EDUCAUSE 2022: Security experts discuss innovation and partnerships | Techno Glob

Incorporating security into IT offerings requires risk management

Risk management is top of mind for many CIOs as they work to incorporate security into a university’s overall IT service offering.

“It’s a risk-based approach, where you monitor your risk, you understand your risk, and then you prioritize your capabilities to respond to that risk based on the highest level of risk and the highest potential impact to your organization,” said Stan Waddell, CIO of Carnegie Mellon University.

At Princeton University, CISO David Sherry said that risk management is baked into the mission of the organization’s IT department. Information security is programmatic and cultural, he said, supporting Princeton’s overall efforts to support its teaching, research and education.

“Programmatic” means that IT security is part of everything that happens at the university, from hiring new staff to buying a new copier or evaluating a new cloud service. The cultural aspect requires a campus-wide awareness of the importance of cyber security.

“It means that everyone is aware of security, the security mission and the security team, and they recognize that they have a role to play,” Sherry said. “We culturalize them by teaching them that security is important in their personal lives as well, because we think if they think about security from 5pm to 8am, they will think about security from 8am to 5pm. It is slowly but surely working and we are changing the culture of the 275-year-old university.”

University of Michigan CISO Sol Berman said he’s seeing the biggest improvements in process: building security assessments into existing processes and breaking down silos between security experts and the rest of IT.

Balancing innovation and operational excellence

Support for innovation can start at the employee level. When Sherry was building his security team, the first people he hired were people with organizational knowledge he knew he could trust. Since then, he has made it a point to hire experts from other schools and industries.

“It’s a different way of thinking that blends innovation and operational excellence,” he said.

He sees mistakes as learning experiences that will make his team better in the long run.

“Me and my staff, we use an old quote from football coach Don Shula,” he said. “He says, ‘Strive for perfection and settle for excellence.’ Sometimes our roles are like ladders and ladders. We get a ladder, we climb up a little bit, but sometimes we get a ladder. We do some post-mortems, and we say, as long as you learn from it and we start moving to the next ladder and some level of excellence, that’s fine with us.”

Waddell sees things a little differently. Previously CISO at the University of New Hampshire, Waddell in his current role understands the IT security team’s responsibility to be good stewards of its resources while contributing to the university’s overall mission. This means managing risks as much as possible while understanding that they can never be eliminated.

“For a few days,” he said, “now it’s our turn. Bad guys can be lucky, so we want to make sure we have the right balance and tools in the game so people can get their jobs done.” If people can’t do it in a secure environment, they’ll find another way to do it, he said, one that’s less secure than what IT professionals can provide.
