Data security in higher education

September 30, 2019, by Ronny Jaskolski

[MUSIC PLAYING] Welcome to Ellucian’s Powering Achievement. I’m Jackie Yeaney, the Chief Marketing Officer here at Ellucian. And today I’m joined by Lee Congdon, our Chief Information Officer. Thank you for joining us, Lee.

Hi, Jackie. Good to see you.

So Lee, let’s start by having you tell us a little bit about your role here at Ellucian.

So I’m the Chief Information Officer at Ellucian. And fundamentally, it’s my job to figure out what business problems we have and how we can best solve them with technology. Now there’s a lot of detail behind that. We run networks, operating systems, servers, storage, applications, do projects, and so on. But in an ideal IT organization, I’m anticipating what the business is going to need and setting up solutions to solve those business problems in advance, or improve our existing business processes with technology.

Yeah. And really prioritize. I know it’s always an issue to prioritize all those different business needs.

Well, you never have enough resources, and so you need to be thinking– I like to think of it two different ways. In the short term, you need to think about, what is it that I need to get done right now? What’s an urgent need: mitigating a risk, lowering cost, improving a process, increasing revenue? You also need to be able to think about the long term, that 5%, 10%, 15% of things that you can’t necessarily solve this year, but you can’t let wait forever. And so finding the right balance is part of the art of the decision making and the partnering with your business partners.

Yep. Absolutely. So let’s switch gears
to cybersecurity, a very timely, relevant topic to all industries at this point. But maybe you could talk a little bit about why higher ed should be particularly thinking about and concerned with cybersecurity.

So it’s a dangerous world for all of us, and it’s getting more dangerous all the time. But studies show that higher ed is among the more risky institutions or groups of institutions in terms of attacks. I think there are reasons for that. Valuable data about students, valuable data containing intellectual property. They tend to be free and open environments where the exchange of information is highly valued, and so it’s not necessarily culturally permitted to clamp things down or to restrict things. And another challenge higher education organizations face is typically a distributed decision-making process that makes it difficult for one person to understand the risks of the organization and resolve them. So given the multitude of threats and given the vectors or avenues by which attackers can get to a higher education organization, I think it is a risky time for all of us, but in particular for higher ed.

When we were talking about industry best practices, I’ve heard you talk about heat maps before. Could you describe that to me?

Sure. It’s a simple model, but I think it’s actually a very good way to think about the problem. Think about a simple
it’s actually a very good way to think about the problem. Think about a simple
heat map where you look at the
likelihood of a problem occurring and the
impact that it might occur on the x and y-axis. And then plot the
various likelihoods and incidents or threats of
incidents on the heat map, and look at the things that
are in the red area, the things that are most likely
to occur, and will have a high impact if they occur. And that’s where you
should start your work. But don’t ignore the other
parts of the heat map. Look at the opportunities
to fix things that can be addressed simply,
or to get started on things that may take a long time. Then– and this is a
very important step– understand who the
business owner is or the financial decision maker
associated with that asset. And get them on board
with your prioritization and your recommendation. So partner with
them so you’re not sitting there by yourself as IT,
trying to handle these risks? Is that what you mean? That’s correct. It’s very difficult
for an IT organization or any organization to
single-handedly go across the enterprise and solve all the
problems for several reasons. First of all, you’re going
to need additional resources, and you can’t solve the
problems just with technology. In many cases, there’s an
even bigger people component than there is a
technology component. Darn people. Darn people. Right. [LAUGH] So you need to be thinking
about putting plans in place in partnership with
your business counterparts, and start to
educate their teams, start to modify their
business processes so that in fact, they’re thinking
about and owning the security challenge as well. Then if you do well, you get a
chance to do it all again on– It doesn’t end, does it? On a repetitive cycle. That’s exactly right. And it’s probably happening
faster and faster. I think it’s an accelerating
challenge right now. If you see some of
the impacts we’ve had for every computer chip
in the world effectively or attacks on mobile devices
or the pervasiveness now of concerted attackers looking
for money or information, I do think the bar goes up. And so you can’t do this
on a leisurely cycle. You have to keep doing
it faster and faster. Round and round. Exactly right. Exactly right. So let’s talk for a minute about
how Ellucian actually thinks about and handles security with our own customers, our institutions.

Sure. So it starts with our products. We think about from the beginning how we can build appropriate security capabilities into our products, and continuing to monitor those products as the world changes, where there are patches to apply, those sorts of things. We work with our customers to give them advice about how they might proceed from a security standpoint. When we do have an incident, we have a response team in place that goes through a disciplined process to understand what happened and how we might correct it. And we share that with our customers, work with them to make sure it’s fully remediated.

Great. Great. So tell me a little more about some of the best practices that you’ve seen out there. Maybe not just here at Ellucian, but I know you’ve had CIO positions several times before. Some of those best practices that some of the folks we’re talking to can take with them.

A fundamental best practice for information security is partnering with all aspects of the business rather than trying to do it centrally. You need standards. You need a common approach. You need to look at all of the risks facing the enterprise. But in my experience, those organizations that are most successful are those that partner with a business person to help understand their problems, their challenges, and merge the information security challenge into the overall business context. You know, it’s amazing when you all of a sudden understand that your reputation could be at risk or–

Your brand.

–or your brand. And it could cost money in terms of fines or other expenses when an information security event occurs that the businessperson might not have considered in their planning. And so I think building a strong partnership with the business is definitely best practice. Being systematic about it, ensuring that you are, in fact, looking across the enterprise and identifying all of the possible risks and scoring those appropriately. And then staying current on technology is important. Make sure you choose the right partners and the right tools as the threats evolve to ensure you’ve got the appropriate technology protections in place as well.

Yeah. That makes a lot of sense. So Lee, you were mentioning
laws and regulations. Could you give us a few examples of what specific laws and regulations–

Sure. There are a lot of acronyms, but you’ll hear HIPAA, which is health care information and how it must be protected. Of late, we talk a lot about GDPR, a series of European privacy regulations that we all need to think about. FERPA is important for higher education.

Very important.

And then PCI, or the Payment Card Industry standards. So some of these are laws, some are regulations, some of these are industry standards. But in each case, you’re obligated to comply, and there are a series of steps and likely penalties or severe penalties if you don’t comply with the law, the regulation, or the guideline from the industry.

Yeah. Better to get into the details with those.

And again, you need expertise. You need legal advice. You need people who have done it before. You need to rely on partners that know what it takes to, for example, do a PCI certification.

So Lee, I feel like we’ve gone through a lot of information in a short amount of time. If you could pick out the one thing that institutions should focus on when it comes to information and cybersecurity, what would that be?

It’s really a people challenge, and you need to have the right technology, but you need to put the right people in place. And in particular, pick the right partners. If you don’t have scale or you don’t have expertise, make sure you’re identifying those organizations and those partners that can help you solve the problem, that have done it before, and that have adequate scale and resources to be able to solve the problem.

So really, don’t go it alone is what I hear you saying.

Don’t go it alone. Make sure you’ve got the right team.

Fantastic. Well, thank you so much, Lee, for joining me here today.

Thanks, Jackie.

And thank you all for joining Ellucian’s Powering Achievement. [MUSIC PLAYING]