
Cybersecurity in Higher Education: 6 Expert-Backed Strategies from NYIT & UMHB
April 23rd, 2025
OculusIT recently hosted a cybersecurity-focused webinar featuring Pennie Turgeon, CIO and CISO at the New York Institute of Technology (NYIT), and Greg Brandenburg, CIO at the University of Mary Hardin-Baylor. The conversation offered valuable insights into how colleges and universities can build a proactive, scalable cybersecurity framework, moving beyond traditional compliance toward long-term institutional resilience.
The panelists shared their experiences navigating everything from evolving threats to increasing regulatory pressures, and how strategic investments in leadership, monitoring, and culture are making a difference on their campuses.
Here are six key takeaways from this in-depth discussion.
1. The Cybersecurity Conversation Must Extend Beyond IT
Pennie Turgeon opened the conversation by emphasizing that cybersecurity is no longer a siloed responsibility; it must be a campus-wide priority. Faculty, staff, and students all have a role to play, particularly as social engineering and phishing attacks become more personalized and persistent.
“We’ve been seeing an increase in credential harvesting and business email compromise,” Turgeon said. “Threat actors are now leveraging automation and AI to target specific individuals within our institution as well as our infrastructure.”
Building a strong cybersecurity posture starts with education and awareness. A technology solution alone cannot compensate for human vulnerabilities, making regular training essential.
2. Compliance Is the Baseline, Not the Goal
As institutions work to meet updated GLBA Safeguards Rule requirements, Greg Brandenburg noted that compliance is only part of the picture. The real goal should be meaningful security that protects institutional data, builds stakeholder trust, and supports operational continuity.
“What’s evolving too is regulatory compliance,” Brandenburg explained. “You’re dealing with federal requirements, state policies, and internal university systems, it’s kind of never-ending from that standpoint.”
Both panelists agreed that while regulations like GLBA provide valuable frameworks, institutions should use them as a springboard, not a finish line, for broader data governance and risk management strategies.
3. 24×7 SOC Monitoring Adds Critical Visibility
When asked how institutions can improve their cyber resilience without significantly expanding in-house staff, both Turgeon and Brandenburg pointed to the value of a 24×7 Security Operations Center (SOC). Real-time threat detection, response, and event correlation are no longer luxuries; they’re essential.
“Having around-the-clock monitoring gives us peace of mind and a level of visibility we didn’t have before,” Brandenburg said. “It’s not just about seeing what’s happening, it’s about responding fast enough to stop it.”
Turgeon emphasized that a managed SOC helps their team prioritize response and avoid alert fatigue, especially as the volume and complexity of cyber threats continue to increase.
4. vCISO Services Provide Strategic Oversight
For institutions that don’t have a full-time Chief Information Security Officer, a virtual CISO (vCISO) offers a flexible and cost-effective way to bring in senior-level cybersecurity expertise. Both NYIT and UMHB shared how their vCISO partnerships have elevated cybersecurity from an operational function to a strategic conversation.
“With a vCISO in place, we’ve shifted from reacting to events to planning ahead,” Turgeon shared. “It helps us communicate risk to leadership, make smarter investments, and ensure we’re aligned with our long-term goals.”
Brandenburg added that having a vCISO helps bridge the gap between technical recommendations and executive decision-making, ensuring security gets the visibility it deserves at the leadership level.
5. Frequent Testing Is Key to Risk Mitigation
Quarterly vulnerability assessments and annual penetration testing are critical tools in identifying and addressing weak spots before threat actors exploit them. The panelists emphasized that these tests are more than just compliance checks; they’re essential to continuous improvement.
“You don’t want to find out your weaknesses because of a breach,” Brandenburg said. “Testing helps us prioritize and proactively reduce risk.”
Turgeon agreed, noting that vulnerability data should inform everything from patching schedules to training focus areas, especially when targeting common entry points like phishing or misconfigured systems.
6. The Right Partners Make All the Difference
Both CIOs highlighted that working with strategic partners, especially in areas like SOC monitoring, vCISO services, and GLBA compliance, has helped them scale cybersecurity initiatives without overwhelming their internal teams.
“You don’t just need the right tools, you need the right people supporting those tools,” Turgeon said. “The right partner doesn’t just solve today’s problem, they help you stay ahead of tomorrow’s.”
For institutions with limited bandwidth, external expertise provides not just support, but confidence that cybersecurity efforts are aligned with evolving risks and requirements.
Conclusion
The webinar made it clear that higher education cybersecurity requires a proactive, campus-wide strategy, not just a reactive or compliance-driven approach. From continuous monitoring and vCISO support to employee awareness and regular testing, institutions must embed cybersecurity into their operational and strategic planning.
At OculusIT, we help colleges and universities achieve this through vCISO leadership, GLBA readiness assessments, 24×7 SOC services, and penetration testing, ensuring your security posture is strong, scalable, and sustainable.