EDUCAUSE CPPC 2022: Highlights

SaltyCloud Research Team

Updated May 21, 2022

TL;DR:

At EDUCAUSE CPPC 2022, the SaltyCloud team hosted a workshop, shared HECVAT assessment analysis, organized a networking event, and engaged with thought leaders and friends in the higher ed infosec community.

The SaltyCloud team attended the first in-person EDUCAUSE Cybersecurity and Privacy Professionals Conference (CPPC) in two years, and we did a lot! We hosted a dream team of higher ed infosec pros for a risk & compliance workshop, gave an updated analysis across 350 HECVAT assessments completed on Isora Lite from SaltyCloud, and hosted an infosec networking shindig at the SaltyCloud House.

We also learned from thought leaders across the community, reconnected with old friends, and made new friends. These are our highlights of EDUCAUSE CPPC 2022 (#CybersecPrivacy22).

Risk & Compliance Workshop

TL;DR:

SaltyCloud hosted a workshop featuring top infosec professionals discussing the evolution of IT risk management programs in higher education and sharing their experience using Isora GRC.

On Tuesday, May 3, 2022, we hosted a three-hour workshop titled “Evolving Risk and Compliance Landscape in Higher Ed: Implications for Building and Maturing an IT Risk Management Program” with a dream team of infosec pros: Cam Beasley, CISO at The University of Texas at Austin (UT Austin); Allison Henry, CISO at the University of California, Berkeley (UC Berkeley); Randy Marchany, CISO at Virginia Tech (VT); and Ryan Orren, IT Compliance Manager at VT.

While the panelists shared their experiences building and maturing their IT Risk Management programs with Isora GRC from SaltyCloud, they also had open-ended discussions with attendees on a range of hot topics. Here are the highlights of the discussion:

Securing resources for an IT Risk Management program

TL;DR:

A security breach can prompt leadership to invest in risk management, but learning from other institutions’ experiences and using penetration testing can also demonstrate the need for security investment.

While no organization wants to experience a security breach, Allison Henry noted that a breach was “always helpful” for convincing an institution’s leadership to invest in risk management initiatives. A less painful option was to “look to other institutions you know [that have been breached] and use their cautionary tales,” she said.

Cam Beasley added that penetration testing was a valuable tool for demonstrating the need to invest in security. Russia’s war on Ukraine was a timely reminder that nation-state activity against infrastructure, including Supervisory Control and Data Acquisition (SCADA) networks, was a growing threat, and of the need to bolster security around this infrastructure.

Implications of reputational damage

TL;DR:

The workshop also highlighted the significance of informing EDU leaders about the long-term reputational damage from breaches.

The workshop discussed the importance of ensuring EDU leaders knew the long-term implications of reputational damage—including drops in enrollment, donations, and even research grants—resulting from a breach. Data on this type of impact could be hard to come by, but documenting reactions on social media to a breach was one way of conveying the impact to senior management.

Weighing up risk tolerance

TL;DR:

EDU leaders are increasingly factoring risk tolerance into their decision-making process when considering investments in mitigation measures.

Cam noted EDU leaders had begun taking a more sophisticated view of risk management, with “risk tolerance of an incident…factoring more into our executives’ calculus” when they were faced with investing in mitigation measures such as network infrastructure to enhance Controlled Unclassified Information (CUI) compliance.

“They’re starting to ask ‘how much would an incident cost?’ to understand the delta between the investment versus taking on the risk,” he said.

Growing challenges with cyber insurance

TL;DR:

We also discussed cyber insurance concerns, emphasizing increasing costs, limited availability, higher deductibles, and costly mandatory controls.

Cyber insurance was a hot topic at the workshop, with concerns raised that costs were skyrocketing, fewer carriers were offering it, deductibles were rising, and carriers required EDUs to implement stricter, more expensive controls.

The panel shared several tips, including working with your broker to ensure they understand the full extent of your EDU’s current security posture, which may not necessarily be clear to the insurance provider.

Institutions were also encouraged to address any flags raised by cybersecurity rating companies such as BitSight and Security Scorecard. Minor changes were often all that was required to improve ratings, resulting in a flow-on impact on insurance premiums.

Approaching IT Risk Management as a smaller organization

TL;DR:

Smaller EDUs can initiate risk management programs with simple, cost-effective measures by focusing on mission-critical assets and starting with a manageable set of controls.

Ryan pointed out that smaller EDUs did not need expensive technology to kick-start their risk management program.

“[If necessary] implement something simple to start with,” he said.

“We (VT) started with just document-based assessments, and though that is ultimately not the long-term place we want to go, it was certainly helpful for the units that were completing those assessments.”

Cam added: “Focus on your mission-critical assets: your data center, your network, those areas first. And then maybe if you’re choosing NIST 800-53, choose the low bundle of controls. So you’ve got something you can chew on that’s not overwhelming. Start small and keep it simple.”

Faculty deep-dives

Allison at UC Berkeley and Ryan at VT shared their own unique stories about establishing an IT Risk Management program with Isora GRC from SaltyCloud on their campus. You can read their customer stories here:

HECVAT Analysis Presentation

TL;DR:

We also co-hosted a presentation discussing the analysis of 350 HECVAT vendor assessments across 40 EDUs, sharing insights on leveraging Isora GRC from SaltyCloud for an automated, reliable vendor risk management process.

On Wednesday, May 4, 2022, we co-hosted a presentation with Cam Beasley, CISO at UT Austin, titled “An Analysis of 350 HECVAT Vendor Assessments Across 40 EDUs.” At last year’s virtual conference, we presented the first iteration of this presentation with 250 HECVAT assessments completed on our free-to-EDU vendor assessment platform, Isora Lite from SaltyCloud. This year, we followed up on the success of that campaign with an expanded data set of new assessments, including the new HECVAT v3. Cam also discussed leveraging the HECVAT and Isora GRC from SaltyCloud (the enterprise version of Isora Lite from SaltyCloud) to build an automated and reliable vendor risk management process across UT Austin.

Highlights

  • Overall scores between completed HECVAT Full v2 and HECVAT Lite v2 were consistent.
  • Initial analysis of completed HECVAT Lite v3 compared to HECVAT Lite v2 shows lower scores. However, deeper analysis is required to assert whether it’s an actual phenomenon or just initial outlier data.
  • The IT Accessibility category is the most significant factor in a score’s downward shift.

If you missed the presentation, you can watch the recorded presentation on YouTube.

SaltyCloud House @ EDUCAUSE CPPC 2022

We hosted the SaltyCloud House @ EDUCAUSE CPPC, an infosec networking shindig. We had libations, snacks, and in-person connection. It was a great way to catch up with our customers, old friends, and new friends in the community. We can’t wait to get together again next year!

Other Highlights

Aside from the things we directly hosted or co-hosted, there were many excellent presentations by thought leaders we respect across the community.

The University of Chicago

Cornelia Bailey, Director of Information Assurance, Jessica Sandy, IT Risk Analyst, and Gabe McElwain, IT Risk Analyst, at the University of Chicago gave a presentation titled, “Introducing Annual Cybersecurity Assessments to an Obstreperously Decentralized Campus.” The team provided many insights from their experiences and successes deploying NIST CSF across their campus using Isora GRC from SaltyCloud. You can access their presentation deck, which contains a wealth of knowledge and resources!

HECVAT Updates

The HECVAT Core Team updated the community on the HECVAT and the recent release of v3. They provided some insights into the recent changes and also future plans. We’ve been following the project since the team launched it over five years ago, and we’re super happy to see where it’s evolved to today. You can access their presentation deck for more information.

CIS Controls

Cara Bonnett, Risk Assurance Manager at Duke University, and Randy Marchany, CISO at VT, gave a presentation titled, “Framework for the Future: Connect Dots and Build Bridges with the New CIS Controls.” Cara and Randy went over the recent v8 updates to the CIS controls and how and why their two individual campuses are using them to build cybersecure campuses. You can access their presentation deck for more information.

Conclusion

This year’s conference was a good one, and it was so refreshing to catch up in person with the community after two long years. The higher ed infosec community constantly inspires us, and we’re excited to continue supporting their mission through thought leadership, novel research, and software development.
