It sounds like a security oxymoron: Protect educational institutions that are meant to be, as Fitchburg State University information security officer (ISO) Sherry Horeanopoulos put it, "wide-open and unguarded."
But Horeanopoulos and several of her colleagues on a panel at the SANS Security Leadership Summit Wednesday in Boston agreed that it is possible.
"We work in an environment that is designed to be wide open and unguarded," she said. "Professors and students need access to resources that span the globe. So how do you take a top-down approach in a bottom-up environment? Everything can't be completely protected, but we provide an open, flexible place to work in technology by working to keep things reasonably safe and not being dictators."
The panel discussion, titled "CISO 101: Lessons Learned from Higher Education," was moderated by Larry Wilson, CISO at UMass, and also included David Escalante, director of computer policy and security at Boston College; and David Sherry, CISO at Brown University.
Another major challenge, they said, is that a university campus is like a small city, where the security team has to deal with "everything in the city. We provide housing in residence halls, entertainment and sporting events, food, we're associated with hospitals so we're involved in health care, we make loans so we're defined as a bank; you can't win," said Escalante.
And then there are the multiple constituencies, Sherry said, which include, "faculty, staff, students, donors, boosters, athletic support groups, applicants, parents and alumni; it's very wide."
Given that environment, the panelists said they have to set priorities and focus on a limited number of things.
Escalante said one of the things he does is firewall off the data center from the campus network.
But there was general agreement that the goal in dealing with those on campus, students especially, is to enable what they need. "We try never to deny them a service," Horeanopoulos said.
Sherry agreed. "The key goal is never to say no; we don't want to turn them down, just enable them to do it securely," he said. "So I like to call it a persuasion program. We try to convince them to do the right thing."
And that, he said, takes personalizing the security message. "If we put something on at lunch about how to protect their home network, people come because it's about them," he said. "If you make them secure at home, they will be secure at work."
Escalante said the same is true in the dorms. "Don't tell them about something in the New York Times," he said. "Tell them about something bad that happened to a guy down the hall."
It is a constant battle, however, Horeanopoulos said. "You can't keep up with every threat. We have perimeter guards that let us know what's going on, but even that you can't sift through all day long. So you try to automate what you can."
And, of course, not every student's intentions are good. Wilson told of a student who was able to change his own grades, while another hacked into an Oracle database. "We learned from our own mistakes," he said. "There are no more students working in sensitive areas."
Another challenge is cutting through the fog of pitches from vendors. Wilson, who had a background in finance before joining academia, said his approach is to "pick and choose" from security frameworks what works in an academic environment.
He said at UMass he uses "ISO for process and management, and SANS for technology. We focus on protecting our assets more than the threat du jour."
And how do they recruit and train people? Sherry said it is difficult to find good people, but he looks at "graduating seniors in computer science or entrepreneurial fields. This really is a cool place to work; it's stressful, but there's a lot going on."
Escalante agreed. "We need people who know how to code," he said. "If you need coding, check out the university, and think about hiring a summer intern. It's a low investment, and maybe they'll work out."