Spotlight on Higher Ed Security with Brian Cornell, OculusIT’s Chief Information Security Officer
Feb 28, 2023
This month, we sat down with OculusIT’s Chief Information Security Officer, Brian Cornell, for a brief Q&A session to discuss the latest trends and challenges we’re seeing across higher education IT security. Brian has proudly served the higher education industry for more than 20 years, taking on campus security roles and working closely with industry partners to enhance institutional security posture. Below are the highlights from our conversation that we hope will spark ideas and internal conversations at your institution.
As a seasoned Chief Information Security Officer with more than two decades in higher education, what industry challenges do you foresee in 2023?
As 2023 moves forward, higher education institutions will continue to see an uptick in cyberthreats and malicious activity. Regardless of the institution’s size, higher ed will continue to face targeted and relentless attacks from cyber threats and malicious actors.
One of the biggest challenges in remaining proactive and secure against the increased cyber-attacks across higher ed is the lack of resources needed for security equipment, cyber-solutions, and staffing. We are seeing that vacant cybersecurity job postings remain unfilled and top talent is being lured away and recruited by other industries due to remote opportunities, higher wages, and more enticing benefits.
How are last year’s security challenges different from this year’s? What factors have led to this change?
Since colleges and universities process tuition and other financial transactions, they are deemed financial institutions by the government. As a result, higher education is experiencing an increase in pressure from laws, regulations, and cybersecurity insurance providers. This pressure and the changing regulations, such as the newest GLBA mandates, are increasing security requirements needed to achieve compliance and obtain much-needed insurance coverage. This shift has left many institutions feeling helpless and overwhelmed as many do not have the internal resources and cannot afford dedicated information security teams.
How does your role as a CISO play into identifying and addressing these challenges?
As a CISO, it is my responsibility to understand the current landscape, the abilities of the workforce, and the resources available to formulate and execute an effective cybersecurity strategy. Each higher ed institution is unique and comes with its own set of risks that must be assessed, analyzed, and mitigated. There is never a “one size fits all solution,” and a CISO must effectively identify, categorize, and communicate all risks facing an institution. The ability to prioritize these risks and then develop comprehensive strategies, plans, and solutions remains a primary role for any CISO.
A CISO must introduce solutions and mitigation strategies that are proactively comprehensive, to maximize the capabilities of limited resources on campus. Any solution or effort that is ad hoc or piecemeal will simply diminish security while straining the existing available resources.
What are the best security practices that every institution should adopt this year?
There are a multitude of tactics, projects, tools, and initiatives that higher ed can obtain to assist in maintaining a sound security posture. However, the most successful security practice begins with a security leader who can effectively develop security strategies, roadmaps, and plans. There will never be enough time to do everything that is needed to be done.
What do we do first? Where do we begin? What do I do next?
Having an information security leader who can formulate strategies and plans based upon the specific and unique risks facing an institution will be very effective in resource allocation and the proactive mitigation of threats.
What many smaller institutions don’t realize is that they do not necessarily have to have this leader on payroll. Virtual CISO services on a shared model can be quite powerful and give the institution access to tenured talent at a fraction of the price of a salaried employee.
How can Managed Security Services help higher education institutions deal with these emerging security concerns?
Managed Security Services can provide a variety of solutions and offerings that can supplement higher ed’s lack of resources and their growing challenges. A Managed Security Service Provider (MSSP) can leverage industry expertise and knowledge to efficiently assist any institution in acquiring adequate resources that work together in optimizing and maturing the security environment. A partnership with an experienced MSSP not only provides a service or product, but also serves as a valued and trusted extension of one’s team that is equally dedicated and committed to the institution’s mission.
For example, an institution that may not be able to afford a full-time Chief Information Security Officer can look towards an MSSP to acquire the same resource on a part-time engagement while avoiding the burden of full-time salary and associated benefits. Additionally, an MSSP that is deep with expertise and knowledge in a multitude of service offerings within the Higher Education realm provides additional team members and resources that can be leveraged and utilized in any given situation.
Furthermore, many institutions lack the resources to maintain a 24x7x365 Security Operations Center (SOC) to provide “real time” and “continuous monitoring” of their environment. Establishing an onsite SOC can be labor intensive and costly, while tying up internal resources that must continually adjust, modify, and tweak alerts, rules, and notifications. An MSSP SOC solution can free up onsite resources and it can provide all the capabilities needed and required to monitor, detect, and respond to security incidents, events, and anomalies.
If you’re interested in learning more about working with OculusIT for Managed Security Services, including Chief Information Security Officer services and Security Operations Center-as-a-Service, let us know.