Cybersecurity Straight A's: Be an Ace in Your Academic Space

October is National Cybersecurity Awareness Month. So, I thought this would be an opportune time to post an article on cyber risk and how to increase your success in gaining the buy-in and support of executives and boards for risk mitigation efforts.

Cyber risk is one of the top risks in higher education. The same is true of other sectors, but what makes cyber risk harder to manage for colleges and universities is a perfect storm of uniquely decentralized structures and vast amounts of data, which together make them particularly attractive to cybercriminals.

Balancing academic freedom and data protection

Higher education operates on an "open network" philosophy rooted in the importance of academic freedom and collaboration. The college environment also serves diverse audiences and holds lots of sensitive data, never mind the research IP. This makes universities attractive targets for:

  • Nation-state actors (research theft)

  • Cybercriminals (student data)

  • Hacktivists

Higher education CISOs and Risk Managers thus face the daunting task of promoting strong governance while contending with resource and staffing constraints, cultural opposition, and a dynamic compliance and regulatory environment that can affect the campus community on a global level.

So, how can Risk Managers and CISOs partner together to obtain executive and board support to build a robust cyber posture and reduce institutional risk? I have listed a few recommendations below.

Recommendations for Success

  1. Build strong cross-functional relationships: CISOs and Risk Managers are pivotal to bridging the gap between technical cybersecurity details and board-level strategic understanding. It is essential to work together regularly to move cyber mitigation efforts forward, not only at the cyber renewal or in the event of a claim.

  2. Develop flexible, risk-based security frameworks to balance the need for a strong risk posture and innovation. Implementing a zero-trust architecture, which includes "least privilege" access, is another way to mitigate risk.

  3. Align your risk mitigation resources with strategic goals and monitor your control effectiveness.

  4. Create and frequently update cyber incident response plans, including performing tabletop exercises.

  5. Partnerships are essential. Build rapport with in-house academics and other industry experts to support awareness, reduce blind spots, and share best practices and lessons learned.

  6. Support and dedicate resources for training and education. This is one of the easiest and least expensive ways to mitigate risk. The importance of top-down support for the university community to complete training cannot be overstated.

Best Practices for Board Communication

  • Stay out of the weeds and minimize the use of technical or risk jargon in meetings and presentations.

  • Present the challenges candidly but with solutions.

  • Don't underestimate the board's understanding; be prepared for probing questions.

  • Understand the key performance indicators (KPIs) that matter to the board and ensure that your data supports them.

  • To be more impactful, provide context for your "asks" by sharing relevant case studies from peer institutions.

Effective and proactive communication with the executive team, boards, and fiduciaries is essential for securing support and resources for cybersecurity initiatives to reduce institutional risk.

Aligning risk mitigation strategies with your institutional strategic goals, sharing supporting metrics to demonstrate value, and focusing on the cyber risks that have the greatest business impact will help build credibility and trust and ultimately enhance your institution's cyber posture and resiliency.
