Passwords, two-factor, encryption, firewalls, phishing campaigns, and awareness training? How do these efforts “make us more secure?” Some may even ask, “Why bother? Won’t the hackers just get the information anyway?” Or even, “Do we REALLY need this level of information security?”

Pick one:

1. These measures are just “Good Business” these days
2. These measures (and others) help increase the “digital value” of the university
3. Regulatory reasons – it’s the law
4. All of the above

If you picked “4,” you may quit reading this. If you picked any one of the other answers, stay with us.

Any Information Security professional that’s worth their salt will always talk about RISK. Usually, it’s followed by questions and discussions around threats and vulnerabilities. Reducing or eliminating RISK to IT resources is the goal. THAT is the answer to the WHY. With apologies to the DETAILS, the devil is in the HOW’s and WHO’s. HOW? One basic tenant of information security is to do what is necessary and appropriate for a given environment. WHO? All of us; it’s part of everyone’s responsibilities.

There are a lot of tools and software (shelf-ware?) out there that can be purchased. They help. There are also commercial services, full of professionals, that can be secured to address some of the WHAT and WHO. A university can hire services to monitor servers and networks. It can purchase (think:$$$$) software to help us protect our IT resources. However, [BIG REVEAL], the responsibility for protecting our IT resources; our “Digital Value” can’t be transferred to anyone. That’s on us and, yes, there’s no “US” without “U.” Apologies…that wrote itself!

Of the measures listed above and the tools that may be purchased in the future, the most important security measure is truly the user. Their actions and decisions can bolster (or render totally ineffective!) these measures and the information security posture of the campus and the university. Information security professionals serve as the body guards for digital assets; not the, “police.” Tools help, but the responsibility and accountability always filters UP to the user.

It’s 2022 (right?). It’s not 1994 when the Internet was new. The threats to our digital value are ever-evolving; we must adapt to the change. We are stewards of these IT assets, both our own and those of the students that matriculate to alumni. By acknowledging our responsibility to protect these assets, we increase our “Digital value,” increasing our competitiveness with other institutions. By creating, documenting our systems, and following standards of best practice, we ARE more secure; our DATA is more secure.

Policies and standards are a discussion for another day. Still, they are equally important measures that ensure repeatability, identify responsibilities, and allow us to hold each other accountable for protecting our IT resources.

For questions regarding the campus information security program, contact the OIT HelpDesk at 865-974-9900.