Cybersecurity and Risk Management Strategies for Higher Ed

Higher education CISOs and CIOs must be prepared and ready to face and respond to today’s cyber threats more than ever. 

The Cybersecurity and Infrastructure Security Agency (CISA) will require covered entities to report cyber incidents and ransomware payments to the Agency within hours of their occurrence. Given the number of serious cyber threats reported by higher education institutions, there is a possibility that colleges and universities, too, could face a similar requirement in the near future. 

Moreover, the Cybersecurity Maturity Model Certification (CMMC) has recently launched its 2.0 model, based on the NIST cybersecurity framework. The Department of Defense’s (DoD) phased rollout plan requires all organizations that engage with the DoD to be CMMC 2.0-compliant by October 1, 2025. This represents a real challenge for higher education institutions that depend on DoD contracts and funding for their essential research programs.  

During the recent EDUCAUSE conference, it was discussed that while the CISA regulation will not initially and directly impact higher education per se, it is reasonable to expect that colleges and universities may face federal cyber incident reporting requirements going forward. 

With this in mind, Matt Coose, Founder and CEO of Qmulus, a pioneering cybersecurity software and services firm, shared four top tips with Fierce Education on the risk and security areas that higher education stakeholders, CISOs, and CIOs must cover for a more effective and efficient approach against today’s cyber threats: 

Know your value, protect your value:

  •  Educational institutions don’t operate like commercial enterprises, so the traditional models of mapping risk to the value chain don’t easily translate. However, there are still mission-critical assets and infrastructure, sensitive and regulated data, and intellectual property that must be protected. For research institutions engaged in government and defense research, the cost of a breach or compliance failure can affect their ability to receive continued funding. CISOs and CIOs must be tightly coupled to the “business” in order to understand these critical assets, activities, and environments and to prioritize their protection above all others.

Focus on managing risk, not technology:

  •  It’s tempting to pursue the latest in technical innovation in an effort to defend against the latest threats, whether commercially acquired or home-brewed. Stagnant budgets and constant pressure to do more with less tend to temper these tendencies, yet the pursuit of the latest and greatest tech is fairly common across CIO and CISO organizations. The right approach is to reposition the function from a technology management organization into a risk management one, focused on the top-down, risk-driven, and threat-informed application of capabilities across the environment, inclusive of people, process, and technology. 

Invest in observability, ensure confidence:

  •  Campus environments are notoriously dynamic and tough to manage with traditional enterprise security and compliance approaches. This makes it even more important to create a model for continuous, real-time, reliable monitoring of critical controls deployed in defense of your environment. If you cannot be certain of the state of your controls, you cannot trust the data or the function they are providing. Ensuring confidence in your program and its ability to mount a credible defense in the face of ever-emerging threats should be considered a strategic leadership priority. 

Know yourself, know your foe - now!:

  •  Threats against educational institutions are on the rise, running the gamut from ransomware attacks pursuing financial gain to nation-state actors conducting industrial espionage. We cannot control attacker behavior, but we must understand it and work to predict the likely attack patterns. Threat modeling and mapping of potential attack scenarios against your existing controls must be considered a foundational capability for any enterprise, but especially for educational institutions pursuing sensitive research. Periodic threat modeling should inform risk management decisions, which require leaders to know the state of their controls and their effective capacity to defend against incoming threats, in real time, not based on a stale compliance report from months or years ago. 
