Cybersecurity Metrics to Help Drive Strategy

Don Welch, CISO, Penn State University


Cybersecurity in education is difficult. Especially in research universities, we face the same threats that most other industries face. Nation states try to steal our intellectual property. Criminals go after our money. We are basically small (or not so small) cities processing information that is governed by almost every regulatory regime there is, including some international compliance edicts. Educational institutions have a lot to deal with in cybersecurity.

We must confront these challenges in a unique environment. Universities have an environment of innovation, experimentation and autonomy. Shared governance has ensured the primacy of the education and research missions but slows institutional decision-making. Decentralization has served this mission well, but it has resulted in a large attack surface, a lot of technical debt, conflicting priorities and misaligned cybersecurity programs. We employ cybersecurity strategies to balance the preservation of all that makes higher ed successful with protecting the information of our community members and the institution.

Strategy is the critical first step. Through the development of a strategy we understand the threats we face and the constraints within which we must operate. We develop long-term strategic goals. We prioritize our resources. We establish a framework for cybersecurity decisions throughout the institution so that cybersecurity efforts can be better aligned across the institution. Executing the strategy, especially in a decentralized environment, is hard, but without good execution the strategy is doomed.

In most decentralized educational institutions, the IT teams report to their college or campus leadership and not to the CIO. Most academic leaders are not experts in every facet of their unit's operations. They want to manage the cybersecurity risk so that their college or campus is adequately protected, but they don't want to overinvest in cybersecurity. They must prioritize resources and effort to ensure success. They need actionable information so that they can weigh risk and lead their unit.


At Penn State we have developed a security dashboard with key security metrics that is designed to be used by our university leadership. IT leaders have access to the dashboard too, but it is designed for the non-technical leader. The dashboard's purpose is to provide actionable information, so a leader can understand how well her unit is securing its information and prioritize effort appropriately. As the CISO, I think that cybersecurity should be everyone's highest priority. You may be surprised to hear that not every leader feels the way I do. Each unit is different, with different capabilities and needs. This is why decentralized IT is so common. The senior leaders with unit IT reporting to them need the knowledge to give the right guidance. The university's leadership must set the priorities and make the trade-offs to succeed.

My office determines what our priorities are and collects metrics for all our units. Currently, our dashboard gives an overall score, the status of their high-risk information, information about vulnerabilities in their network, account compromises, machine compromises, and the results of our latest self-phishing exercise. Along with the raw data, we also normalize for size. We have very small units as well as very large ones, and we strive to provide a reasonable comparison so a leader knows how well their security posture compares across the University. The dashboard compares the unit's metrics against our standards (where appropriate) and, more importantly, against other units. Leaders get a quick overview of how they are doing in all areas and how they compare to the rest of the units in the university. They can drill down to specific areas. For example, in the vulnerabilities dashboard they see how many vulnerabilities are currently not mitigated in their network, the average time to mitigate, and the standard. They also see how they compare to all the other units with respect to vulnerabilities.
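As an added illustration (not the Penn State dashboard's own code), here is the normalization and benchmarking described above in Python: raw open-vulnerability counts are normalized per 100 hosts, average time to mitigate is compared against a standard, and each unit is ranked against the others. The field names, the 30-day standard and the sample units are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from statistics import mean, median

STANDARD_DAYS = 30  # assumed remediation standard (days); not Penn State's real figure

@dataclass
class Unit:
    """One college or campus as the dashboard sees it (field names are assumed)."""
    name: str
    hosts: int                    # unit size used to normalize raw counts
    open_vulns: int               # findings currently unmitigated on its network
    mitigation_days: list = field(default_factory=list)  # days-to-mitigate for closed findings

def unit_metrics(u):
    """Raw count, size-normalized count and time-to-mitigate for one unit."""
    avg = round(mean(u.mitigation_days), 1) if u.mitigation_days else None
    return {
        "unit": u.name,
        "open_vulns": u.open_vulns,
        "open_per_100_hosts": round(100.0 * u.open_vulns / u.hosts, 1),
        "avg_days_to_mitigate": avg,
        # None means no closed findings yet, so no verdict against the standard
        "meets_standard": None if avg is None else avg <= STANDARD_DAYS,
    }

def benchmark(units):
    """Rank units by normalized open vulnerabilities, best (lowest) first.

    'percentile' is the share of units doing no better than this one, so a
    leader can read it as 'we are ahead of or level with N% of the university'.
    """
    rows = sorted((unit_metrics(u) for u in units), key=lambda r: r["open_per_100_hosts"])
    n = len(rows)
    for i, r in enumerate(rows):
        r["rank"] = i + 1
        r["percentile"] = round(100.0 * (n - i) / n)
    return rows

def university_median(rows):
    """University-wide median density, the reference line shown next to each unit."""
    return median(r["open_per_100_hosts"] for r in rows)

# Constructed sample units, not real data.
SAMPLE_UNITS = [
    Unit("Engineering", hosts=2000, open_vulns=120, mitigation_days=[10, 20, 45, 25]),
    Unit("Arts", hosts=400, open_vulns=60, mitigation_days=[40, 50, 35]),
    Unit("Law", hosts=250, open_vulns=5, mitigation_days=[12, 8]),
    Unit("Medicine", hosts=1500, open_vulns=150),
]

if __name__ == "__main__":
    for r in benchmark(SAMPLE_UNITS):
        print(r)
```

Note that the smallest unit by raw count (Law) and the largest (Medicine) only become comparable once counts are divided by host count, which is the point of normalizing for size.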

Providing these metrics in a dashboard that is updated daily arms university leaders to ask questions. By benchmarking against the rest of the university, those leaders can better understand the amount of risk they are tolerating. They can better lead their units by prioritizing the efforts of their IT teams.

Cybersecurity in education is hard: we face the same threats that industries like finance and the defense industrial base do, except we face them with a culture that prizes openness, privacy and agility, as well as decentralized operations. Creating a strategy that meets these threats within the constraints of our institution is a critical foundation. As the saying goes, "a mediocre plan well executed beats a great plan poorly executed every time." Executing a cybersecurity strategy in a complex decentralized institution requires the support of all the university leaders. Higher ed leaders understand that cybersecurity is important and want to protect the institution. To do so they have to know how their unit is doing and whether or not their performance is appropriate. A dashboard that benchmarks their performance against the rest of the university gives them that knowledge.
