Goldilocks Had a Point

By Donald J. Welch, Ph.D. Interim VP and Chief Information Officer, PennState University


Most of us in cybersecurity see a vulnerability and want to close it immediately.  We can come up with a reason and catalog the many bad things that will befall the individual, their department and the university if this vulnerability isn’t mitigated immediately.  From our perspective the risks are unacceptable.  Mitigating the vulnerability is the right course of action.

Sometimes these mitigations are intrusive, cumbersome or expensive.  They impose a cost on our mission.  Our user population has built their careers by learning and problem solving.  They make their own cost/benefit analysis and when they don’t see the value, they question the security team’s judgement. In some cases, they apply those problem-solving skills to circumvent the control. At times, the workaround is worse than the original vulnerability.

Higher ed values openness and sharing. Our faculty look to information technology to help them collaborate more easily, especially with those outside of their institution.  Their default mode is to share rather than protect.  This is still true even though more and more academics understand that intellectual property theft is happening and the harm that theft causes.  Destruction of information through ransomware is also more common and universities are not immune.  As with most human endeavors, we must strike the right balance.


Life is not without risks and cybersecurity is no exception. The challenge for the security team is to balance risk with enablement. Finding the right balance with anything is difficult, but that is what CISOs get paid to do. If you err with security controls that are too tight, one of two bad outcomes ensues. Users either work around the controls or they aren’t as effective researchers and teachers as they should be. When people are circumventing your controls, they are choosing which controls will not be effective. They might work around one that underpins your entire security strategy. If your institution is really good at enforcing controls that are too restrictive, then teaching and research will suffer. Of course, if you pick controls that are too loose, we know all too well what can happen.

What we must do is understand the value a security control brings and the true costs of the control. The value must be considered in the context of all the other controls in your plan and the type of information it is protecting. The cost calculation must include the annoyance factor. The amount that a control gets in the way of a person trying to do their work is cumulative. Each individual has an annoyance threshold, and when you pass that threshold the impact can be large, somewhat like the proverbial straw that broke the camel’s back. One too many controls and the perception of your program drops while compliance with your program falls.

We can’t just look for and compensate for vulnerabilities.  We have to take the measure of all our controls, think strategically about the risk and make the choice that is not too much, not too little, but just right.
