Securing the Ivory Tower in a changing world

Convergence of technologies and responsibilities creates new and expanded roles for university CISOs


The world of information security is an interesting one, and oftentimes we who have chosen it as a vocation suffer from an identity complex. At least the discipline is now well enough established that we don’t have to explain our roles to people when they ask us what we do. Still, there is an element of mystery, and a difficulty in providing a concise answer when queried. I find it funny when I attend a conference or seminar and I hear the usual question asking how long the attendees have been in the information security field. This question is becoming more and more irrelevant, as the roles and responsibilities now are not the same as those of ten, fifteen or more years ago. A great deal of this is because of the ever-changing landscape that we know as information security.

Information security is no longer the troglodytes at the end of the corridor, working in dark offices or cubes, and living on Skittles and coffee. Security is now a respected member of not only the IT division, but the overall enterprise. With the integration of some aspects of physical security, privacy and compliance, the CISO may find themselves covering numerous areas of risk. It was not long ago that information security was having a hard time getting a seat at the table, and now it may find itself wearing multiple hats at that very same table.

This is certainly the case in higher education. While many institutions have created chief privacy officers and compliance areas, others chose to let the CISO cover these roles. And this makes sense, as looking at the confidentiality, integrity and availability of these areas holistically supports economies of scale, and creates a strong focus on reducing risk. Recent high-profile and well-publicized breaches in higher education have put an increased spotlight on the CISO function in higher education, and on how overall information protection is accomplished.

Higher education is a stimulating and challenging area for security. With numerous constituents, including faculty, staff, students, researchers, scholars, visitors, applicants, parents, donors, sports fans and more, the mission can be daunting. While BYOD is a relatively new term for many entities, higher ed has been dealing with the issue as long as there have been personal devices. Many students (and faculty) have multiple devices that they need to connect to the network. Add to this decentralization, openness and academic freedom, and it is obvious that there needs to be a focus on information security. Higher education also continues to be a target for the darker side of the internet. We are a target because of the openness we embrace, the databases we may be keeping, and the valuable research that we participate in.

Changing the Mission

So how do we deal with the ever-evolving mission, and the ever-increasing threats? It takes a comprehensive view of security, which includes partnerships, governance, awareness, networks and business skills.

It all begins with a robust and agile strategy, structure and foundation of network security. Many institutions still have flat networks, and because of the openness of a campus, this architecture can be an incubator of issues. However, with the advent of APT and other emerging and serious attacks, this view is changing. Network security in higher education now utilizes segmentation as a key security strategy to reduce attack vectors and to minimize any compromise or disruption. In addition, protecting the most valuable areas of the network is a continuous focus, be it for the data these areas contain or the function that they perform. Many schools have dedicated security analysts and engineers in their network teams, and have even created security operations centers, as the need for proactive measures and quick response has taken center stage. Strategic alliances for network security are also necessary, through the Research and Education Network ISAC, which also aids in incident response.

More Than a Firewall
