Educational institutions face a unique challenge in managing cyber risk: the very organizational structure that supports education and research can work against risk management. While the decentralized nature of educational institutions works well for research and learning, it can create silos from a risk-management perspective. Risk therefore needs to be quantified in terms that matter not only to the risk manager but also to finance, the board of trustees and the provost.
This can be achieved by undergoing the following exercise:
Everything translates into financial terms at the end of the day, so maintain the resources and financial ability to recover from a meaningful event. Strive to maintain the right balance of financial reserves and insurance to pay for as much as possible, or all, of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair or replacement of damaged assets, and other costs.
Since cyber risk management is a shared responsibility, benchmark against peers when possible. The rising-tide dynamic is the only means of staying as close to, or as far ahead of, the curve as possible in a world where standards and certifications can only provide a floor. All of the aforementioned components contribute to that dynamic: Are you as good as, or ideally better than, the median marker for the maturity of your cyber program? What is at risk from an exposure standpoint? Do you have the appropriate capabilities and financial resources to recover from an event?
These steps can provide CISOs with a means of communicating cyber risk to various stakeholders. By articulating the financial impact of an incident and presenting maturity levels in comparison with other institutions, CISOs can give higher education a framework for making cybersecurity and risk management meaningful.