In light of the recent Penn State data breach, it seems higher education struggles with resource constraints more so than in private industry. How do you communicate the security risks to university leaders and boards, and to what degree does private industry play a role if, for example, you are partnering with a company to commercialize research?

Overall, in Higher Ed, budgets are not as expansive as they are in private industry – this is true for all aspects of IT and also general support services, not just Security. Having said that, a review of a lot of the EdTech communications would reveal that we, as a research industry, are just now waking up to the Security implications on our research data. Researchers care relatively less about data theft – they want their stuff to be public, mostly – but they care deeply about the integrity of the data. It doesn’t occur to university leaders that they may have research data that is modified without their knowledge, and that they would only find that out after years of research investment of time and money. The other inhibiting factor has been the distributed nature of IT at most higher Ed institutions. Here at OSU we have over 130 individual units with their own IT, standards, and budgets. This creates two big problems:
- Getting people to know when an apple is an apple, and not a marsupial; and
- Getting upper management visibility across disparate systems and units
Are there currently requirements from private industry with regards to security controls being put in place when conducting research, or exchange of technology?

Private industry is not yet consistently REQUIRING researchers to include security controls in their research plans – we’re pushing that from our side. Our framework aligns to NIST, which allows for mapping to ITAR/DOD research, but processes between the acronym agencies and HigherEd researchers are still maturing. You will see a rash of Universities starting to invest in Security technologies as a result of all this activity. Boards cannot ignore the fact that we’ve underinvested in Security for too long. Research, not federal/state dollars, will be the largest part of the income pie for most research universities – we have to get this right.
What is one of the most challenging aspects of dealing with cyber security for a large academic institution?

The hardest part about external University spend is that we are not one industry, with one behavior footprint (like Finance, Retail, Healthcare, etc). We are ALL industries (did I mention that OSU owns a Nuclear reactor, a golf course, a hotel, an airport, etc?), so having external security services companies try to identify “normal” behavior is really tricky. Not impossible, but tricky. If a vendor can invest to solve this problem for HigherEd, they will corner the market for all other industries. Vendors also need to realize they cannot eat all the university at one time (here at OSU it takes 2 to 3 years to roll out a new security product) – so pricing and licensing has to be flexible to allow for consumption-based pricing, or vendors will immediately price themselves out of range of most universities. Don’t think for a second, though, that funding isn’t available – it is. Universities and vendors need to partner to get creative enough to get things accepted in the context of the higherEd environment.

Title image courtesy of ShutterStock