The Higher Education CISO: A Modest Security Awareness Hero

October 23, 2017

Every hero’s journey begins with a call to adventure.[1] This call usually arrives in the form of a disruption to one’s ordinary routine: Katniss Everdeen’s sister is selected as a tribute for the Hunger Games; Harry Potter starts receiving magic letters delivered by owl; Luke Skywalker must chase R2-D2 off into the desert. Often our hero refuses the call to adventure: Katniss is plagued by self-doubt; Harry believes that he can’t be a wizard because he’s just Harry; Luke can’t get involved—he’s got work to do. Sometimes our hero refuses out of a belief that she lacks the skills necessary for the coming adventure. Yet in time, our hero crosses the threshold and steps up to the challenge. And in the end, we celebrate their courageous qualities and deeds.

Surely there are few greater calls to adventure in higher ed than an institution’s information security. In 2016, the EDUCAUSE Center for Analysis and Research conducted a study on chief information security officers (CISOs) in higher education. This study sought to identify the characteristics and functions of CISOs and to understand what makes CISOs successful in their roles. One of the most interesting parts of the research was the types of responsibilities that CISOs had at their institutions and whether or not they thought that they had sufficient experience in those areas of responsibility.

This chart shows the duties for which 90 percent or more of higher education CISOs have responsibility, along with their self-evaluations of their levels of experience in those areas. This figure makes it clear that CISOs have responsibility for areas of information security in which they believe they need more experience.

Awareness and training sticks out in the figure above. While CISOs rate their level of experience in all of these areas quite low, awareness and training was reported highest. In other words, most CISOs not only are responsible for awareness and training activities but also tend to rate themselves more experienced in this area.

And it’s a good thing that CISOs are reasonably confident in their experience in awareness and training, since it’s central to one of the CISO’s most important areas of responsibility: educating the campus community about information security hygiene. It can be a big job. For instance, while 66 percent of students typically connect two or more devices to the campus network,[2] only one in four institutions have mandatory online safety training for students.[3] About 75 percent of institutions offer information security training for faculty and staff, mostly on regulatory compliance topics that involve data handling.[4] This focus on data handling is key, because less than 50 percent of faculty understand university policies regarding data storage in online, cloud-based tools.[5]

Additional challenges abound. Higher education information security training and awareness budgets and the number of staff dedicated to these activities are small. In 2017, about 45 percent of higher education information security awareness professionals reported yearly awareness budgets of less than $5,000.[6] Over 70 percent of higher education institutions have one full-time employee or fewer devoted to information security awareness and training activities.[7] But we know that information security education and training works. When it is offered, 88 percent of students[8] and 86 percent[9] of faculty who take such training find it useful.

Fortunately, higher education information security professionals don’t make the awareness and training hero’s journey alone. Each year the EDUCAUSE cybersecurity program’s Awareness and Training Working Group creates a framework that is designed to support security professionals and IT communicators as they develop or enhance their own security awareness plans. The Annual Campus Security Awareness Campaign is a resource that includes 12 blog posts on various information security and privacy topics with ready-made content for campus communication channels. The campaign provides the CISOs – and any other information security awareness heroes – with the tools they need to quickly and easily communicate with the campus community on cybersecurity and privacy topics. All of the materials in the campaign are created with a campus community in mind and can be adapted to meet a college or university’s unique communications needs. The prepared content helps leaders create a steady stream of awareness information for students, faculty and staff, not only securing campus resources but also providing our digital citizens with tools necessary to help make the internet safer for all.

[1] The hero’s journey is a familiar one, best popularized by Joseph Campbell in The Hero with a Thousand Faces (1949).

[2] EDUCAUSE. Information Security Almanac 2017, available at: (May 2010).

[3] Grama, Joanna L., and Leah Lang. CDS Spotlight: Information Security, available at: (August 15, 2016).

[4] CDS Spotlight: Information Security (August 15, 2016).

[5] CDS Spotlight: Information Security (August 15, 2016).

[6] Forthcoming September 2017, The State of Higher Education InfoSec Awareness Programs, an EDUCAUSE Security Matters blog.

[7] Forthcoming September 2017, The State of Higher Education InfoSec Awareness Programs.

[8] Forthcoming results, 2017 EDUCAUSE study on students and information technology.

[9] Forthcoming results, 2017 EDUCAUSE study on faculty and information technology.

About the Authors

EDUCAUSE is a higher education technology association and the largest community of IT leaders and professionals committed to advancing higher education. EDUCAUSE supports those who lead, manage, deploy and use information technology to anticipate and adapt to change, advancing strategic IT decision making at every level within higher education. The EDUCAUSE Cybersecurity Program supports higher education information security leaders and practitioners and provides vibrant community discussion and action on constantly evolving information security challenges and opportunities.

Joanna Lyn Grama is the director of cybersecurity and IT GRC programs for EDUCAUSE.

Jeffrey Pomerantz is a senior research analyst for EDUCAUSE.

Valerie M. Vogel is senior manager of the cybersecurity program for EDUCAUSE.

© 2017 Joanna Lyn Grama, Jeffrey Pomerantz and Valerie M. Vogel. This blog is licensed under Creative Commons BY-NC-SA 4.0.