation for their domains.
Expect to see mixed "service squads" (identity + app dev + SOC), joint KPIs that pair uptime with risk reduction, and shared micro-credential programs that rotate through existing staff.
In short, security excellence will become indistinguishable from operational excellence, and every technologist will wear at least a part-time defender's hat.
Focus on metrics that tie staff development to risk reduction and, ultimately, to avoided costs:
Combining "people" metrics (training coverage), "process" metrics (dwell time, MTTR), and "business" metrics (incidents avoided) gives leadership a clear story: every additional staffer cross-trained translates into faster fixes, fewer incidents, and money saved when fewer data breaches happen.
Role-based programs work best when they blend foundational security theory with hands-on skills that map directly to each team's daily tools and metrics.
Mapping these targeted competencies to each group's existing KPIs ensures the training feels relevant, measurable, and worth repeating every year.
Aim for a T-shaped skill profile: give every technologist a broad, shared baseline (the crossbar of the "T") and then add a narrow, deeper column that aligns with the risks they directly manage.
Start broad with one language, one playbook. Deliver a short core curriculum on phishing indicators, incident-reporting paths, vulnerability severity (CVSS basics), and least-privilege principles. Keep it to 90 minutes of micro-modules per quarter so no team feels overloaded.
Go deep where it matters most. Map each role to a single high-value control and invest extra depth there: network engineers master CASB policy design; system admins drill on risk-based patching; developers practice OWASP Top 10 code reviews. Limit deep dives to 6-8 hours a year so they fit existing training budgets.
Create an upsell path for enthusiasts. Offer elective badges or more extensive training labs for staff who discover a passion for security. You may find that some "non-security" learners later fill hard-to-hire SOC or analyst roles. This creates an organic talent pipeline with zero recruiting cost.
Measure both reach and impact. Track baseline training completion rates and time-to-remediate metrics together. Institutions that pair 90% coverage with focused MTTR targets find this focused improvement can reduce incident costs.
The result is a program that everyone can finish, nobody resents, and a few will leverage to become tomorrow's cybersecurity specialists.
Technical proficiency only goes so far. Resilient campuses cultivate three complementary "human" capabilities across every IT function:
Risk framing. Encourage staff to think like advisors, not gatekeepers. When a server admin raises a configuration question, the conversation should start with, "What risk does this reduce, and is it proportional to the effort?" That mindset replaces rule-following with risk-informed decision-making.
Psychological safety for disclosure. Incidents surface faster when people feel safe admitting mistakes or flagging suspicious activity. Regularly celebrate "near-miss" reports and make post-mortems blameless. Teams learn that bringing news early is a career-positive act, not a liability.
Collaborative muscle memory. Build routine cross-team touchpoints, such as shared chat channels, monthly ops-plus-security stand-ups, and tabletop drills. This ensures you forge relationships before a crisis hits. Familiar voices on the incident conference call translate into quicker hand-offs when minutes matter.
You can turn the information security office into a risk coaching function and break down traditional team silos. This ensures that incident response activities are better coordinated, more transparent, and focused on rapid risk reduction rather than finger-pointing.
The familiar refrain "security is everyone's job" remains hollow without structured training, aligned incentives, and shared metrics.
By mapping security competencies to existing IT roles, embedding micro-learning into daily workflows, and measuring outcomes that matter, you transform your entire IT organization into your cybersecurity front line.
This approach doesn't require new headcount or massive budget increases. It leverages the team you already have, the tools they already use, and the institutional knowledge they already possess.
In a world where the cybersecurity talent gap continues to widen and higher education remains a prime target, your best defense isn't hiring more specialists. It's unlocking the security potential in every technologist you employ.
Start small, measure relentlessly, celebrate progress, and watch as security excellence becomes indistinguishable from operational excellence across your entire IT organization.
