UW–‍Madison’s cybersecurity future: Collaboration as our superpower

A message from Lois Brooks, vice provost for information technology and chief information officer:

In the modern world, where digital threats are evolving faster than ever, higher education faces a cybersecurity challenge. Institutions like UW–‍Madison are attractive targets for digital attacks and scams in part because of what makes us special—our commitment to collaborative research, academic independence and open inquiry that create rich repositories of data.

This reality requires us to be proactive, agile and adaptable in our cybersecurity practices. We need to be creative in our search for solutions that secure our people, infrastructure and data while enhancing the university’s educational and research capabilities. It’s not about building higher walls; the future will require us to evolve our approach to security.

Tomorrow’s threats and opportunities

Several developments will shape our cybersecurity landscape in the coming years:

• AI-powered threats and defenses: Criminals use generative AI to create increasingly convincing phishing attempts, while defenders leverage AI to detect unusual behavior. This technological arms race requires continuous adaptation.
• Identity as the new perimeter: With resources distributed across cloud environments, strong identity management becomes a critical control point.
• Security embedded everywhere: We’re moving toward security built into every system and process to provide more nuanced and contextual levels of security.

Smart Access: Our Zero Trust journey

I’m particularly excited about our Smart Access program—our multi-year effort to implement Zero Trust architecture at UW–‍Madison. Zero Trust architecture is a cybersecurity approach that’s becoming a consensus best practice for universities like UW–‍Madison.

Unlike traditional security models that automatically trust users inside the network, often referred to as “implicit trust,” Zero Trust continuously verifies users and devices before granting access to systems or data. This verification happens even when users and devices are already inside the network, creating multiple security checkpoints based on context and activity.

The core principles include:

• Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, behavior and anomalies. This will help ensure that devices without current virus protection don’t access sensitive university data.
• Use least privileged access: Limit user access with just-in-time and just-enough-access, risk-based adaptive policies and data protection to secure both data and productivity. This might allow people to access their own data with fewer controls vs. administrative users with access to others’ information, who may require additional security steps.
• Assume a breach could happen: There are many access points across our network and systems that could be hacked, so we must provide multiple levels of security. This would help ensure that a compromised system in a research lab doesn’t infect college or university administrative systems.

Adopting Zero Trust will fundamentally reinvent and improve the university’s security practices, reducing risk and enabling all members of our university community to work safely and securely, wherever they are. We’ve been laying the groundwork for a few years, and we are nearing the end of our testing and evaluation phase. You’ll hear more about it as we move into the planning and implementation phases in the coming months. You can join our Smart Access mailing list to be the first to hear updates as we move forward.

Building our cybersecurity future together

What gives me hope for our cybersecurity future isn’t any particular technology — it’s our people and culture of collaboration. When we work together, we create security solutions that enhance productivity rather than impede it.

As we look ahead, here are ways we can harness our collaborative superpower:

• Shared responsibility model: Everyone at the university has a role in our cybersecurity posture. By clearly defining these roles, we can distribute security responsibilities effectively across the entire UW community.
• Proactive partnerships: Rather than waiting for security incidents, we can proactively work on joint security initiatives and assessments. With the experience of working together across the university to minimize our security exposure with multiple identity systems, I can confidently say that collaborative problem-solving and open communication consistently yield the best outcomes. UW’s Active Directory Migrations Program is a great example of the power of this kind of proactive partnership.
• Embracing the human element: While technology solutions are essential, many security challenges ultimately stem from human factors. We need security measures that work with human nature rather than against it.

I remain fundamentally optimistic about our cybersecurity future. Yes, the threats are real and growing, but so too are our capabilities, our collaborative spirit and our commitment to protecting the university’s mission.

When I look at the creativity and dedication of our IT professionals across UW, I see a community more than capable of rising to these challenges. By working together, we can build a safer digital environment that enables rather than constrains our academic mission.

— Lois

Envision the Future series

This blog entry is part of the Envision the Future blog series by UW–‍Madison Chief Information Officer Lois Brooks, examining key technology trends and opportunities in higher education information technology. Read other entries in the series:

1. Envision the future: Preparing for tomorrow’s IT landscape at UW–‍Madison — December 2024
2. Preparing for the future means supporting our IT workforce — January 2025
3. Computing innovation to power tomorrow’s research — February 2025
4. Powering the future: IT’s role in university sustainability — March 2025
5. Working smarter together through modernization & federation — April 2025
6. UW–‍Madison’s cybersecurity future: Collaboration as our superpower — May 2025

Related links

• 2024 EDUCAUSE Top 10 #1: Cybersecurity as a Core Competency | EDUCAUSE Review
• Higher education trends 2025: Public trust drops, leaders must act
• 8 Considerations When Establishing Cybersecurity in Higher Education | EDUCAUSE Review
• How Zero Trust Can Protect Against Evolving Cybersecurity Threats in Higher Ed | EdTech Magazine
• Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025
• Overcoming the cybersecurity talent shortage in 2025
• Top Cybersecurity Trends and Strategies for Securing the Future | Gartner
• 3 Key Solutions to Higher Education Cybersecurity Workforce Challenges | EDUCAUSE Review