Implementing a Risk-Based IT Security Strategy in Higher Education

November 25, 2020
[First] [Last]

It’s no secret that information security is the number one concern of IT leaders in higher education. For the third year in a row, information security was at the top of the Educause Top 10 IT Issues list as colleges and universities struggle to keep up with evolving threats and challenges. Specifically, IT leaders are concerned about developing a risk-based security strategy and educating institutional leaders about security risks.

Although many institutional leaders expect IT leaders to simply fix information security problems, IT leaders recognize that a data breach is a matter of “when,” not “if.” As a result, schools need to develop a risk management strategy and make investments based upon which risks are acceptable and which are not. If you can’t quantify and manage risk, the same security issues will continue to cause problems, even as new, more serious issues emerge.

Of course, risk management issues aren’t limited to higher education. Recent research from the FAIR Institute found that risk management is immature across industry sectors, even in the industries that received the highest scores – health, finance, consulting and insurance. Researchers learned that most organizations were simply going through the motions instead of using analytics to measure and prioritize risk and make informed decisions. This is typically traced back to a lack of understanding of risk and how to evaluate it.

Risk management is the process of identifying the threats to an organization's assets, estimating the likelihood and impact of each, and then directing resources and implementing policies to control the most serious risks and reduce the vulnerabilities they exploit. Risk management can also involve the deliberate acceptance of certain known risks, usually because the likelihood of the threat is low or because the cost of mitigation would exceed the expected loss.

Risks can be financial, operational and strategic. In the area of IT security, risk management focuses on threats to digital assets such as proprietary data, the private data of employees and customers, intellectual property, and trade secrets. Threats range from the modification or deletion of data by unauthorized users, to accidental system configuration errors, to weather events that cause an outage.

A critical part of risk management is the communication of risk and associated strategies to executive management. The mistake many IT security professionals make is in the language they use to explain risk. They tend to use technical jargon rather than explaining the real-world impact of IT security risks from a business standpoint. Institutional leaders need a clear understanding of what data assets exist, how those data assets are classified, the importance of various data classifications, how data is being protected, and the risks associated with each data category.

Communication of risk management to institutional leaders should be based on a thorough risk assessment. For each risk, this should include a description, the potential impact, the likelihood of the risk occurring, the strategy for dealing with it, the costs involved, and the residual risk that remains after the strategy has been implemented. Residual risk is the figure leadership must weigh against the institution's risk appetite: if it is still too high, the strategy needs strengthening; if the strategy costs more than the loss it prevents, accepting the risk may be the better decision. These insights, not technical jargon, will enable senior leadership to determine what action should be taken.
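The following is an added example, not part of the original article or of any named vendor product, of what such an assessment looks like when the fields above (impact, likelihood, strategy, cost, residual risk) are recorded per risk and turned into a ranked, decision-ready summary. It assumes a simple annualized-loss model: each risk has a single-loss expectancy (dollars per occurrence) and an annual rate of occurrence, so expected annual loss is their product, and a control is worth adopting when the loss it removes exceeds its annual cost, which is the acceptance rule described earlier. The register entries, dollar figures and control names are constructed for illustration. Point estimates like these are a deliberate simplification; the FAIR method the article cites works with calibrated ranges and simulation rather than single values.

```python
"""Minimal risk register: expected annual loss per risk, the effect of a
proposed control, and a mitigate/accept decision for leadership.

Assumptions (not from the article): single-loss expectancy (SLE, dollars
per occurrence) and annual rate of occurrence (ARO) per risk, with
annualized loss expectancy ALE = SLE * ARO. A control changes SLE and/or
ARO for an annual cost. All register data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    data_class: str          # classification of the affected data
    sle: float               # expected loss per occurrence, in dollars
    aro: float               # expected occurrences per year
    control: str             # proposed mitigation strategy
    control_cost: float      # annual cost of the control, in dollars
    residual_sle: float      # SLE once the control is in place
    residual_aro: float      # ARO once the control is in place

    @property
    def ale(self) -> float:
        """Expected annual loss with no additional control."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """Expected annual loss after the control is implemented."""
        return self.residual_sle * self.residual_aro

    @property
    def risk_reduction(self) -> float:
        return self.ale - self.residual_ale

    @property
    def rosi(self) -> float:
        """Return on security investment: (loss avoided - cost) / cost."""
        return (self.risk_reduction - self.control_cost) / self.control_cost

    def decision(self) -> str:
        # Accept the risk when the control costs more than the loss it
        # prevents; otherwise recommend the mitigation.
        return "mitigate" if self.risk_reduction > self.control_cost else "accept"


# Constructed sample register for a fictional campus; figures are illustrative.
REGISTER = [
    Risk("Phishing compromises a staff mailbox holding student records",
         "Restricted", sle=250_000, aro=2.0,
         control="Phishing-resistant MFA for all staff", control_cost=120_000,
         residual_sle=250_000, residual_aro=0.2),
    Risk("Misconfigured research file share exposed to the internet",
         "Internal", sle=40_000, aro=1.0,
         control="Quarterly external exposure scan and remediation",
         control_cost=15_000, residual_sle=40_000, residual_aro=0.25),
    Risk("Storm-related power loss takes the data center offline for a day",
         "Public", sle=30_000, aro=0.1,
         control="Second generator and fuel contract", control_cost=60_000,
         residual_sle=30_000, residual_aro=0.01),
]


def prioritize(register):
    """Rank risks by expected annual loss, highest first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def summarize(register):
    """Rows a non-technical audience can read: impact, likelihood,
    strategy, cost, residual risk, and the recommended decision."""
    return [{
        "risk": r.name,
        "data_class": r.data_class,
        "expected_annual_loss": round(r.ale),
        "strategy": r.control,
        "annual_cost": r.control_cost,
        "residual_annual_loss": round(r.residual_ale),
        "decision": r.decision(),
    } for r in prioritize(register)]


if __name__ == "__main__":
    for row in summarize(REGISTER):
        print(f"{row['decision']:8} ${row['expected_annual_loss']:>8,} -> "
              f"${row['residual_annual_loss']:>7,} ({row['strategy']}): {row['risk']}")
```

In the constructed register the phishing and file-share risks justify their controls (the first returns well over twice its cost in avoided loss), while the generator does not: the outage risk is already small, so accepting it and documenting the decision is the defensible choice. Presenting the table in dollars and decisions, rather than in control names and CVSS scores, is the point the article makes about speaking to leadership in business terms.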

The inability to manage risk, in higher education and across industry sectors, only creates more risk. Applying risk management to IT security begins with integrating data from disparate sources and simplifying data management. Let us show you how Axiom Elite can play a role in the management, control and monitoring of risk.