The CISO’s Perspective
There’s an inherent dilemma in effectively managing cybersecurity: IT organizations must dedicate the time and focus required for long-term strategic planning while maintaining the agility to meet evolving threats and take advantage of emerging technologies. Add in the ongoing need to review and revise strategic plans to reflect those changing risk and technology landscapes, and the task can seem herculean.
The University of Wisconsin-Madison is one year into a five-year cybersecurity strategy; we published our first plan update in July 2016. The practices that worked and the lessons learned in Madison can easily apply to other institutions to make this high-stakes endeavor easier.
Capture all valuable input before making a security plan
UW-Madison forged its multiyear cybersecurity strategy during four months of intensive planning by security team domain leads and other IT stakeholders, along with faculty and administrators. Through existing collaborations on campus, such as the Madison Security Information Team, the planning group also had access to a wide community of experts to help vet good ideas. With 54 colleges and departments, as well as 13 research centers, UW-Madison has a complex IT infrastructure and more than 40 employees who demonstrate expertise in some aspect of information security.
The process of developing the cybersecurity strategy began with a free-wheeling, offsite session in which participants were encouraged to “think big” as they answered the question, “What are the specific things we can accomplish in the next five years?”
From that start, a few key practices were essential to formulating the strategy — and they continue to be crucial in executing it:
- Security domain leaders — for example, the head of Incident Response and Forensics — knew from the beginning that they would be empowered to make the decisions necessary to carry out strategic objectives. As a result, they focused on goals in the strategy that they could back up with action and intensified their already strong commitment to making the strategy work.
- The planning group actively engaged the broader university community to both understand the needs and concerns of faculty and staff around cybersecurity and to build buy-in for the strategic plan.
- Iteration and revision were central to creating a comprehensive strategy. The planning group repeatedly pushed updated versions out to security stakeholders and the university community, enlarging the conversation and making sure we addressed as many issues as we possibly could.
Continue to rethink cybersecurity strategy
By definition, a multiyear cybersecurity strategy must stand the test of time. The revision process extends into the execution phase of the project. This past summer’s update will take us into year three, when we’ll start looking at adjustments for the next five years. The aim is not to be locked in to our thinking from 2015, but rather to create a rolling plan that we continually refresh and renew based on what we learn.
Leverage all assets to build university culture
As a result of our planning, we have developed a comprehensive risk management framework. We are also less than a year away from launching a Cybersecurity Surveillance and Operations Center that will give us better tools to detect and thwart threats to UW-Madison information systems.
We are also making significant progress toward goals of building a university-wide culture of valuing security, defining meaningful security metrics, clarifying and understanding compliance requirements, finding sustainable funding sources, and developing a communications plan for the strategy. These types of objectives serve to build a strong foundation for security efforts, helping to grow the base of committed stakeholders and ensuring that efforts enjoy long-term support.
Throughout our process, industry has been a rich source of advice and assistance. We have found that businesses are eager to build lasting partnerships that help us find ways to make security technology more affordable and generate internship opportunities for our students.
Plan for staffing effects
As for how we stayed ahead of current security threats while we worked on the long-term plan, the answer lies in the depth and dedication of the UW-Madison security staff. Each domain lead trained a second-tier leader who would help run the business while the primary lead worked on the strategic plan. This time investment was not trivial, and the leads knew the value of a dedicated effort to get it right the first time.
The planning group went through several versions of the document before we started promoting the plan to the larger security and university communities. However, after the initial offsite meeting and the first few iterations, the level of effort required of the domain leadership curved sharply downward. Staff turnover must also be considered in the development and execution of a multiyear plan. In most colleges and universities, promotions and raises are hard to justify and are usually tempered by an inelastic budget. The importance of knowledge management and a strong bench should not be underestimated. The depth of the UW-Madison security team has given us a skills cushion, but mostly we are fortunate that our key leaders are comfortable in their roles and dedicated to the institution.
Know your risks
During the school year, the UW-Madison student population averages 43,000. At $194 a record, that’s $8,342,000 that it would cost the university in credit monitoring and insurance alone if the school suffered a major cybersecurity breach. And the potential financial impact doesn’t take into account the incalculable price of lost privacy for students and staff, not to mention damage to the university’s reputation. I think about those risks every day, but I also think we have the right strategy to minimize them.
Originally appeared in EdTech Magazine