I recently returned from yet another amazing time at the EDUCAUSE Security Professionals Conference. Out of all of the different security conferences that I have had the good fortune to attend, and out of all of the conferences that have taken pity and allowed me to talk, the SPC continues to be one of my favorite events. Not only does the SPC boast outstanding presentations, but the hallway conversations, informal roundtable discussions during meals, and Birds of a Feather gatherings offer unparalleled opportunities to meet other security professionals in higher education and learn new, unique ways to address issues. I strongly urge all security professionals in higher education to beg, argue or barter for the funds needed to attend this yearly gathering.
The conference lineup this year was interesting. While there were the usual technically-focused talks, the majority of the talks did not center on specific technical topics. Instead, much of the conference was focused on building and maintaining a strategic information security program within higher education. There were sessions on building risk management programs, using frameworks to build information security policies and programs, creating standardized and measurable procedures, and even talks on how to leverage internal resources such as internal audits to help improve security posture.
Like many industries, information security grew up out of the IT departments at most colleges and universities. Unfortunately, many educational institutions still equate “network security” with “information security”, and information security is often still viewed as a technical issue. However, the presentations at this year’s conference clearly indicate that the viewpoint on information security is quickly changing at colleges and universities.
This shift in how information security is viewed within higher education speaks to the maturation of information security programs at many colleges and universities. Thankfully, the industry seems to be moving away from the misguided view that all institutions need is one staff member “doing security” to be secure. This type of growth and maturity of information security programs within higher education is a great sign that perhaps I will soon have nothing to report on Education Security Incidents.
Here, in no particular order, are the top three presentations out of the sessions I was able to attend. “An Auditor’s Perspective on Frameworks for Information System Security in Higher Education” by Erwin Carrow and Brian Markham was useful in teaching me that internal auditors can, in fact, be your friends. “Using the EnCase Field Intelligence Model in Assisting with Forensic Examinations” by Yu Chang, Tammy Clark, and William Monahan was useful in showing how Georgia State University handles requests for forensic investigation. “Mapping the Shifting Landscape” by Phillip Deneault and Brian Smith-Sweeney was useful in providing excellent quotes such as “Ready-Fire-Aim” and Brian’s poorly rendered yet still amazing image on the drivers and functions of an information security program.
Congratulations and thanks are in order for this year’s SPC program committee. These folks did an outstanding job.