Trusting Remote Work Security in Higher Education
When a security leader creates a security program, conventional wisdom says that they should align that program to the institution’s mission. That the purpose of security is to “enable the business” — which for higher education means supporting teaching, learning, research, and operational efficiencies. I would suggest that the purpose of security is beyond even these lofty objectives.
Security exists not for security’s sake, but so the community can trust what our institution does, and how we do it.
According to CIO.com, trust and transparency “are presenting as the new first-class differentiators, with experience, engagement, price and quality all now settling in as second class.”
What does transparency look like in higher education?
We are up front about what data we collect, what we do with it, and how we keep it.
We give our community of faculty, staff and students as much control over the technology they use and the data they manage as possible, while ensuring careful handling of other people’s information.
Our institutional review boards ensure technology, data ethics and security are included in their considerations of appropriate research methodologies.
Considerations of privacy, security and data management are included in all business processes and operational expenditures.
Trusting Our Institutions
So how do we know when our institutions are trustworthy? It is the same as evaluating people. We trust people when they are honest, reliable and accountable for their behavior. When we manage systems and information on behalf of an institution, the way we do it reflects on the values of the institution. Do we transparently share our data handling, privacy, and security policies? Do faculty and staff hold themselves and others accountable for doing their work well, maintaining confidentiality and appropriate use of data? Do they take ownership when things go wrong?
Trust is neither binary nor permanent. Who we trust, and how much, and how long, depends on context. Higher education institutions may want to be trusted, but it’s easy to lose the trust of our community if our systems fail or our information is incorrect. We may tolerate an institution to have student-supported services with a delayed response time, but logging into the learning management system must be immediate and reliable. It may be annoying if the bus schedule is wrong by five minutes, but it’s really not OK if we’re about to undergo surgery and our health record is incorrect. We trust proportionally to the level of risk we are willing to assume — the less we risk, the more we are likely to give the benefit of the doubt, and trust.
What does lack of trust and transparency in technology and information look like in higher education?
Faculty choose to use non-institutional systems because performance is unreliable or confidentiality is not assumed.
Students and faculty choose to attend a different institution, because the institution does not handle their information ethically, efficiently, or for their best interests.
Granting agencies fail to award research and teaching grants because they are not assured the institution or the researcher can manage the security and privacy of the information correctly.
Security and Trust
Traditionally, security programs manage trust using the security triad: confidentiality, integrity and availability. Does the institution maintain confidentiality according to the expectations of the community? Are systems available when and where they are needed? Is the data accurate and behaves as expected?
Now, security leaders need to go further if they are to promote trustworthiness within and outside the institution.
They need to:
Create Partnership: Align not only to the technology partners in an institution, but to academic and research leaders, to understand how security can be used to improve academic outcomes. Additionally, security teams need to work with technology vendors and partners to ensure the entire ecosystem of technology and data is trustworthy, not just those systems created in-house by the institution.
Educate Stakeholders: Help the entire community understand how having secure systems will support their efforts. Help them know the information and technology risks they face, and help them devise strategies to address those concerns. These threats occur at home and at work, so awareness of issues needs to encompass their personal and professional lives.
Demonstrate Competency: Security leaders and their team must be trusted for their expertise. Be accurate, responsive, and professional. When the inevitable errors occur, own the effort to correct them and to change tools and processes to stop a repeat event. An untrusted security partner will be bypassed by the community, invalidating the security reason for existing.
Trust in Remote Working
As education institutions adjust to a post-COVID teaching, learning and working environment, the issue of trust is more important than ever. Many of us will return to physical campus, in-person teaching and research and team collaboration spaces. Some, particularly in security and technology, will decide to work and learn from another place. Security and privacy leaders will need to provide a way of working that is trusted by workers, leadership, granting agencies and regulators.
To enable this, security leaders should consider:
Evaluating remote-working processes, cloud applications and related analytics with a “private from the start” and “secure from the start” process. We know our institutions will want to analyze the impact of online learning and remote working to know if they are performing as needed. These technologies are reaching into people’s homes. They must adhere to privacy principles and be managed with appropriate security measures to support equity, privacy and desired institutional outcomes.
We can no longer secure the environment using on-premise networking solutions alone. We must ensure security tools are as close to the employee or student as possible — at login, on devices and in the cloud applications. In order for the security function to be regarded as effective, threat detection and response tools must extend to wherever faculty, staff and students are. It is not acceptable to only provide security protections to those on campus — the choice to work and learn remotely must not be a binary choice of “security vs. no security.”This raises questions of privacy — communicating early and often about how these tools work and are used is critical. Partnering with faculty, staff and students to implement a security technology stack that supports remote working is an important exercise in organizational partnership.
Expand security training and awareness to focus on the individual in their hybrid work/home environment, instead of focusing only on the needs of our institutions. Help them understand the personal and professional security threats and risks, and give them the tools to manage risks.
Security doesn’t exist for its own sake. It exists to ensure the institution is successful in delivering its mission. Security fosters trust, which allows the university or college community to live, work and thrive. As we move past the pandemic and into a new way of working, security continues to play a pivotal role in ensuring our institutions navigate these challenges successfully. Security leaders must consider their role in supporting the institution to foster appropriate technology use and build trust.
Try Duo For Free
See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.