Improving cybersecurity practices from the classroom to the boardroom
How colleges and universities can engage and educate all campus stakeholders about infosec.
- Good cybersecurity governance isn’t just about technology—it’s about people and processes, too
- Everyone on campus, from students to board members, needs infosec training and education
- When engaging campus leadership, a focus on incident response is as important as prevention
Dave Swartz, Vice President and Chief Information Officer, American University
The first thing to know about cybersecurity is it's more than technology. It includes people and process. And this broader area of people and process we refer to as cybersecurity governance.
We really need to be looking at all aspects or dimensions of the challenge really, not just dealing with the technology but the challenge with people. One of our vulnerabilities today is the lack of awareness and knowledge of our people. So, we do focus a lot, not just on providing training to them, but we also provide an active learning environment where we actually simulate intrusions through pen tests and what we call blue and red teams.
But we also do active phishing. So, we actually phish our staff, faculty, and some students. And if they fall for the phish, then we get them directly into a training program that makes them less prone to that kind of social engineering.
We also are focused on issues of governance, which means we have to engage our leadership and our board and not just focus on prevention but incident response. So how do we respond to an incident? Can we do it properly and do it quickly? And that's almost as important as dealing with the prevention side.
Our board, like many boards, has a diversity of expertise. So, we had to raise the bar on their understanding. The way to do that is to approach it, not as a technical training exercise, but as one that engages them around the language of risk and the business value of your investment in cybersecurity.
We did it through case studies where we looked at problems other universities had and what we could learn from that experience. And we also engaged the board members in what they could share from their own experiences. The key thing, I think, is about engagement and keeping them abreast of our progress and where we are.