Educause Security Discussion mailing list archives
Re: IT Security in Higher Ed.
From: Allison Dolan <adolan () MIT EDU>
Date: Thu, 22 Oct 2009 13:47:01 -0400
Lee Ann,

I worked in corporate for 20 some years (many of those years in IT) before higher ed (now going on 12 years).

I would say, when comparing with 'corporate', you need to drill down, since corporate cultures and IT environments vary widely. Some, like retail, have highly distributed environments, where there has to be a high level of consistency, and many of the users are relatively unsophisticated. Others, like banks and financial entities, are dealing with significant regulatory and compliance issues, as well as having information assets with obvious street value. Big companies tend to behave differently than smaller, entrepreneurial companies. Still others, like the company I worked for, had an environment that was very similar to higher ed - collaborative, not much in the way of top down mandates (each line of business manager had a good deal of autonomy), fairly sophisticated user base. And the research scientists working on the next 'big thing' had all the characteristics of elite faculty.

Corporate, like higher ed, is chronically defending the value of the internal IT dept, but at least for a while, outsourcing and offshoring were more common in industry than in higher ed. And, as with higher ed, the 'core businesses' of the organization will tend to complain about the resource drain of a non-core function like IT.

Large corporate entities may have more mature business processes - e.g. more sophisticated HR, Finance, and procurement. Big decisions may have required much more complex analysis of value and ROI.

For publicly traded companies, stock price is a major driver for decision making, and at least the appearance of a faster pace (if you look at the auto companies and some other industries, I suspect you will find many decisions don't move more quickly - but the consequences of slowness are much more visible.) Private higher ed environments tend to have the benefit of not being captive to the whims of the stock market. However, a well run private corporation could say the same. And no one is immune from budget cuts, layoffs and downsizings.

Many corporate entities are truly 24x7/global concerns, and downtime of certain systems directly links to revenue loss - higher ed IT generally doesn't have the pressure of losing a million dollars per minute of downtime. This tended to translate to longer work hours for IT - you were lucky if your work week was only 40 hours, and you might have to carry a pager 2 weeks out of 4. (Of course there are groups like this in higher ed IT, but there are also higher ed groups where 35 or 37 hour work weeks are the norm.)

People are people regardless of where you work, and the human factor in IT security, for example, tends to be similar. The difference may be the degree to which the business information is valued by others. I haven't heard of too many hackers trying to break into student information systems to capture grades and similar; most companies, however, have intellectual property and business information that has real market value.

Perhaps the single biggest difference is that in higher ed, 'competitors' cooperate - you probably couldn't have an EDUCAUSE-like organization for IT people in banking, or retail, for example.

I'd be happy to talk further offline if of interest...

Allison F. Dolan
Program Director, Protecting Personally Identifiable Information
Massachusetts Institute of Technology
77 Massachusetts Ave NE49-3021
Cambridge MA 02139-4307
Phone: (617) 252-1461
http://mit.edu/infoprotect

On Oct 22, 2009, at 9:56 AM, Hart, Lee Anne wrote:
Hello,

I'd like to do a little research on how or if IT Security in Higher Education is different from other organizations such as the government and corporate America.

- Are the threats/risks different?
- Is the purpose or goal different?
- Are there organizational differences?
- Unique challenges to working in higher ed?
- Why do you work in higher ed?
- Unique benefits to higher ed?
- Have you worked for the government or a "for profit" company? If so, what differences do you see?
- Should it be different? Why/why not?
- Do you know of similar articles or threads on this topic?
- Other?

Thanks in advance for your help. Feel free to respond offline. I'll review the responses and use the information in a blog entry I'll share with the list.

Thanks,
Lee Anne

-------------------------------
Lee Anne Hart, CISSP
IT Security Analyst
Montgomery College
15400 Calhoun Drive, Suite 310
Rockville, MD 20855
240-567-3142 (O)
240-731-2332 (C)