Goldilocks Had a Point

Donald J. Welch, Ph.D., Interim VP and Chief Information Officer, Penn State University


Most of us in cybersecurity see a vulnerability and want to close it immediately.  We can come up with a reason and catalog the many bad things that will befall the individual, their department and the university if this vulnerability isn’t mitigated immediately.  From our perspective the risks are unacceptable.  Mitigating the vulnerability is the right course of action.

Sometimes these mitigations are intrusive, cumbersome or expensive.  They impose a cost on our mission.  Our user population has built their careers by learning and problem solving.  They make their own cost/benefit analysis and when they don’t see the value, they question the security team’s judgement. In some cases, they apply those problem-solving skills to circumvent the control. At times, the workaround is worse than the original vulnerability.

Higher ed values openness and sharing. Our faculty look to information technology to help them collaborate more easily, especially with those outside of their institution.  Their default mode is to share rather than protect.  This is still true even though more and more academics understand that intellectual property theft is happening and the harm it causes.  Destruction of information through ransomware is also more common, and universities are not immune.  As with most human endeavors, we must strike the right balance.


Life is not without risks, and cybersecurity is no exception. The challenge for the security team is to balance risk with enablement.  Finding the right balance with anything is difficult, but that is what CISOs get paid to do.  If you err with security controls that are too tight, one of two bad outcomes ensues: users either work around the controls, or they are not as effective researchers and teachers as they should be.  When people are circumventing your controls, they are choosing which controls will not be effective.  They might work around one that underpins your entire security strategy.  If your institution is really good at enforcing controls that are too restrictive, then teaching and research will suffer.  Of course, if you pick controls that are too loose, we know all too well what can happen.

What we must do is understand the value a security control brings and the true cost of the control.  The value must be considered in the context of all the other controls in your plan and the type of information it is protecting.  The cost calculation must include the annoyance factor.  The amount that a control gets in the way of a person trying to do their work is cumulative. Each individual has an annoyance threshold, and when you pass that threshold the impact can be large, somewhat like the proverbial straw that broke the camel’s back.  One too many controls and the perception of your program drops while compliance with your program falls.

We can’t just look for and compensate for vulnerabilities.  We have to take the measure of all our controls, think strategically about the risk and make the choice that is not too much, not too little, but just right.
