Vancord logo

The Top 3 Questions Every Higher-Ed CIO Should Be Asking

On average, universities lose $245 per capita from cybercrime. More sophisticated hacking techniques, combined with an increased number of universities moving to the virtual classroom, have led to more hacking opportunities for cybercriminals. The result? More responsibility has been placed on the shoulders of higher-ed CIOs.


Today’s CIOs must have a firm grasp of the challenges, solutions, and impacts of cybersecurity regimens in the organization’s IT investments and infrastructure. Things like policies, risk management, and staff skills are all critical components impacting how robust a university’s cybersecurity protocols are in the event of data loss.

How can higher education CIOs know if their university’s security is set up properly, and fully operational? Below are the top three questions every higher-ed CIO should be asking when it comes to incident response readiness.

Are faculty and staff members sufficiently educated about cybercrime?

In some of the most common forms of cybercrime, your staff and students are the potential weak links that hackers will exploit. Phishing scams are the biggest culprit. If staff members or students click on fraudulent email links, your university can have its security breached, lose money, and possibly have its reputation impacted.

Patching issues are another major weak spot that hackers can exploit. If students or faculty don’t understand the importance of timely updates, they can put themselves and the organization at risk of data breaches.

How can you ensure that faculty members and students are sufficiently educated and protected from cybercrime? Consider the following:

  • Training protocols — In many cases, students and staff simply don’t know what a phishing email is or looks like. They may not realize that updating the system as soon as a patch is sent out is critical for keeping networks and data safe from attack. Train your staff and students on these cybersecurity measures with current best practices and offer incentives to encourage adherence to safety protocols.
  • Password security education — Remembering dozens of different passwords is troublesome and inconvenient. Staff and students may resort to using the same password with only slight variations for separate logins. Or they may write down their passwords and fail to store them in a secure place. One way to prevent password security problems is to offer students and faculty a user-friendly password management system.
  • Physical security protocols — Do staff and students know what to do with lost ID badges or smart cards? If these misplaced items fall into the wrong hands, even the most robust cybersecurity systems can’t prevent access to the compromised person’s sensitive data. Ensure that staff and students have access to a robust program and know the protocols for safely returning or recycling lost badges and smart cards.

Have the top risks to the school been identified?

Unfortunately, many universities struggle with establishing open communication lines between IT staff, business leaders, and the CIO. The top business risks aren’t identified adequately. As a result, IT staff will deploy cybersecurity programs that try to address every potential threat the school could possibly face. Cybersecurity investments are spread too thin, and the biggest risks aren’t given the appropriate security measures.

Business and IT leaders, along with the CIO, must identify the top risks to the school. Tweaking, optimizing, and tailoring cybersecurity programs to address the most significant threats will ensure greater protection.

Is our incident response plan adequate?

The industry best practice is to analyze the university’s incident readiness annually. Usually, a vulnerability assessment is the first step, followed by a penetration test. Controlled testing of the school’s security systems allows CIOs to identify the results of current measures, versus the desired outcome for risk management control.

Completed vulnerability and risk assessment tests will generate a detailed report of any weak points or vulnerabilities in the system hackers can exploit. Based on the results of controlled testing, organizations can build and implement a robust, customized incident response plan that addresses any security gaps.

Higher-ed CIOs and response readiness: The bottom line

There’s a massive skills gap in the cybersecurity field, with an estimated 500,000 cybersecurity jobs going unfilled. CIOs and cybersecurity leaders must deploy innovative solutions to address these skills gaps and keep their university safe from hackers and data loss. Ensuring adequate investment and resource prioritization via robust testing and education measures can bolster university cybersecurity.

Cybersecurity Tips In Your Inbox.

Get notified when we have something important to share!