Dealing with Big Challenges on Small Scale
By Allan Chen, VP of Institute Technology and Chief Technology Officer, California Institute of the Arts
Today’s information technology world is a complex and multifaceted one. Compliance, operations, strategy, tactics, etc., all meld together into one giant effort to stay on top of trends and issues. Perhaps especially in higher education, the sector from which I come, getting things done blends with getting things planned until they seem the one and the same. Strategy begets tactics, but tactics can dictate long-term decision-making, too. I have spoken to several CIOs and CTOs in education and the line between strategic and tactical has blurred to almost nothing, even at the largest of institutions with the most resourced teams.
There are many topics we could cover, but cybersecurity is one that is not only appropriate, but also front and center today.
Having said that these concerns cover all kinds of organizations, I would like to zero in on the area that I inhabit – the small institution/operation. I am currently the Vice President of Institute Technology at the California Institute of the Arts (CalArts). We have about 1400 students, 300 staff and between 300-500 faculty, depending on how you count our part-time population. Our IT team is 15. Our annual budget is under $100M. While we might be larger than some SMBs in the corporate world, we are small by higher education standards. In comparison, my last institution had 35,000 students, over 2500 faculty, and an IT team of more than 150. All this to say that I would like to focus on the smaller operations and teams out there. It’s what I know and, more importantly, I think it’s a critical sector to consider. In higher education, there are many more small and medium shops (student FTE<5000) than the huge ones, but large research institutions tend to be disproportionately overrepresented on governing boards, in articles, and in the overall public profile. So, let’s spend some time on the many, mighty small and medium-sized institutions that I’m familiar within higher education.
There are many topics we could cover, but cybersecurity is one that is not only appropriate, but also front and center today. At CalArts, we do not have a (Chief) Information Security Officer. With the exception of the one large institution I have been at, I have never had an ISO on the team. I have been the de facto person filling these shoes. So how do we handle these situations? And what lessons might other SMBs take from my experiences?
First, security is something you can partially outsource. Higher ed tends to be so varied from institution to institution that you cannot work with a true managed service provider, just taking over all your operations. But in terms of the “top” best practices and certainly as far as understanding compliance (GLBA, GDPR, etc.), an outside firm can be extremely helpful. As more and more threats come up as zero-day exploits, understanding the scope of the issue and the appropriate response can be extremely difficult without an ISO or another expert that you can lean on with a moment’s notice. In this case, the only real solution is to crowdsource among your team members. Have a trusted “second” that can help read through the notices and dispatches on threats to best understand their impact on your environment, and will drop everything if action is required. Work with communications (either internally or, if you have one, an organizational Communications team) to prepare language to your community about steps to be taken.
Second, lean on your peers. This might be easier in higher education than in SMBs; colleges and universities have a long history of sharing knowledge and expertise. Another institution’s ISO or sometimes just general staff are facing the same challenges that you are, and can offer advice on what to do, and interpret findings and regulations that are perhaps beyond your level of expertise. In the SMB space, this might be another way that you can utilize third-party experts. They know not only how to interpret regulations like GLBA, but also know what’s coming down the pike in terms of changes, and can help you make the needed adjustments before they hit. They can also be sounding boards to gather answers to new questions.
Finally, an ounce of prevention goes a long way. Whether it’s something as simple as an email reminder every month or cybersecurity training programs or actual fake phishing simulations, do them, do them regularly, and follow through with individuals. Obviously, sending out messages to your constituents does not cost you anything except time. And training offerings are becoming more and more affordable and easier to configure and use every year (especially as the field has become more competitive). This is a space that you simply cannot ignore. Fundamentally, the small to medium-sized organization space is an important one. In higher education, there are far more institutions below 5000 students than any other sector, and this creates an incredibly varied and disjointed landscape. However, this diversity does not decrease the importance of dealing with fundamental IT issues such as cybersecurity. There are ways to mitigate these challenges even when one’s operation is a small one, though.