Trustees of educational institutions across the United States are tasked with providing direction to the administration on many subjects and must make difficult spending decisions at the board level. These decisions can and will dictate a lot of what their institute of higher learning will do with the precious money that has been entrusted to them. There are always compelling reasons behind budget requests, and yet, tough decisions consistently need to be made. This can make the friction in the boardroom quite palpable.
I understand these challenges firsthand as a trustee of a small college here in Minnesota. Every request is interesting and sincere, and each has been studied to show how it will attract new students and grow revenues. Growth models are shared. We see charts and graphs. The lobbying is strong. What gets funded are usually the things that show the most bang-for-the-buck on a short ROI schedule. Not everything gets funded appropriately, though.
Information security (infosec), or cybersecurity, is an often-overlooked topic in boardrooms. At FRSecure we talk to many colleges and universities. We know that money is tight and raising tuition is never a popular decision. We know that parents and students are looking at degree programs and rarely look at how effectively a school protects student data. Honestly, students, parents, and faculty assume that student data is protected by the school. I doubt that most people would even bring the issue up. However, as a trustee or someone in senior administration of your college or university, you need to be thinking about the details that don’t make it into a brochure sent to prospective students.
Your institution is a caretaker of a great deal of personally identifiable information (PII) and student data, and you should make a significant investment to protect it. Despite that, infosec investment at the college and university level is often low on the list of priorities and sometimes falls prey to last-minute funding changes. Infosec is often the first issue to fall by the wayside for something seemingly more important at the time. Here is the stark reality, though: the PII that resides inside your institution is valuable to hackers who would love nothing more than to take that information about students and faculty and sell it on the dark web. The less you invest in the defensive posture of your organization, the more likely you are to be breached. By allowing under-funding of infosec, you are making it easier for the certified bad guys to get in and obtain the student information that parents assume you are keeping under lock and key. Not only are you gambling on your students’ and faculty’s important personal data, but you’re also gambling on the reputation of your organization.
The solution is not difficult. It starts with engaging with an information security expert and getting a baseline understanding of where your information security program stands. This baseline understanding should come from a reputable source and through an assessment that is thorough and backed by industry knowledge.
Information security risk assessments will give you that baseline understanding. These assessments measure the maturity of a given organization’s information security program. The result is a numeric value built on the same scale as a personal credit score. More importantly though, they allow you to take what you’ve learned about the state of your information security program and use it to make drastic improvements over a tailored timeframe. If you get a risk assessment that comes with a roadmap (a list of remediation items to help you determine what your information security goals should be and how your organization can work to hit them), you’ll know what steps to take based on your strengths and weaknesses. Part of that is the assistance in making appropriate investments to truly make your program more secure, without compromising the other aspects that are important to the board and your student body.
I understand the difficulty. I’ve debated decisions like this in the boardroom. I understand how challenging it can be to put a focus on information security when you’ve never had an issue and more looming challenges exist. But I want to leave you with this thought: ignoring infosec funding can cause financial loss for your institution and your students. Not to mention, a breach (particularly a poorly handled breach) could tarnish your reputation enough for parents to never want their kids to attend your school. The decision for educational institutions to take information security and student data seriously is a critical one. It can be easy to focus on things that will make your institution more immediate money, but the monetary and reputational losses of a poorly handled breach could easily eclipse the potential increase in revenue you may see from funding another program in its place. This investment is a simple cost of improving your institution as a business, and you should fund it appropriately and without reservation.
To help your school protect its reputation and its student data, contact FRSecure for a security risk assessment. Understanding where your organization stands is the first step in making immediate and impactful improvements to your infosec program.