When dealing with IT security, it pays to plan ahead.
Many colleges and universities approach IT security reactively, tackling problems when they arise as opposed to preventing them from occurring. But this method has damaging financial and organizational repercussions, said Ed Bassett, vice president of global security practice at CIBER, an IT consultancy.
“There’s a tendency to handle [IT security] with a firefighting approach, where you wait until something bad happens, and when it does, you scramble all the troops and try to fix it as best you can,” he said. “It’s a painful way to handle it.”
The root cause might be that educational institutions are fundamentally based on a culture of openness to which IT security is perceived to be a roadblock, Bassett said. That security incidents are relatively infrequent only exacerbates the problem.
Additionally, since IT security was originally considered a network function — protecting the Internet from hackers — it developed organically into a cause-and-effect practice.
“Early on, when there weren’t many solutions available, firewalls came out billed as ‘the silver bullet’ — they could protect hundreds of systems in one fell swoop,” Bassett said. “So it sort of started this trend of, ‘Oh, you’ve got a problem? Here’s a solution.’ And I think the industry built itself up around that, designing a lot of point-solution technology.”
As a result, a university in distress would rely heavily on customized software and an individual IT pro’s personal heroism to save it from disaster.
Ultimately, this approach became too inefficient and too expensive for institutions to rely on.
“The biggest impact we’ve seen there is that the spending is not predictable,” Bassett said. “[CIOs] were looking for something that was a little more of a systemic fix.”
The key to doing just that, instituting a more comprehensive security plan, is taking a strategic rather than a tactical approach and modeling security spending as a percentage of the overall IT budget, Bassett said. That model should keep in mind that security spending averages are expected to drop to 4 to 6 percent (from 6 to 8 percent) of all IT spending in the coming years, he said.
“In the long run, security becomes cheaper by raising your level of operational maturity,” he said.
And the benefits aren’t just fiscal: A proactive approach to IT security can also improve overall effectiveness.
“If you look at the approach that had a lot of point solutions, a lot of individual contributors doing their thing, sometimes the security will be inconsistent across the enterprise,” Bassett said. “It may be very good in one place, very weak in another, just based on the skills of one individual employee.”
Institutionalizing security also makes it more predictable and, therefore, easier to demonstrate to users, Bassett said. This is particularly important when faced with alumni donors, whose gift-giving intentions might be swayed by their confidence in the system.
“Alumni givers and students are expecting that when they turn over their personal information, it’s going to be well protected,” he said. “If their institution is perceived as doing a poor job, people might opt not to do business with them.”
Still, one of the biggest hurdles for institutions hoping to implement an overarching, proactive approach to IT security will be to overcome the perception that it in some way jeopardizes the sharing of information.
“We’re not talking about reducing the services that students are getting,” Bassett said. “So, we need to make it clear that the security is not going to restrict that discourse, but rather protect its integrity.”
– Agatha Gilmore