Donald J. Welch, Ph.D. Interim VP and Chief Information Officer, Penn State University
Most of us in cybersecurity see a vulnerability and want to close it immediately. We can come up with a reason and catalog the many bad things that will befall the individual, their department and the university if this vulnerability isn’t mitigated immediately. From our perspective the risks are unacceptable. Mitigating the vulnerability is the right course of action.
Sometimes these mitigations are intrusive, cumbersome or expensive. They impose a cost on our mission. Our user population has built their careers by learning and problem solving. They make their own cost/benefit analysis and when they don’t see the value, they question the security team’s judgement. In some cases, they apply those problem-solving skills to circumvent the control. At times, the workaround is worse than the original vulnerability.
Higher ed values openness and sharing. Our faculty look to information technology to help them collaborate more easily, especially with those outside of their institution. Their default mode is to share rather than protect. This is still true even though more and more academics understand that intellectual property theft is happening and the harm that theft causes. Destruction of information through ransomware is also more common and universities are not immune. As with most human endeavors, we must strike the right balance.
Life is not without risks and cybersecurity is no exception. The challenge for the security team is to balance risk with enablement. Finding the right balance with anything is difficult, but that is what CISOs get paid to do. If you err with security controls that are too tight, one of two bad outcomes ensues. Your users either work around the controls or they aren’t as effective researchers and teachers as they should be. When people are circumventing your controls, they are choosing which controls will not be effective. They might work around one that underpins your entire security strategy. If your institution is really good at enforcing controls that are too restrictive, then teaching and research will suffer. Of course, if you pick controls that are too loose, we know all too well what can happen.
What we must do is understand the value a security control brings and the true costs of the control. The value must be considered in the context of all the other controls in your plan and the type of information it is protecting. The cost calculation must include the annoyance factor. The amount that a control gets in the way of a person trying to do their work is cumulative. Each individual has an annoyance threshold, and when you pass that threshold the impact can be large, somewhat like the proverbial straw that broke the camel’s back. One too many controls and the perception of your program drops while compliance with your program falls.
We can’t just look for and compensate for vulnerabilities. We have to take the measure of all our controls, think strategically about the risk and make the choice that is not too much, not too little, but just right.