Savanti: InfoSec questions for Higher Education leaders

Our friends at Savanti (http://www.savanti.co.uk) have written a very thought provoking article covering important questions for Higher Education leaders.

Like many organisations, some universities are struggling to deliver information security (InfoSec) effectively.  What differentiates universities is the unique Higher Education (HE) context in which they operate and the robust yet flexible approach they need to adopt in order to meet legislative and regulatory requirements; enable teaching and research; and be effective for a diverse range of students, staff, and visitors.

The InfoSec challenge for the HE sector is growing as a result of increasing cyber attacks directed at universities; more demanding external requirements; a strengthened data protection regime; and difficulties in recruiting and retaining the right security resources.

Unfortunately, not all institutions are meeting this challenge effectively.

InfoSec can no longer be treated as a technical issue for IT staff to manage.  It requires support and leadership from across the institution, especially from senior staff to ensure it is effective.  As a university leader, how easily can you answer these key questions?

1. Do you know what secure looks like and how to get there?

The required security measures will differ across the sector depending on the risk profile and appetite of the university; the nature of your teaching and research; and the individuals involved in the delivery of security.  Articulating and understanding what secure looks like will require:

• A thorough understanding of the relevant information security objectives and requirements, and an assessment of the risk profile of your university and the appetite for addressing it

• The ability to develop an approach to security that enables your core teaching, research and administrative processes

• Clear roles and responsibilities for the delivery of InfoSec

• An agreed, prioritised and supported programme of work to achieve your objectives

2. How do you know how secure you are?

InfoSec will usually feature on your university risk register with a statement of how effective the mitigations are.  However, articulating the security level of your university in an accurate and meaningful way can be difficult and achieving this will require:

• A holistic security reporting framework that combines metrics and information about maturity, compliance, risk, incidents and threat

• The ability to report on security in a meaningful way to a range of stakeholders

• The right expertise to know where to look for shadow IT and risky activities

• Appropriate independent validation and assurance

3. Is your security function set up for success?

Universities can be challenging environments to actualise and bring about change, particularly those with a devolved nature.  As a result, having the right people in your security function who operate in the right way for your institution is key.  This does not mean that you will need dozens of dedicated security staff, but you will require:

• Dedicated security leadership, possibly a Chief Information Security Officer (CISO), to set direction and strategy

• The effective use of external support (contractors and consultants) where required to accelerate progress and upskill your staff

• A clear approach to recruiting, developing and retaining your central and dispersed security resources

• A focus on making security work for staff and students and adding value to core university activities

4. Is demonstrating compliance creating an unnecessary burden?

Most universities will be subject to external compliance requirements, typically PCI-DSS for card payments; the NHS DSPT for medical research; and Cyber Essentials for governmental work.  Meeting these obligations whilst not overloading the whole university will require:

• An ability to translate often complicated external requirements into manageable actions for staff and students

• A university-wide security framework that provides a foundation for all, and allows for greater compliance where required

• Mechanisms to ensure that new IT systems, administrative processes, and research activity is appropriately secured from the get-go

• An effective approach and arrangements for ongoing compliance and assurance activities to ensure confidence that requirements are being met

5. Are you keeping pace with other institutions?

Given so much research, and a growing amount of teaching and administration requires universities to demonstrate effective information security arrangements, getting this right is becoming a “business enabler” for leading institutions.  Understanding how your institution compares will require:

• Understanding what your peers are doing and how they are tackling their security challenges

• Utilising sector groups and events to share knowledge and experiences

• Taking good practice from outside the sector to accelerate your improvement

• Drawing on external support to highlight strengths and weaknesses

What do your answers look like?  If you are not sure or do not know how to start answering them, we can help. Savanti have demonstrable experience of leading change and successfully improving information security arrangements in the HE sector.

Visit www.savanti.co.uk for more information and additional Thought Leadership posts.