Are you Ready for the Golden Shovel?
Source: Educause Presentation
Security Architects Partners attended the May 2015 Educause Security Professionals Conference, where CISOs from three major universities described lessons learned in the wake of their recent breaches or incidents. Although these lessons and their implications are couched in the higher education environment, they are universally relevant to security thinking.
Let’s take things in order: First the breach or near-miss incident awakens executives (Provosts, Presidents and Boards of Directors), then the “golden shovel” disgorges unexpected funds. At the Educause panel about 40% of respondents answering an audience poll said they’d experienced the shovel. Why so many?
Juicy Higher Ed Targets and Systemic Vulnerabilities Breed Breaches
Security pressure has increased greatly on higher ed institutions and especially on large universities because of:
- Risk inflation: All colleges hold troves of student personally identifiable information (PII) and may operate regulated credit card processing and student health care services as well. Large state universities even operate hospitals and perform FISMA- or ITAR-controlled Federal research. At the same time, IT availability has become mission critical to operating the classroom and to revenue-producing functions like registration.
- Vulnerable environments: Institutions tend to be highly decentralized with many “cooks in the kitchen” including inexpensive student labor. Faculty members insist on high levels of IT privilege and openness in the name of academic freedom. One university we consulted with had no centralized firewalls for over 50 colleges operating their own often ad hoc perimeter security.
- Growing threats attracted by juicy PII and research targets: Confidential personal and academic data is of great interest to cheaters, malcontents and criminals. Worse, Stanford University and others have stated publicly they suspect nation state involvement in attacks against them.
By its nature, the golden shovel moment triggers a highly reactive remediation exercise. Often, the security department finds itself in the proverbial position of closing the barn door after the horse has escaped. Executive sponsors want fast and visible results. Security staff must move quickly, decisively and effectively before the funding is spent, re-allocated or withdrawn. Are you ready?
At the Educause conference, Brown University CISO David Sherry moderated a panel where CISOs Michael Duff, Gerry Sneeringer and Joshua Beeman (from Stanford University, the University of Maryland and the University of Pennsylvania respectively) shared lessons learned from their “golden moment.” I’ve quoted or paraphrased from the presentation, trying as much as possible to keep the following in the speakers’ own words.
- Getting community buy-in is crucial even if you already have a mandate. Everyone is for security, but your colleagues are not always happy about losing funds when security is getting funds. Other groups may be resentful.
- Be good stewards of the golden shovel funding. Provide leadership through an inclusive approach with University IT, CIO councils and faculty committees. Relationships are key, so work in partnership with other groups. Share the wealth when it makes sense to build a security capability on top of (non-security specific) IT infrastructure, such as service ticketing.
- Incidents may expose technical debt from years of excessive decentralization and other IT dysfunctions. Everything else that you are supposed to do – the day-to-day operations, incident management and meetings – doesn’t go away. It’s very easy to spread your talent too thinly, and experience “project thrashing” between too many inter-dependent activities. You quickly find out what doesn’t scale when you go “campus wide.”
- Quick results are expected, and getting them is hard work. Don’t let perfect be the enemy of the good. Get Stuff Done.
- Also think long term (governance, charter, a seat at the table with executive IT and business management in the future).
- Don’t let artificial deadlines become commitments on your President’s performance review, and understand you can play the “emergency” card only so many times when dealing with state procurement recommendations. Someday you’ll be asking for money again. It is helpful to have peer organizations’ staffing and spending benchmarks to help justify new funding requests.
The speakers also described some of the things that they accomplished or attempted using their funding bonanza. For example, the Stanford University CISO was able to roll out two-factor authentication across the entire environment by October 2013; the breach had only been announced in July. Security Architects Partners considers this a great use of the golden shovel for a quick win. Two-factor authentication is a good example of something that requires significant investment, can be deployed fairly quickly in some form factors, and is easy to justify as a strong preventive control.
Organizations with relatively low levels of security maturity go through the following cycles: IT and business as usual, incidents or breaches, panic at the top, crash security improvement programs and a gradual return of complacency. Don’t wait for the breach to take action to improve your security program, but recognize that part of the program should always be ready to capitalize on the next “opportunity” phase in the cycle.
Have your plan ready with a three-pronged approach to put the golden shovel to good use, as suggested in the lessons learned: 1) deploy some tangible solutions quickly to provide real risk reduction, 2) build to last by allocating significant funding and mindshare to longer term maturity-raising governance and infrastructure projects, and 3) hedge your bets by enhancing your fundraising capability for a sustainable security budget.