In a recent EDUCAUSE blog post, Nathan W. Fisk, Lecturer at Rensselaer Polytechnic Institute, discusses the challenge of creating a culture of security at higher education institutions. He stresses how building cybersecurity into the very fabric of campus culture is much different than issuing policy directives, policing the network, and telling users what they cannot do. By constructively supporting faculty, staff, and students, cybersecurity teams can change perceptions about cybersecurity and increase understanding. The importance of cybersecurity to all we do on campus becomes endemic and should not be seen as a threat to “the centuries-old cultures and traditions of academia.”
We can create an effective security culture by building partnerships and breaking down boundaries between our information security team and the campus community. By working closely with colleges, schools and units (CSUs), our Information Security Office (ISO) addresses immediate concerns and, if we assist, can better anticipate and prepare for future challenges. The goal is to establish a campus culture where there is a strong sense of shared responsibility and a deep, pervasive commitment to information security, which is why we should direct all information security matters (like “phishy” looking emails) to email@example.com.
Lessons learned from the corporate world suggest that open dialogue between users and an organization’s information security team encourages us to be the front line of defense, and enables the security team to learn how their efforts are perceived. Jennifer Lesser-Henley, director of security operations at Facebook, is highly regarded for the security culture she has helped create. Her key point is that when a safe space for dialogue about information security is created, community members are more empowered to protect themselves and their organization. For academia, which so highly values dialogue, we also want to instill in the campus community the collaboration and critical literacies necessary for building an academic culture of cybersecurity.
Our ISO is taking positive steps to foster the security culture. Communication is paramount. For example, when there are major incidents like the recent phishing attacks, these events become learning opportunities at all levels of the University. Security-related incident data is widely shared with campus leadership, the IT community and Principal Investigators. The ISO takes advantage of these opportunities as they occur to engage the entire campus community in order to build a more resilient defense. Moreover, proactive security assessments by the ISO open opportunities for greater CSU collaboration and engagement.
Some institutions of higher education are beginning to structure academic programs to require basic cybersecurity coursework for all students. This increase in cybersecurity education emphasizes a strong and growing relationship between faculty and cybersecurity teams. New Federal and state funding for cybersecurity education should help strengthen this collaboration. And even better, our ISO team teaches hands-on InfoSec courses in the Department of Computer Science.
While the ISO serves as the primary resource for cybersecurity, it takes the entire campus community to protect and defend against the increasing number of sophisticated and costly cybercrimes. Here at UT Austin, we all should foster an academic culture of cybersecurity.