Trusteeship Podcast Episode 26: Cyber Risk Oversight for Higher Education Boards

Podcast

Aired: January 21, 2022

Cyberattacks on colleges, universities, and foundations have become more frequent, more sophisticated, and more dangerous. Governing boards must recognize that these are enterprise-level risks, not simply an IT issue. AGB’s new publication, Cyber Risk Oversight for Higher Education Boards, developed in partnership with the Internet Security Alliance (ISA) and American International Group, Inc. (AIG), provides governing boards with five core principles that boards need to oversee their institution’s cybersecurity.

In this podcast, Morgan State University President David Wilson, EdD., and Internet Security Alliance President Larry Clinton discuss with former AGB President Henry Stoever Cyber Risk Oversight for Higher Education Boards and what higher-education governing boards need to understand in order to adequately and successfully oversee their institution’s cybersecurity.


Introduction:
Welcome to the Trusteeship Podcast from AGB, the Association of Governing Boards. We cover everything higher education leaders need to know about the challenges facing our nation’s colleges and universities. More important, we provide the facts and insight you need to solve those challenges and to be the storytellers and advocates higher education needs.

Today, we’re talking about AGB’s new publication, Cyber Risk Oversight for Higher Education Boards, which was developed in partnership with the Internet Security Alliance and AIG.

Higher education is not immune to cyber attacks, which, when successful, can compromise an institution’s reputation, result in substantial financial payouts, undermine its credit status, and foment legal challenges—to say nothing of impeding an institution’s fundamental capacities for teaching, learning, and research.

Given the seriousness of these potential harms, governing boards must recognize that cyber risks are enterprise-level risks, not simply an IT issue.

Henry Stoever is AGB’s president and CEO and today he’s talking with Morgan State University President Dr. David Wilson, and Internet Security Alliance President Larry Clinton, about what higher-education governing boards need to understand to adequately and successfully oversee their institution’s cybersecurity.

Henry:
My name is Henry Stoever and I’m the president and CEO of AGB, the Association of Governing Boards of Universities and Colleges. As you know, cyber attacks are a persistent threat to colleges, universities, and institutionally related foundations. The operations of colleges and universities involve a tremendous amount of valuable data such as academic and classroom data, financial information, health records, detailed research outcomes, donor information and gift agreements, delicate contract negotiations, and more.

These are but a few types of information that colleges, universities, and foundations collect and produce from millions of students, faculty, staff, alumni and donors every year.

The core functions of colleges and universities involve sharing information and collaborating across campus to educate students and develop research. The intrinsic qualities of higher education force leaders to provide a nuanced balance between stakeholder needs and security requisites. AGB published this book to educate, empower, and inspire board members to proactively engage in conversations with their chief executives and leadership teams around the topic of cyber risk.

I am honored today to be joined by Dr. David Wilson, the president of Morgan State University, and by Larry Clinton, the president of the Internet Security Alliance, i.e. the ISA. David and Larry, thank you both for participating in this podcast. I’ll start with a question first for Larry, who was instrumental in writing this new publication with AGB.

Larry, your team at the ISA and you have worked with boards and teams from organizations around the world to develop leading practices to help oversee and manage cyber risk. Why is a publication about cyber risk for higher education boards needed, and why now?

Larry:
Well first of all, Henry thank you for giving ISA the opportunity to work with AGB on this handbook. And I want to congratulate you and the AGB team for all the great work you’ve done. The reason that I believe that this handbook is particularly important at this moment is that all organizations, including colleges, universities, and other institutions, are currently under tremendous pressure from cyber attack.

There is a myth in some quarters that you can be small enough that the attackers will not notice you and they’ll leave you alone. That is a myth. All of these institutions, as you say have tremendously valuable data, intellectual property, cutting-edge research, student data, financial data, and this is all very valuable for the criminal community.

What we need to do now, is to engage colleges and universities at the top level and have a more comprehensive cyber risk management program instituted. In order to do this, just as the corporate boards needed greater education, so do colleges and university boards of governors.

There’s another myth that I think we need to lance with this particular program, and that is that cybersecurity is something that kind of bubbles up in an organization from the IT department. That’s a myth. It doesn’t work. Cyber risk management needs to come down from the board of directors through the entire organization.

Henry:
Thank you Larry, much appreciated. David, I’d love to hear your perspective as a university president. Why do you think that such guidance is needed now? And how can it help to educate, empower, and inspire board members to proactively oversee cyber risk with you and your fellow presidents and chief executives, and their leadership teams?

David:
Henry, that’s a very good question, and before I dive right in, let me also join Larry in thanking you and AGB for having me on such a timely discussion on this topic.

From my perspective as a university president, this guidance is needed now more than ever and the publication that Larry has put forth could not have come at a more opportune moment. With all the hacking situations that at least I have seen across the higher-ed circuit, it seems that of course, what’s the major motivation? It’s money.

And higher education institutions—be they big institutions, small institutions, or regional institutions—seem to be the right targets for some of these cyber attacks. And you asked a question, why?

It’s the research information, the intellectual property that some of these hackers are thinking can be commoditized—this is very important guidance that is being provided to us, and of course, we have to ensure that our faculty, and staff, our board, that everyone’s aware of what these dangers are and that security awareness training is provided to all of our constituents. That’s essential because the security chain is only as strong as its weakest link.

I think it’s important for the higher-ed community to know that a hacker is always looking for that weakest link in order to gain access to our network. I think that board members need to be aware that cybersecurity is a strategic risk, and it’s not just an IT risk, it’s not a management problem, it’s not a personnel problem, and it’s important for the board to set that tone, that tone of expectation across the entire campus.

Henry:
Thank you David, I appreciate it. For our listeners, this publication is on the AGB website; when you read it you’ll see that there are five principles laid out in there. And the very first one defines cybersecurity from a board perspective as a strategic enterprise risk, and not an IT risk.

So, Larry, why do you think principle number one is what it is—to define cybersecurity as a strategic enterprise risk, and not an IT risk?

Larry:
Yeah, so it is not just an IT risk; obviously, cybersecurity has an IT component to it.

If you talk about vulnerabilities, there’s a lot of talk about technical vulnerabilities, and there are a lot of technical vulnerabilities. But of all of these vulnerabilities in the system, the number one vulnerability is the people. So the human resources department is just as important in your overall cybersecurity program as is the IT department.

It is an enterprise-wide, strategic function.

It needs to be woven into everything the university and college does because it is impacting everything that the college and university does. What the handbook does is that it uses that first principle, that it is not just an IT issue, it’s a strategic issue, and then develops how the organization from the board down needs to organize itself, and what the appropriate roles and responsibilities are so that the entire organization can take on an effective role in assuring comprehensive cybersecurity.

Henry:
Thanks Larry, appreciate it. And I take it back to some of my board meetings with the AGB board, when we talk about cyber risk oversight, or cybersecurity with the AGB board, at least semi-annually. So using that as a kind of a springboard, David, I’d love to get your perspective on the board’s level of engagement.

What I’m curious to hear from your perspective, David, is how involved should board members be, boards and their members be in cyber risk management? Clearly, the team manages the risk, the board oversees the risk, but how involved should a board be as it collaboratively manages that risk with the leadership team?

David:
Henry first of all, I really appreciate the prelude and the context, and because certainly from my perspective, I too do not believe that the board should be micromanaging this area.

The board’s role, it seems to me, is in approving the policies around an enterprise risk management approach that, I think would be consistent with what the university’s overall appetite is, and their university overall strategy is.

And so that’s keeping the board clearly in a policy lane, of making sure that they are understanding of the enterprise, and that the policies are being developed that are in concert with the university’s appetite for risk. The president and the administration, they hold the primary responsibility for the identification and the management of the risk, for implementing the ERM strategy, and then the administration must ensure along the way that, in my view, the implementation of the risk management principles is consistent across the entire institution.

The way I see it, in a lot of ways is, similar to how we handle that here at Morgan State. At the board level, we do have a committee, it’s called the Audit and Institutional Assessment Committee. And that committee functions much like I have just described. It is a committee that is asking us the right questions, and so it’s certainly, we have a responsibility as presidents and chancellors, to make sure that our board is well aware of what is happening in this space. And I think as a board member, they too have a responsibility to make sure that they understand what’s going on in this space.

And when you have that kind of understanding, I think it’s important for board members to know what questions to ask. And, therefore, based on the feedback they get from their president, or chancellor, or the administrators, they know what to do with that.

What’s the risk and how are we preparing, and then, if indeed that is not happening, then perhaps some kind of outside expert initially could be brought in to help the university to develop an approach to managing this risk. And then once that happens, I would think then that the president or chancellor could very well share that assessment, and share the recommendation in terms of the way forward, perhaps with the executive committee of the board, initially. And then, if you will, with the entire board. And then you need to come to some kind of consensus then, as to what would be a way forward that would be applicable to that institution, with an understanding clearly that the role of the board is not, if you will, to administer the risk approach, it is oversight. And that’s where you start again.


Henry:
Well thank you so much, David, great perspectives. I really liked your approach that presidents should first engage with their cabinets, formulate an initial game plan, and then, share that with your executive committee, make sure that that game plan has support, and then bring it to the full board as well.

Larry, one of the things that David mentioned was having access to cybersecurity expertise. Do boards need to have a cybersecurity expert, one or more on their board? What are your thoughts on that Larry?

Larry:
Well, unfortunately, Henry, first of all, there aren’t enough cybersecurity experts for all of those boards. The other question that I would have is, what are you using as a definition for cybersecurity expert? If you have this controlled by an IT guy who you put on your board, you’re just going to get IT solutions. And you need a much broader perspective.

I think the way we would define it is we distinguish between the roles and responsibilities. And I think you’re right, you know, the board needs to get together and set up a game plan.

The way we put it is, not every board member needs to be a financial expert, but every board member needs to know how to read a financial statement. And they need to be able to ask the appropriate questions, to engage in that risk oversight process that David just described. And that’s what the AGB handbook does: it provides board members with the right questions so that they can take on their role as the coaching team, if you will.

That’s the approach I would take, rather than trying to go out and find some cybersecurity, so-called expert and put them on the board. Sometimes a little knowledge is a dangerous thing. And you get one board member who’s looked at as the expert, and everything gravitates towards that one person, and that takes it away from that full enterprise-wide, board-wide perspective that David just described.

I would suggest that people read the AGB handbook, and follow through. Because what the handbook does is it illustrates the roles for the board as a board, and then what are the roles that the board needs to work with management on. And those two major roles are the board needs to be working with management to make sure that an appropriate structure, a structure digitally sensitive, is created to manage overall cyber risk, not just the IT component, but all those other components we’ve talked about.

And then the last thing that management needs to provide to the board is a sophisticated cyber risk assessment, that takes all these considerations into effect. So as David points out, the board can then properly assess the appropriate cyber risk appetite, and provide the appropriate resources to the management team, the players on the field, so that they can carry out the game plan.

I think that kind of approach is much more effective than just defaulting to having one individual pick this out. You need a leader, of course, but not one individual who’s the expert. That’s, I think, the wrong way to go.

Henry:
Great insights, thank you, Larry. David and Larry, I want to wrap up here and thank you so much for your time. But before we wrap up, what do you think, and I’ll start with you, David, if you were, for your colleagues, your fellow presidents and chief executives around the world, what would you suggest that they start doing upon, you know, hitting the stop button on the podcast?

David:
Well, first of all, for institutions that have not done this, I would start with perhaps instituting a university-wide training program for all of the staff and faculty at the institution. I would suggest that, perhaps, Larry’s handbook is required. And that each institution president or chancellor might give it to a board member or two to review, and that, of course, could lead to, I think, a healthy conversation at the board level about the readiness on the part of the institution to try and mitigate, you never really eliminate, the risk.

And then perhaps use some of the strategies outlined in this incredible handbook, as a way of determining how best the university should approach this going forward.

Henry:
Thanks David, you really kind of caught me there, because I did say, if they haven’t done anything, what should they start doing? I would imagine most of your presidents and boards have done quite a bit already. It’s about what should they do to elevate their game to the next level. So thank you so much for those insights.

Larry, closing thoughts, sir. What would you suggest our listeners do after they hit the stop button on this podcast?

Larry:
I would say, read the handbook; the whole board should have a discussion about those five principles, so that the board understands what they need to be doing. There is virtually nothing, I would assert, that is a higher board responsibility for a college or university than understanding and guiding the management of the cyber threat, because, as I say, it affects absolutely every aspect of college and university life. This is what the board needs to focus on.

So that’s where I would go: before you hire the training program, before you bring in the outside consultants, before you buy new software, you may wind up doing all that kind of stuff. But the first thing the board needs to do is understand the problem from the board perspective and then begin to develop their own unique plan.

Henry:
Wow, thank you so much, Larry and David. I sincerely appreciate your time, your wisdom, and the insights that you’ve shared with our listeners today. And for our listeners, thank you for your time as well. Our goal is to help you, to help boards and board members, to educate you, empower you, and inspire you to serve as strategic thought partners, and in this case, it’s all about overseeing cyber risk.

Thank you all again and have a great day.

Closing:
David, Larry, and Henry, thank you for joining us today and for your thoughtful insights on the role of higher-education governing boards in approaching cybersecurity as an enterprise-level risk. Cyber Risk Oversight for Higher Education Boards is available to order, and as a free ebook download for AGB members, at AGB.org/cyber.


Speakers

Larry Clinton

Larry Clinton is the president of the Internet Security Alliance (ISA), an international trade group focused on thought leadership, public policy, and promoting the use of effective cybersecurity standards and practices. Clinton advises industry and government officials and has briefed NATO, the OAS and G-20 and the US Congress on cyber policy.

Henry Stoever, AGB President & CEO

Henry Stoever served as AGB president and CEO from 2019-2023. In that capacity, he oversaw leadership and operations of the organization serving more than 1,300 boards representing more than 40,000 individual trustees across more than 2,000 member institutions around the world.

Dr. David Wilson, Morgan State University President

David Wilson, Ed.D., is the president of Morgan State University (MSU). He holds four academic degrees: a B.S. in political science and an M.S. in education from Tuskegee University; an Ed.M. in educational planning and administration from Harvard University; and an Ed.D. in administration, planning and social policy, also from Harvard. Prior to MSU, Wilson served as the chancellor of both the University of Wisconsin Colleges and the University of Wisconsin–Extension.
