Goldilocks Had a Point

By Donald J. Welch, Ph.D., Interim VP and Chief Information Officer, Penn State University

Most of us in cybersecurity see a vulnerability and want to close it immediately. We can come up with a reason and catalog the many bad things that will befall the individual, their department and the university if the vulnerability isn't mitigated at once. From our perspective the risks are unacceptable, so mitigating the vulnerability is the right course of action.

Sometimes these mitigations are intrusive, cumbersome or expensive. They impose a cost on our mission. Our user population has built their careers on learning and problem solving. They make their own cost/benefit analysis, and when they don't see the value, they question the security team's judgement. In some cases they apply those problem-solving skills to circumvent the control. At times the workaround is worse than the original vulnerability.

Higher ed values openness and sharing. Our faculty look to information technology to help them collaborate more easily, especially with those outside their institution. Their default mode is to share rather than protect. This is still true even though more and more academics understand that intellectual property theft is happening and the harm that theft causes. Destruction of information through ransomware is also more common, and universities are not immune. As with most human endeavors, we must strike the right balance.

Life is not without risks, and cybersecurity is no exception. The challenge for the security team is to balance risk with enablement. Finding the right balance in anything is difficult, but that is what CISOs are paid to do. If you err on the side of controls that are too tight, one of two bad outcomes ensues: users either work around the controls, or they are less effective as researchers and teachers than they should be. When people circumvent your controls, they are choosing which controls will not be effective, and they might work around the one that underpins your entire security strategy. If your institution is really good at enforcing controls that are too restrictive, then teaching and research will suffer. Of course, if you pick controls that are too loose, we know all too well what can happen.

What we must do is understand the value a security control brings and its true cost. The value must be considered in the context of all the other controls in your plan and the type of information it is protecting. The cost calculation must include the annoyance factor. The amount that a control gets in the way of a person trying to do their work is cumulative: each individual has an annoyance threshold, and once you pass it the impact can be large, somewhat like the proverbial straw that broke the camel's back. One control too many and the perception of your program drops while compliance with it falls.

We can't just look for and compensate for vulnerabilities. We have to take the measure of all our controls, think strategically about the risk and make the choice that is not too much, not too little, but just right.
