Perhaps you have gotten a letter recently from your institution’s insurance provider informing you that you need to demonstrate that you have specific security controls in place before the cyber liability insurance coverage will be renewed. At the same time, you are concerned about losing Title IV funding if you don’t incorporate the FTC’s changes to the GLBA Safeguards Rule by June 9, 2023.
These are just some of the outside pressures that CIOs and CISOs are facing today. Higher Education has long had the privilege of running under the radar of regulators compared to many other industries. Security, compliance, and privacy are important, to be sure, but to date many institutions have been able to get by making a “best effort” on their compliance checklists. That is changing. Many of those tasked with managing security and privacy risks in higher education are wondering how to address all the newfound attention on their compliance programs.
You may be thinking that this is a technology or compliance problem to solve, and in part it is, but what you may not realize is that there is a culture gap that needs to be addressed. Higher Education institutions are focused on their core business of research, instruction, and community impact, not on security and privacy. You may often hear at your institution, “security and privacy are concerns for the IT department and the office of general counsel, not me.” In order to tackle security and privacy objectives in a sustainable way, that narrative must change. Faculty, staff, and students need to see security and privacy as their concern and not only one for IT experts. Investing in a culture of security and privacy at your institution will greatly improve your ability to address security and privacy challenges.
PHS MODEL OF CHANGE
Changing a culture is hard work and can be an overwhelming prospect at your institution. You may have a great roadmap, plan, and budget, yet your initiatives may stall or fail. The greatest obstacle to success is often people and their resistance to change. However, there are some investments in culture change that are worthwhile and lead to successful adoption of your security and privacy initiatives. David Rock of the NeuroLeadership Institute suggests that there are three areas on which you should focus to successfully foster cultural change. Rock’s “PHS model of change” emphasizes priorities, habits, and systems (Rock 2019). In other words, to do the hard but valuable work of culture change you need to get your leaders and champions on board, promote new habits, and infuse security and privacy into the system.
Have you ever tried implementing a change without leadership support or stakeholder buy-in? It is a non-starter if you go at it alone. Infusing security and privacy into your culture requires it to become a priority for the institution. You will need to start by getting the support of key leaders, because leaders set the priorities and communicate them to the organization. But you also will want to identify key stakeholders and champions: the people on campus whose influence is not necessarily derived from their title or formal position. These are campus influencers, the people who will bring others on board with your security or privacy initiative.
P – PRIORITIES
First, you must get your management, campus governance groups, and similar bodies to see the importance of what needs to be done so they can clear the runway for you and make what you are asking for a priority for the institution. Consider how your initiative may affect what is important to leadership, such as net tuition revenue or institutional reputation, and add that to your rationale for support. If you are asking for a change to business processes and security controls but can’t demonstrate the business value and impact, you have a greater likelihood of walking out of the room empty-handed. Second, once you have management and governance support, you will want to bring your champions on board. These are the people on your campus who have real influence, such as IT liaisons, directors, and administrative assistants. Hopefully you have already forged a good relationship with these folks; if you haven’t, it is time to get started, because this won’t be the last time you will need their partnership. Your champions are your network of people across the campus who can help you make the changes you need. This is especially valuable when you are trying to change people’s behavior and adapt systems to support security and privacy, which we discuss later in the article.
H – HABITS
The second area of the PHS model of change requires a change of habit for all those involved. Leadership has communicated that security and privacy are a priority and that everyone must do their part to make improvements. They have cleared the runway and the mission is clear, but now you must land the plane. How do you get thousands or tens of thousands of people to change their behavior? The Heath brothers, in their best-selling book “Switch,” say there are two things necessary for a habit to be formed (Heath 2010). First, the habit needs to advance the priority; second, it needs to be relatively easy. The Heath brothers illustrate this with someone who wants to exercise more. There is a difference between saying, “I plan to go to the gym tomorrow,” and laying out your gym clothes the night before. The first is a restatement of the priority; the second is a small step that advances the priority and is also easy. Choosing to lay out your clothes the night before means you are one step closer to hitting the gym.
Consider the problem of phishing and people clicking on malicious links in their email. Instead of telling your faculty, staff, and students, “Do not click on suspicious links” or “Do not share your password,” give them a quick checklist to apply while reading email.
When you receive an email with a link:
- Pause and do not click (introducing time allows the brain to catch up).
- Ask yourself if you were expecting this email from this person.
- If it is unexpected, verify with the sender through a channel you already trust (phone, text, or chat), not by replying to the email or using contact details it contains.
Checklists are one strategy that the Heath brothers recommend as a way to develop a habit. This one also meets the criteria we established: it advances the priority, and it is relatively easy. By encouraging behaviors like this at your institution you are reinforcing good habits and building a sustainable security and privacy culture.
S – SYSTEMS
Finally, to reinforce the changing of habits, the PHS model of change suggests that you should design systems and processes to support the new culture. There is a whole area of study around behavioral change support systems (BCSS), which aim to influence the behavior of end users who interact with a tool or system. You don’t need to be an expert in BCSS to use systems and processes to support your culture of security and privacy. There are small tweaks and changes you can make to existing systems at your institution that will reinforce this shift in culture. Some good places to start are your institution’s change management, project management, and procurement processes. These three areas have broad impact across the university and are great places to infuse security into the system at the front end. One example is adding a security/privacy review step to your existing change management and project management processes. Before an IT change is approved, there should be a review to make sure the change includes the relevant controls and meets the compliance requirements of the institution. Similarly, project plans should be vetted before project execution, with security and privacy included in the plan rather than added as an afterthought. In the procurement process, include a security and privacy checklist to be reviewed prior to purchase, or introduce your procurement team to the Higher Education Community Vendor Assessment Toolkit (HECVAT) (Educause 2021). Building security and privacy into the system reminds people of the priority and reinforces good security and privacy habits.
LAYING THE GROUNDWORK
At this point you may be thinking, “What about my cyber liability insurance requirements and the new FTC Safeguards Rule? How does this help?” The fact is that the hardest part is done. By now you have engaged campus leadership and stakeholders and effectively communicated the importance and priority of security and privacy at your institution. You have engaged your champions and prepared them to be part of your team of influence. Faculty, staff, and students are seeing the benefits of making small changes to their habits that benefit them and support security and privacy. Finally, you are infusing systems and processes with security and privacy requirements that support the culture change needed at your institution. As you can see, the investment you continue to make in a culture of security and privacy has laid the groundwork for addressing your most pressing security and privacy challenges, both now and in the future.
Educause. 2021. Higher Education Community Vendor Assessment Toolkit. December 17. https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit.
Heath, Chip, and Dan Heath. 2010. Switch: How to Change Things When Change Is Hard. New York: Penguin Random House LLC.
Rock, David. 2019. “The Fastest Way to Change a Culture.” Forbes. May 24. https://www.forbes.com/sites/davidrock/2019/05/24/fastest-way-to-change-culture/?sh=3cbd5b223d50.
Adam Vedra is the Chief Information Security Officer and Senior Consultant at Moran Technology Consulting. Vedra’s area of expertise is cybersecurity – governance, risk, and compliance in higher education. He has over 20 years of practical hands-on experience leading IT infrastructure and cybersecurity initiatives in higher education, including developing security strategies, processes, policies, and programs.