This week, I have the privilege of spending time at Educause. This conference is all about Higher Education IT, and Security is one of the focus tracks. I actually don’t think I’ll spend a lot of time listening to the Security presentations, although I will certainly be networking with my Security colleagues while I’m here. Instead, I’m here to learn the business of Higher Ed IT. Which is as varied as the Universities and Colleges represented.
I’ve been noodling (that’s a technical term, btw) on how to understand the individual and corporate Security risk tolerance at OSU. There seems to be a wide range of opinion on this matter, such as:
– Using a 45 character password (full disclosure, my password is not that long!) and changing it every 60 days versus using a memorable password, and changing it as infrequently as possible
– Parking in the dark corner of a convenient garage, versus parking in a well lit parking lot
– Using a laptop lock versus leaving your laptop on the lunch table, logged in
– Engaging Security when rolling out a new technology project, versus not engaging Security at all
– Encrypting your mobile device versus not using a PIN at all
– Fastening your seat belt versus Death.
It becomes more problematic when we realize we’re not just risking our own stuff; we’re risking the university stuff, and the University Brand. OSU hits the news for a ton of really great reasons – football, of course, and research breakthroughs, and academic success, and on and on and on.
However, we occasionally hit the news for not good things, and when that happens, we invariably ask “Shouldn’t someone have known better?” “What were they thinking?” “Who let that happen?” All good questions, and the answer cannot be “because I (the Academic, the Researcher, the Administrator, the Security Professional) was OK with it”, or “because I thought it was too much hassle to do what Security was asking” or “I didn’t want to change my behavior”. We have an obligation to hold our own Risk stance subordinate to the Security of the mission of the university.
Which brings me back to Educause. One thing I hope to learn more about here is where technology is taking colleges and universities in the US. And then to work out how Security aware that thinking is. And then to work out if OSU is more, or less, Security tolerant than its peers. Because OSU is a terrific university, and does a lot of terrific things. But if it gets this Security thing wrong, it’s not only data at risk, it will be the whole Brand. O-H-I-O will become synonymous with OH-NO, and that will be a fate worse than Death.
So, wish me luck. There’s a lot of people here... and only 4 days to talk to them all.