Incentivizing Secure Practices
Practice 11: Breach Chargebacks
Breach Costs Largely Invisible to End Users
Charging back remediation to units almost unheard of
Even as data breaches have increased in severity and frequency across higher education, managers outside of central IT have stayed mostly immune to the consequences. A dean who is engaged in cybersecurity will be a strong ally for the IT security team, but simply charging departments a penalty for security breaches could generate significant tension between IT and the academy.
Breach chargebacks get deans listening and talking
At Purdue University, breach chargebacks are not intended to punish misbehavior, but rather to provide deans and administrators with a clear reason to adhere to reasonable security standards. Engaging academic administrators through chargebacks allows the CIO to deliver education to the person with most relevant authority, in the language they best understand.
Use Breaches As Education Opportunity
Go for signal value, not cost recovery
Breach chargebacks are not intended to recoup the true costs of a data breach; instead, use the incident as an opportunity to educate responsible managers (e.g., academic deans) about what happened, why it is necessary to improve behavior, and how to prevent future incidents. A simple letter explaining the cause of the breach, the relevant campus policy, previous reminders, and how future incidents will be prevented should accompany the bill sent to academic departments, and the CIO should also offer to meet in person to discuss the charge.
Practice 12: Cyber Risk Mitigation Incentives
Distributed Systems at Risk
Increasing attacks on Indiana University computing
Like many institutions of higher education, Indiana University has faced increased cyber attacks in the last several years. When the IT team at IU analyzed the history of attacks, they discovered that the fastest-growing segment of attacks involved botted hosts, or servers that had been taken over by a third party and used for external attacks under the guise of IU computing.
Routine audits reveal a pattern of policy compliance gaps
A review of five years of internal audits revealed recurring gaps in unit-level compliance with existing cybersecurity policies. IU had already constructed a highly secure data center, but the institution’s decentralized culture left many servers without effective security controls. With the board of trustees’ support, the institution rolled out a Cyber Risk Mitigation Policy that included unit-level reviews and dean sign-offs.
Treating Cyber Risk Like Financial Risk
Allowing units greater discretion for academic uses
IU’s IT reduced friction with departments by segmenting acceptable risk mitigation approaches for administrative and academic uses. Administrative technologies (e.g., website HTML servers) are presumed to be candidates for shared services, but the policy gives greater latitude to academic technologies for research and instruction. In either case, deans and researchers can use differentiated, unit-based services if they demonstrate how local security controls provide an ongoing and appropriate level of risk mitigation.
Peer review of exception requests increases buy-in
Schools, administrative departments, and central IT co-designed the implementation rules, which drew on existing approaches for financial policies developed with the CFO. Policy compliance begins with each unit conducting a self-review and planning its path to policy compliance. Exception requests are peer reviewed, and if the dean provides an alternate means to mitigate cyber risks per security policies, the CIO is not likely to push for further centralization.
Incentivizing Cyber Risk Mitigation
CIO offers deans reduced risks, lower costs
The key to policy success is making deans and administrators aware of the potential costs of cyber threats and the unit benefits available through centralization of servers and technology. In town hall meetings, online broadcasts, and in-person meetings at the department level, the CIO and CISO spent three months educating departments about reduced costs, insulation from risks, increased staff specialization, and space reclamation.
While some local IT staff and researchers did not like the new rules, face-time with the CIO and leadership team helped explain the nuances of the policy and the multiple ways to achieve cyber risk mitigation. Support of the deans and vice presidents was crucial.
Reducing the ‘Surface Area’ of Vulnerability
Administrative focus helps IT collect 90% of all servers in secure, cost-effective facility
Since the introduction of the new cyber risk mitigation policy, hundreds of servers have been virtualized or physically moved into the secure server space; there are fewer physical servers to attack, and 9 out of 10 servers on campus are now within the secure data center. The vast majority of administrative units have moved all servers into shared services, and only a handful of units still maintain internal servers. For units that recently purchased administrative computing systems, and would thus “lose” their investment if departmental servers were migrated immediately, the CIO offers to set up a future date for planned migration—and as systems retire, most are moved into the secure facility.