Educause Security Discussion mailing list archives

Re: IT Security in Higher Ed.


From: Allison Dolan <adolan () MIT EDU>
Date: Thu, 22 Oct 2009 13:47:01 -0400

Lee Ann

I worked in corporate for 20 some years (many of those years in IT)
before higher ed (now going on 12 years).  I would say, when comparing
with 'corporate', you need to drill down, since corporate cultures
and IT environments vary widely.  Some, like retail, have highly
distributed environments, where there has to be a high level of
consistency, and many of the users are relatively unsophisticated.
Others, like banks and financial entities, are dealing with
significant regulatory and compliance issues, as well as having
information assets with obvious street value.  Big companies tend to
behave differently than smaller, entrepreneurial companies.  Still
others, like the company I worked for, had an environment that was
very similar to higher ed - collaborative, not much in the way of top
down mandates (each line of business manager had a good deal of
autonomy), fairly sophisticated  user base.  And the research
scientists working on the next 'big thing' had all the
characteristics of elite faculty.

Corporate, like higher ed, is chronically defending the value of the
internal IT dept, but at least for a while, outsourcing and
offshoring were more common in industry than in higher ed.   And, as
with higher ed, the 'core businesses' of the organization will tend
to complain about the resource drain of a non-core function like
IT.    Large corporate entities may have more mature business
processes - e.g. more sophisticated HR, Finance, and procurement.
Big decisions may have required much more complex analysis of value
and ROI.

For publicly traded companies, stock price is a major driver for
decision making, and at least the appearance of a faster pace (if you
look at the auto companies and some other industries, I suspect you
will find many decisions don't move more quickly - but the
consequences of slowness are much more visible.)  Private higher ed
environments tend to have the benefit of not being captive to the
whims of the stock market.  However, a well run private corporation
could say the same.  And no one is immune from budget cuts,  layoffs
and downsizings.

Many corporate entities are truly 24x7/global concerns, and downtime
of certain systems directly links to revenue loss  - higher ed IT
generally doesn't have the pressure of losing a million dollars per
minute of downtime.  This tended to translate to longer work hours
for IT - you were lucky if your work week was only 40 hours, and you
might have to carry a pager 2 weeks out of 4. (Of course there are
groups like this in higher ed IT, but there are also higher ed groups
where 35 or 37 hour work weeks are the norm.)

People are people regardless of where you work, and the human factor
in IT security, for example, tends to be similar.  The difference may
be the degree to which the business information is valued by others.
I haven't heard of too many hackers trying to break into student
information systems to capture grades and similar; most companies,
however, have intellectual property and business information that has
real market value.

Perhaps the single biggest difference is that in higher ed,
'competitors' cooperate - you probably couldn't have an EDUCAUSE-like
organization for IT people in banking, or retail, for example.

I'd be happy to talk further offline if of interest...



Allison F. Dolan
Program Director, Protecting Personally Identifiable Information
Massachusetts Institute of Technology
77 Massachusetts Ave  NE49-3021
Cambridge MA 02139-4307
Phone: (617) 252-1461
http://mit.edu/infoprotect



On Oct 22, 2009, at 9:56 AM, Hart, Lee Anne wrote:

Hello,

I'd like to do a little research on how or if IT Security in Higher
Education is different from other organizations such as the
government and corporate America.

- Are the threats/risks different?
- Is the purpose or goal different?
- Are there organizational differences?
- Unique challenges to working in higher ed?
- Why do you work in higher ed?
- Unique benefits to higher ed?
- Have you worked for the government or a "for profit" company? If
so, what differences do you see?
- Should it be different? Why/why not?
- Do you know of similar articles or threads on this topic?
- Other?

Thanks in advance for your help. Feel free to respond offline. I'll
review the responses and use the information in a blog entry I'll
share with the list.

Thanks,
Lee Anne

-------------------------------
Lee Anne Hart, CISSP
IT Security Analyst
Montgomery College
15400 Calhoun Drive, Suite 310
Rockville, MD 20855
240-567-3142 (O)
240-731-2332 (C)



