Listen to Huron's information technology strategy podcast to learn more about the trends and challenges facing higher education information security.
In this podcast, Huron’s information technology (IT) experts discuss how to mature information security processes, what the main contributor to information security breaches is, and why focusing on the fundamentals is important for ensuring a strong information security management program.
Read the Full Transcript:
Chris Slatter: Hello and welcome to the Huron podcast series exploring information security and IT strategy. My name is Chris Slatter, and I am a manager in Huron’s higher education consulting practice. Today we are joined by Merritt Neale, a director at Huron specializing in IT operation assessments, strategy development and service improvement implementations for higher education institutions. Merritt leads numerous aspects of our IT operations assessments, including information security. Welcome Merritt, thanks for your time today.
Merritt Neale: Chris, it is great to be with you here today.
Chris Slatter: Merritt, you spend most of your time working with higher education institutions across the country. Can you tell me a little bit about what you are seeing and hearing in the industry as it relates to information security and its current state of maturity?
Merritt Neale: That is a great place to start. Our IT strategy practice has had a great bit of visibility into information security management practices over the past several years in small, medium and large colleges, universities, academic medical centers and research organizations. We have been fortunate to have that view into higher education. A couple of things come to mind. To state the obvious, we see tight IT budgets and numerous areas of reduction in IT spending. Information security has historically been at the top of chief information officers’ lists, but in practice, it makes up a very small percentage of overall IT spending. It also puts more pressure on IT security management staff to do more with less, and to be honest it is really an evolving operating environment.
For example, in higher education, we see information security units staffed at about two percent of the overall IT staff. Outside of higher education in other industries, we see an average of up to five percent or higher. Chris, I think many realities across higher education and other industries are that the technical threats are becoming more and more sophisticated on what appears to be a daily basis. At Huron, we monitor individual breaches through resources such as privacyrights.org, and continuously report these out as a component of our IT strategy assessments to our clients. I think that the reality is we also see many of our clients fall under what I affectionately call the M&M candy security model. M&Ms, Chris, of course, are hard on the outside but soft on the inside. Our clients have firewalls and other technology and security controls to safeguard and prevent intrusion, but we have other internal risks that are an equally significant challenge. Adoption of formal and regular user awareness programs is fairly inconsistent, and that is an internal soft target.
We are seeing some organizations adopting security management training capabilities through vendors such as the SANS Institute and their Securing the Human training program. Then we see other internal challenges, such as identity and access management. This is a really big problem across many of our clients, and where true role-based access control models are rare, most organizations struggle to manage user access consistently. For the most part, policies and procedures are rarely updated with any level of regularity, and they tend to be technically and functionally stale. We definitely see major gaps in policy frameworks, procedures, standards and guidelines across the board. We do not see the effective use of information security monitoring data. There is a big gap there – the controls are in place, the data intelligence is in place, but the eyeballs are not on the security data.
Overall, as part of our engagements, we will typically do a security maturity evaluation as part of our IT service maturity evaluation. Based on our findings, we typically find organizations at about a 1.5, on a scale of zero to five, from a maturity rating perspective, and that puts them at a solid basic level of maturity. We do see some clients swinging up to the low end of functional. Realistically, information security is specifically in this range of a lower level of maturity. Chris, there is certainly no shortage of security to-do items across today's higher education landscape, and we see a broad range of findings across our clients.
Chris Slatter: Thanks Merritt, that is interesting and speaks to the broad range of challenges your team sees across the complex technical and operational landscape within higher education. Given those points, how do organizations determine their own level of maturity with so many technical risks, cross-industry compliance requirements, distributed IT functions and other factors?
Merritt Neale: Chris, that is a great question, and that is something that we get from a lot of senior leadership across higher education. I am a big fan of information security self-assessments. That is something that we commonly recommend to clients that use a best practices framework or are interested in utilizing a best practices framework for assessing their security management program and maturity. I am a big fan of the International Organization for Standardization (ISO) standards, specifically the ISO/International Electrotechnical Commission (IEC) 27001 and 27002 standards. I have been using these since they were British standards, and Chris, we can thank your native countrymen for this major contribution to information security. The ISO/IEC standards are an appropriate tool to leverage and benchmark an organization against, particularly if they are lower on that maturity scale and they are serious about formalizing an information security management program with the supporting practices, standards and techniques.
There are a number of frameworks that we recommend to clients, as I have said; if you are looking for more of that baby step model, then the ISO/IEC standards are very appropriate. We are starting to see a lot of clients adopt the National Institute of Standards and Technology (NIST) cybersecurity framework. Arguably it is the holy grail for security management and benchmarking, and going forward, operational requirements and practices. It definitely has more granularity and complexity to it. Organizations that start with an ISO standard can easily graduate to some of these more mature frameworks such as an ISO or even Control Objectives for Information and Related Technologies (COBIT). Depending on the appetite and the direction of the board, they may want to appoint security risk management.
We also recommend to many clients that they engage a partner to assist in conducting a deeper dive into the technical, physical and administrative areas of information security management. There is a lot to be said for having another set of eyes and experiences available to help an organization examine their current state, and to help identify remediations that are appropriate for the organization that they may otherwise overlook.
I think the outputs of these assessments help kick start security management programs in terms of initiatives and priorities. Even the larger and more mature organizations should be conducting self-assessments or third-party assessments with a degree of regularity. We are definitely seeing more of these types of engagements taking off, particularly in specific areas of compliance such as the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), which obviously is very applicable to research organizations, and the Health Insurance Portability and Accountability Act (HIPAA) for academic medical centers.
Unfortunately, Chris, the one other observation we have is that these tend to be done in silos by departments that own each of these compliance areas, such as the college of medicine. They have an area of ownership, the finance organization may have ownership or the research organization, and we are not seeing that symbiotic and synergistic approach to managing security risks across the enterprise.
Chris Slatter: You mention the different departments involved, so there appears to be a wide variety of stakeholders involved in supporting and maintaining a security management program. How does leadership maintain institutional governance, and what are key questions leaders should be asking themselves and their owners of information security management?
Merritt Neale: That is a great question. Governance is one of the top areas that we are engaging in with senior leadership. Governance is at the top of their agenda, in terms of understanding what their next steps are. From a best practice perspective, we would typically have organizational leadership fully informed of information security risks and threats across the enterprise. In reality, this is rarely the case, and we find that organizations with formalized risk management practices tend to not place emphasis on information security as a part of this broader context of enterprise or institutional risk management. We frequently see some boards, in a university or college, presented with internal audit findings, some of which do include IT audit findings, if they are conducted at all. Even with organizations that have an IT audit function, most commonly the focus is on the central IT organization and not across the enterprise, which of course would include distributed IT functions at the college, research organization or medical center level, and in some cases physicians' practices or other areas of operations within the organization, so there is a broader range of applicability.
Leadership and governance mechanisms must take ownership of these key areas of information management. It may sound a little cliché, but information security never has been – and really should not be – just an IT problem. I think we are starting to see this shift in higher education, where broader sets of ownership of IT security management are being held.
Chris Slatter: Merritt, a couple of things there, you mentioned technical control monitoring and security awareness training for end users. What are the real implications and outcomes of these efforts, and why are they such a big deal?
Merritt Neale: This goes back to that M&M model that I mentioned before, Chris, hard on the outside and soft in the middle. As I mentioned, we have people inside of our networks, and they are soft targets. We very frequently hear of targeted spear phishing attacks all of the time. The creativity and pure genius of many of these attacks are pretty amazing. We recently had one president indicate that his institution had received an A scorecard based on a recent phishing exercise conducted by a third-party vendor. Chris, this is where an outside entity will simulate an attack within the organization. He enthusiastically presented us with a report which showed the findings from two separate attacks that they had run against the organization. The first attack had a fairly high success rate in terms of having users click on the link or go through certain exercises. The second one had a much lower success rate. The one thing that I found interesting on that second attack, conducted several months later, is that, based on the size of the organization it is relative, but 65 people got to the point that they would have downloaded a Trojan, or a rootkit, a virus, ransomware, you name it. They were in a position that they would have done so.
User training is such a big deal. If you are not conducting regular security awareness training with your users, you are at risk. Users are the number one contributor to information security breaches, period. We see many organizations only addressing user information security from the standpoint that it is done at onboarding. As I previously mentioned, external and internal controls such as firewalls, integrated intrusion detection/prevention systems, virtual local area networks (VLANs), data loss prevention (DLP), and really all of these other security controls are fairly ubiquitous across higher education. There is rarely a shortage of technical controls in an environment. But the other common finding that we have is that there is rarely a process in place to do real event correlation to reveal threat analysis. The data is building up in security controls, and that correlation is not occurring, so the value of that data is not being realized. You can only do so much in an automated response to an attack or an event within your organization, but realistically automated corrective action can only take you so far. At the end of the day, you do have to have eyeballs on that particular issue.
Chris, we have recommended and evaluated for a number of clients the options of utilizing alternative service delivery models for security and information security management. That would include third-party managed security service providers. These firms specialize in proactively managing and monitoring our clients' security environments and their posture. Quite frankly they can do a much better job than most of our clients can do.
Chris Slatter: Thanks, Merritt. It is apparent that there is quite a bit of work that many organizations need to do to bring themselves up to even a functional level of maturity. Where do you think is the most effective place to start pushing the envelope on maturing information security and security process improvement within an institution?
Merritt Neale: This is where the rubber hits the road, so to speak. I think first leadership needs to recognize and take action with the realities that higher education faces today. They are maintaining prime data for fraud. They maintain personally identifiable information such as social security numbers and dates of birth. They process credit cards. They maintain grateful patient donor systems, electronic medical record systems, and hundreds, and in many cases thousands of shadow systems with similar data. Chris, I think the real take away here is that leadership should ensure that enterprise risk management includes information security with a strong emphasis on the word enterprise. A key component in establishing a baseline of their current security environment and their maturity, if done correctly, should be that self-assessment or use of that third party that is going to help expose tangible risks and their opportunities for improvement. This does set the stage for establishing priorities and aligning goals and objectives with institution goals and objectives.
We tell our clients that their environments are only going to be as strong as their weakest link. These environments are growing and changing in complexity on a continuous basis. A strong information security management program is the most pragmatic and common-sense approach to truly understanding their security posture. Risk analysis and management must be done at the core and be at the core of every security management program. There are no whizzbang or shiny new security technologies that can build a security management program. Humans are pretty much always the weakest link, and most institutions of higher education need to focus on the fundamentals. Those are our primary takeaways Chris, and our recommendations to clients, to focus on those fundamentals. You have a lot of the technology in place now, let's manage it well.
Chris Slatter: It certainly looks like better enterprise risk management practices across the institution should be at the top of everyone's list. Thanks again to Merritt Neale for joining us today. We look forward to hearing more in later editions of our series discussing other dimensions of information security management, including research compliance, specific areas of information security management program best practices and practical implementation guidance. To hear more from Merritt Neale, follow us on Twitter @Huron and visit our website, huronconsultinggroup.com, to subscribe to our newsletters, see our upcoming events and learn even more about adopting cloud technology at your institution.