Will Wonders Never Cease!

 “It’s a combination of the culture, the legal framework, the logistics and the risks.” Said Fred Goldberg, who served as I.R.S. commissioner from 1989 to 1992 talking about the likelihood that an insider would leak President Trump’s returns. 

Truer words were never spoken in advising organizations on the variety of controls to preserve and protect information. As an instructor in a cybersecurity program, employee of both state and private institutions, and as a consultant in information management, I strive to get these key points across. Technology alone will not fix the problem; logistical controls are necessary but not sufficient.  The best approach is multi-dimensional and involves the oft-quoted three prongs of administration, technology and physical security. There is no silver bullet. Perhaps more vital than any other factor is culture, as expert Rebecca Herold repeatedly demonstrates in her classic, Managing an Information Security and Privacy Training and Awareness Program. 

Risk remains highly elevated until users on a network system – all users, including the weakest links -- thoroughly and completely internalize information management. Higher education networks pose special challenges by comparison to industry and government for many reasons: financial constraints that limit everything from the purchase of necessary technologies to the staff required to implement a comprehensive program; faculty pushback on theories that range from “academic freedom” to “information wants to be free” in the belief that they are not obliged to comply with institutional policy; general user ignorance and negligence for the failure of the institution to adequately instruct or rigorously enforce policy. Notably, some good tools exist from anti-virus to SIEM products; specialists know the usual suspects.  For risk management, which more advanced institutions are turning for support, RiskLens, is the emerging product on the market.  Without legislation or even a good standard under state tort law for a breach, keeping up the Jone’s remains an institution’s best approach, which means, in this context, that utilizing these products is a good line of defense.  But when all is said and done, moving the dial progressively on culture remains the most significant nut that higher education has not cracked.

More than once I have embarrassed myself with an argument that higher education is no different.  One time in a webinar a couple of years ago I got so worked up I lost a good client.  After working closely with students this past year in the TACC Program, many of whom work for a Fortune 500 financial services corporation, I have shifted my analysis.  I still bristle at the dismissive attitudes that vertical peers level at us since they tend to compare apples to apples and fail to recognize that higher education is a special fruit.  But where I think that industry and government have pulled meaningfully ahead us in addressing the cultural component.  In many cases, it is not for want of trying. Almost every information security specialist in higher ed I have ever met is sincere, dedicated and hard working.  The problem is simply larger than the resources at hand or even the defined scope of their work. 

Given the bully pulpit that comes with this blog, readers will recognize my approach: to pull contemporary politics into this context.  If we see the connections between what we do on our campuses, not least of which is how we education students, and the larger world around us, we have a better chance at capturing the quality of attention we need to change our culture towards greater commitment to information management.  Think of it a little as one would a religious experience, when some inspiration from suffering to glee opens the heart.   The distinctions between a hack and fake news are collapsing, for example.  “Digital” and “information” literacy, once emphasized for difference, have become part and parcel of the same training and awareness. Even the term with which we are so familiar, “information technology,” holds the potential for a shift.   When first used, most people thought of information as an adjective.  It should now be regarded as a noun.  That is the kind of transition we now need to be comprehensive in our approach.   

It is therefore not a coincidence that the opening quote comes from an article on the probability that President Trump’s IRS returns can be hacked.  Curiously, in a world where just about everything can be hacked and/or leaked, this one document, according to the article, appears relatively sacrosanct. Leave it to our democratic republic to protect the wealthy more than its own foreign intelligence.  That is a sign of the times, and if that order of things does not get one’s attention I am not sure what else would. But do you also see the connections between information security and national security, policy and politics, in this one piece? Perhaps it is more metaphor than fact, but even in that case, it is potent.

Policy is inherently Janus-faced.  It presents in multiple forms, from operations through organizations and institutional strategies. It exists as need-translated-to-action at every level from the most local to the global.  It is important to distinguish the various types. But it is equally critical to recognize the connections between and among this complex universe of what “policy” constitutes. Rote memorization and simple answers won’t serve us. Never has it been more essential not only to the work we do but to the context in which we do it to deeply and meaningfully think.