Creating a security-conscious culture is no easy feat for any organisation, but universities face unique hurdles. Adam Mikeal, the Chief Information Security Officer at Texas A&M University, offers a candid perspective on this challenge based on his experiences in higher education.
Mikeal outlines three critical elements for embedding a strong security culture: getting executive-level buy-in, ensuring security is everyone’s responsibility across the organisation, and fostering an environment where people feel safe voicing concerns without fear of consequences. While executive support is key, actually securing that backing can be an uphill battle for security teams.
No ad to show here.
“My executive leadership understands cybersecurity is critical and that we’re heavily targeted,” Mikeal says of Texas A&M’s stance. “But getting funding to match that spoken priority can be more challenging.” He admits there are many competing priorities vying for attention and resources at a large institution.
Universities grapple with distinct obstacles in promoting a security mindset. Researchers and faculty are laser-focused on their academic pursuits – whether that’s genetics, physics or 17th century literature studies. Implementing security measures can be viewed as roadblocks hampering their ability to quickly deploy systems and tools for their work. As Mikeal bluntly puts it, “For them, security is just a barrier. They have to deal with the technology so they can conduct research, but they’re not there to be software engineers.”
The spirit of open collaboration underpinning academia further complicates matters. The thousand-year tradition of freely sharing knowledge and transparency can seem at odds with modern security principles like zero trust policies. “I try to explain why we need to encrypt or secure data, and they’ll say, ‘I want to share it anyway, what does it matter?'” Mikeal says of some researchers’ reactions. Striking that balance between robust data integrity and preserving academic values is tricky.
Another focus for Mikeal’s team is extending the security mentality beyond the core cybersecurity group to the wider IT organisation on campus. “We’re like 5-7% of the IT professionals, so if we were the only ones doing security, we’d fail,” he explains. “The rest of the engineers, developers and sysadmins have to own security for their areas.”
Using analogies like “paved roads” to make security smoother, and incentivising good practices, are tactics Mikeal employs to change the cultural mindset. But it remains an ongoing challenge to shift the perception that “security is over there in that building” and make it an ingrained part of how IT operates.
In the resilience and disaster recovery realm, the cloud enables Texas A&M to be better prepared for disruptive events by dispersing risk across multiple data centres. “We need systems that can handle payroll, student management and so on,” says Mikeal. “I try to shift those to the cloud where possible, so we can be more resilient.”
Resilience has rapidly risen up the agenda for CISOs globally in the past year, reflecting changing attitudes. As one CISO told Mikeal, “It’s a guarantee there will be some kind of event. What defines you is how you respond to it.”
Rather than seeking impenetrable prevention, the modern CISO accepts breaches are inevitable and prioritises rapid recovery capabilities. Mikeal endorses this outlook: “Something will happen – I just want to recover from it quickly.”
To prepare, some organisations now run “real-world” simulations based on low-risk incidents. “They’ll treat a P3 issue as high-risk, so they can rehearse their full incident response plan,” reveals Danielle Ruderman, Sr. Manager, AWS Worldwide Security Specialists. “It’s brilliant – a dry run for when a major event happens.”
On the compliance front, higher education faces a broad range of regulatory requirements due to the diverse nature of data handled. “We have data governed by every law you can imagine – HIPAA, FERPA, GLBA, Sarbanes-Oxley,” says Mikeal. “My team has to understand all of them.”
However, he cautions against equating compliance with robust security. “Compliance is not equal to security,” Mikeal states as one of his core principles. “If I focus just on compliance, I could be missing 20-30% of what I want for security. And vice versa.”
While championing a strong security culture remains an uphill battle for CISOs in higher education, Mikeal’s experiences highlight pragmatic strategies to drive change. From securing executive backing to evolving resilience mindsets and balancing compliance duties with risk-based security priorities, it’s an ongoing effort to embed cybersecurity into the fabric of how universities operate.
Read next: Cloud security myths that could be holding your small business back
