When I started my role at the University I had prior experience in the private sector as well as K-12 but was brand new to higher education. It was a bit of trial by fire for me.
As I started to learn the intricacies of practicing information security in a higher education setting I found one resource invaluable in helping me succeed—Peers. Like-minded Information Security professionals with higher education focus.
The local higher education CISO's had started a group that met periodically and shares information, insight and ideas. I was fortunate to be able to join the group and immediately benefit. Institutions, small or large, face many of the same issues. Having a sounding board to pitch ideas or, in many instances, having a peer that already uses a solution or service really helps.
I haven't experienced this level of peer support in other industries and it''s refreshing. In my latest search of new talent at my University, other peers reached out and suggested candidates. It really augmented the typical type of search. In our last CISO gathering we actually discussed this sharing perspective. The general thought was that by maintaining a strong ecosystem of highly qualified security talent, we all will benefit. It also allows for greater upward mobility in your staff's career path and encourages folks to remain in higher education and continue to see higher education as a viable career option.
"As I started to learn the intricacies of practicing information security in a higher education setting I found one resource invaluable in helping me succeed—Peers. Like-minded Information Security professionals with higher education focus"
I realize that this group might be the antithesis of the stereotype of the tight lipped security practitioner but I really think other IT security organizations should consider a similar collegial approach. I guarantee that you will find more ground that is common than not.
Based on my experience this is an area in K-12 and other market verticals that is ripe for change and innovation. I previously worked for one of the largest school districts in the USA and still struggled to create and maintain those peer relationships. In some areas information is still treated as a secret commodity, not to be shared. Another perceived barrier may be lack of time, staff, or permission to participate.
I get some possible arguments. "I can't share sensitive information" or "I am not sure our management would approve", etc. It can be done. With or without specifics. Even being able to share your ideas on the future of authentication, without giving away your specific posture, is helpful.
So how do you create this ?
Start small. Really small if necessary. Connect.
Educause and ISAC's are great for information but are huge organizations with many members. While I belong to both and really do see the benefits of both, I don't think it's reasonable to believe that I could make an immediate connection with every member of the groups.
In my example it's a loose group of the regional higher education CISO's built up over time. Try introducing yourself and reaching out to a local peer. Grab lunch once a quarter or if proximity is an issue use Zoom or similar to bridge the distance. Sponsor a lunch on a specific security topic. Or maybe just start an old school mailing list. Maybe step outside of your comfort zone and research and present at an Information Security conference. Lastly, joining a local governing body or board is a great step towards enhanced networking.
In summary, thanks to those peers that have created and supported the sharing environment. I hope I can help further this concept in the future.