Published on November 4th, 2021
Include cybersecurity in higher ed board meetings, group recommends
Higher education governing boards should stay apprised of rising cybersecurity threats and fund efforts to address them, according to guidance published Thursday by a leading professional organization.
Governing boards are typically in charge of approving budgets and staffing, so board members (known as trustees, regents, governors or other titles depending on the state or institution) need to see cybersecurity as a crucial business matter, Merrill Schwartz, a senior vice president for the Association of Governing Boards of Universities, told EdScoop. Amid continued ransomware attacks against higher education institutions, the association developed recommendations for board members on how to communicate with their information security teams, including questions to ask about cybersecurity and suggested cybersecurity frameworks for their institutions.
"Part of making budget decisions is that cost-benefit analysis," Schwartz said. "Like risk management, it's important to look at what risks you're going to accept, what you're going to mitigate, what you're going to transfer through insurance. You try to eliminate risk or mitigate risks so that you aren't paying out for losses, and that requires an investment of resources. So being clear about what the risks are is extremely important."
When board members approve purchasing new technology or enter a partnership with a company or organization, any additional cyber risk needs to be part of the conversation, Schwartz said. This is supported by the group's guidance, which urges boards to take cybersecurity into account when making decisions on mergers and affiliations. Managed service providers can pose potential cybersecurity threats to institutions, as highlighted by recent attacks on SolarWinds and Atlassian.
Schwartz said that understanding ongoing cybersecurity threats also helps board members understand the IT security department's financial needs. The association's guidance recommends regular feedback from cybersecurity staff at board meetings and for board members to independently educate themselves on cybersecurity risk. She said implementing some of the advice in the document, such as that on how to use cybersecurity metrics when making business decisions, will help board members familiarize themselves with the landscape.
"Board members learn a lot about what they should be thinking about by coming to agreement on what they will be monitoring, how often and in what format, so that's a great place to start," Schwartz said. "This is going to vary depending on the type of institution. A small private college still has cyber risks and must monitor them, but it's different than a large research university with an academic medical center, or a large hospital with patients."