August 2023 Security Topic - Organization Level Cybersecurity

What is cybersecurity and how do we practice it? People often envision MIT graduates surrounded by burritos and Red Bulls furiously typing away on a Cray supercomputer. It’s the stuff of TV shows and movies. They pause ever so often to converse in the inscrutable language of computers. Then it’s right back to furious typing long into the night. The reality of cybersecurity, the most important aspects of it, are very different. Information Technology presents risks. We all have a role to play in managing them.  

First, we need to evict that pretend MIT professional from our heads. We need a more realistic view of the problems and solutions to envision ourselves as a participant. We don’t all have to be computer scientists and engineers to address cybersecurity.  

In fact, we already have the expertise we need inside our organizational DNA. Cybersecurity is an underdeveloped sub component of three existing functions of the University.  

  • Emergency Management 

  • Campus Safety  

  • College Senate 

It may be surprising that I didn’t mention BITS as a functional group in this area. This is an important observation. BITS is responsible for delivering information technology capabilities to the campus. Its primary function (in this regard) is very much like the Academic Success Center or the Alumni Engagement Office. BITS processes, tools, and thinking are aligned towards providing services to the campus. Cybersecurity, on the other hand, is a risk management and protection function.  

To illustrate this point, people don’t go to a music concert to hang out with concert security guards. The security guards are a risk control measure for the audience and the performers. While safety is important to people, they wouldn’t necessarily buy a concert ticket based on the security and safety measures at the concert.  

Yet concerts can be dangerous, such as the Travis Scott concert in 2021 where 8 people died and hundreds were injured (Goodman & Moya, 2021). Despite the dangers, performers are focused on developing their musical skills. They are not typically trained in concert security or involved in protecting their own concerts. There are professionals who specialize in that and develop those plans, communicate and execute them.  

This isn’t to say that BITS is not responsible for both risk management and protection in technology. But it’s not a core competency of the department. This is important to note because we can learn much from departments where risk management and protection are core competencies. We already have examples and outputs there to learn from which can be easily adapted into SUNY Brockport’s cybersecurity efforts.  

So, let’s look at these outputs. For campus safety we have clear descriptions of protection measures and reporting on incidents that happen on campus (Clery Act Campus Safety Report, 2021). We have 16 certified police officers who patrol the campus 24 hours a day. They can be immediately contacted through 31 blue light phones installed throughout the campus to respond to crimes, emergencies, and provide campus escort (Advocacy and Safety Services, n.d.).  This is part of the campus plan in place to respond to campus risks.  

In many areas, such as fire safety, we acknowledge that safety and security are important components of our campus environment (Annual Student Housing Fire Safety Report, 2021). In this area we have evacuation plans, alerting systems, delegated responsibilities and prevention guidance that are documented. Residence halls are inspected for fire safety hazards and fire drills are conducted to ensure the campus community is trained on the plans and can execute them. New buildings must have sprinklers with complete fire and smoke detection and alarm systems. (Annual Student Housing Fire Safety Report, 2021).   

We can continue along this line in the areas of hazardous waste (Hazardous Waste Emergency Response Plan, 2019), blood borne pathogens (Blood borne Pathogens Exposure Control Plan, 2019), and many other areas of campus risk.  

But none of these areas discuss cybersecurity at all, you might be thinking. What value can they be? The approach to managing cybersecurity risk as an organization is nearly identical to the approaches taken in these other areas. We need to understand our responsibilities related to laws and regulations. We need to identify risks that we want to avoid. We need to select ways to reduce those risks. Everyone on campus needs to be a part of supporting many of the safety measures. And our efforts need to be clearly documented and measurable.   

I am often amazed that we engage in textbook risk management activities in many areas across campus but often resist formally managing cybersecurity risk. This might be because we think that the risk is too complicated, too hard to understand or not impactful enough. On the last point, our recent fire safety report indicated total damage in the last few years related to fire at $90 with no injuries (Residence Halls Fire Safety Data, n.d.). We do typically recognize that a fire can be catastrophic if uncontrolled with significant damage and injuries. Despite the fact that SUNY Brockport has not recently experienced a major fire with loss of life, we recognize the importance of reducing the likelihood and impact of such an occurrence.  

Again, cybersecurity incidents are the same. A major cybersecurity incident could have significant legal and financial consequences for the University and disrupt campus operations for weeks. There are also lasting impacts of significant incidents which can affect the institution for months and even years, such as the loss of critical data or ongoing legal processes. It only must happen one time to be a huge problem. This isn’t new though. As a university we manage these risks with plans, policies, standards, documentation, training, and delegation of responsibilities.  

We have the skills to do this as a university. We just need to be able to place cybersecurity and campus safety into the same arena and expect the same levels of planning and outputs. It’s not a mystery what campus safety does to protect the campus and what our plans are to deal with bad situations. We can achieve the same in cybersecurity, and we should. 

References 

2021 Annual Student Housing Fire Safety Report. (n.d.). Retrieved August 19, 2023, from https://www2.brockport.edu/support/environmental-safety/fire-safety-report/ 

2021 Clery Act Campus Safety Report. (2021). https://www2.brockport.edu/support/university-police/safety-report/policy-statements/ 

Advocacy and Safety Services. (n.d.). Retrieved August 19, 2023, from https://www2.brockport.edu/life/safety/ 

Bloodborne Pathogens Exposure Control Plan. (2019). Environmental Health and Safety, SUNY Brockport. https://www2.brockport.edu/live/files/3230-exposurecontrolplanpdf 

Hazardous Waste Emergency Response Plan. (2019). Environmental Health and Safety, SUNY Brockport. https://www2.brockport.edu/live/files/3232-hazardouswasteresponseplanpdf 

Goodman, D., & Moya, M. (2021, November 12). ‘No Way Out’: A Sudden Life-and-Death Struggle at a Houston Concert. https://www.nytimes.com/2021/11/06/us/travis-scott-crowd-surge.html 

Residence Halls Fire Safety Data. (n.d.). Retrieved August 19, 2023, from https://www2.brockport.edu/support/environmental-safety/fire-safety-data/