Cybersecurity Governance: Why it Pays to Involve Decision-Makers in Protecting Your Institution

For educational and research institutions, cybersecurity breaches are costly. In 2020, IBM estimated that a single attack costs institutions an average of $5 million. Moreover, these attacks can have far-reaching consequences: compromising researchers' data, interrupting exams or class time, or exposing users' sensitive academic records.

These challenges have only increased during the pandemic. In spring 2020, IT teams were thrust into high gear as they were called on to provide tens of thousands of users with remote access to vast institutional infrastructure, all while managing a surge in phishing attacks, up by 600 per cent according to one report. Seizing the moment, attackers tried to wreak havoc on newly established work-from-home infrastructure and sought to capitalize on users' increased willingness to click on unfamiliar links promising information about COVID-19, among other tactics.

To respond to these challenges, ORION staff worked closely with members of the Ontario Cybersecurity Higher Education Consortium (ON-CHEC). Through this forum, ORION provides member organizations, such as Laurentian University, OCAD University, Wilfrid Laurier University and Cambrian College, with expert cybersecurity advice and support as well as co-created, shared templates and frameworks.

At the outset of the pandemic, the consortium deepened its focus on one key aspect of the work – strong cybersecurity governance. In this blog post, we’ll outline some of the cybersecurity governance supports available to ON-CHEC members; and in a subsequent post, we’ll outline the supports available to all ORION constituents.

Why cybersecurity governance?

When it comes to protecting digital infrastructure, we often focus on security management: the specific tools, practices and processes that protect cyber infrastructure.

But cyber governance – the decision-making practices related to digital infrastructure – is just as important. Effective cyber governance means clearly defined roles and accountability for digital infrastructure and information assets. It also means providing boards and senior leadership with the information they need to make good decisions about protecting digital infrastructure and the crown jewels of the organization.

During the pandemic and beyond, the difference between effective and ineffective cybersecurity governance is significant, and it can be measured in dollars and in reputational impact.

How ORION’s ON-CHEC program is helping institutions to improve their cybersecurity governance

Over the last year, ORION has worked with ON-CHEC members, offering improved communication tools and expert cybersecurity advice to support strong security governance. These initiatives have paid off considerably for members: increasing leadership's knowledge of risks, increasing budgets for IT infrastructure, and creating mandates for new and improved processes.

[Infographic: cybersecurity services provided by ON-CHEC]


Communication Tools: Executive Security Dashboard – Laurentian University

In Sudbury, the IT team at Laurentian University realized that they needed a better way to communicate cybersecurity risks to the institution's executive leadership. With ORION's support through the ON-CHEC program, they adopted ON-CHEC's executive security dashboard, a tool that captures cybersecurity key performance indicators (KPIs) and gives leadership a plain-language snapshot of the institution's security posture to support evidence-based decisions.

“I have been using the executive security dashboard as a means to report on security risks and KPIs to the executive leadership,” said Luc Roy, Associate Vice President of IT at Laurentian University. “This has provided our executive leadership with more visibility into the state of our cybersecurity and laid the foundation for an increase of our cybersecurity budget.”

Expert Advice: Business Case & Presentation – OCAD University

At Canada's largest art, design and media university, the IT team knew they needed to convey the operational risks and opportunities associated with an improved cybersecurity posture. To help, they drew on the support of Farooq Naiyer, ORION's Chief Information Security Officer, through the ON-CHEC program. While all ON-CHEC members have access to a technology risk management framework and tools, Naiyer's advisory time supported the creation of a business case for developing a new technology risk framework for OCAD University. Naiyer also presented the benefits of the initiative to OCAD's senior leadership.

“Farooq provides tremendous value as a shared CISO,” said Alastair MacLeod, CIO of OCAD U. “He provided important guidance and advice that will help planning for our institutional risk assessment review.”

Communication Tools: Cybersecurity Project Prioritization Template – Cambrian College

At Cambrian College, the IT team needed support in communicating critical cybersecurity priorities to top leadership. Through their ON-CHEC membership, they used advisory support to create a template for prioritizing cybersecurity projects, one that scores each project by the severity of the threat it addresses and by its alignment with organizational strategy.

“This tool gives me the information that we need to move forward on the projects of greatest value for the college,” said Rick Daoust, CIO of Cambrian College. “I credit the Ontario Cybersecurity Higher Education Consortium with the guidance for improving our ability to make data-informed decisions – a key component of governance.”

Frameworks: Cybersecurity Controls Selection – Wilfrid Laurier University

Wilfrid Laurier University wanted to use an established cybersecurity framework as the basis for its cybersecurity roadmap and applied its ON-CHEC advisory time to the selection. Farooq Naiyer worked with the security team to assess the options and identify the best fit for the size and type of the organization and its current cybersecurity posture. They settled on the CIS 20 Controls, a manageable, prioritized set of 20 best practices.

“It has helped us prioritize our projects and effectively communicate to senior leadership,” said Greg Cudmore, Information Security Officer and Team Lead, at Laurier.

ON-CHEC Skill-Building Webinar

After reviewing ON-CHEC members' cybersecurity self-assessments and recognizing a common need, we hosted a webinar in December to help all members build their governance skills. Participants were invited to revisit their existing cybersecurity governance strategy and to develop an improved approach for managing their programs. They were also guided in creating a security matrix for each program or project, giving ON-CHEC members a consistent way to report on key initiatives. The session helped more than 30 members move the needle on cybersecurity governance at their institutions.

Looking Ahead: Cybersecurity Governance in 2021

Through the pandemic and beyond, institutional leaders must confront the reality that cyber attacks will remain a constant and ever-evolving threat. Being the target of an attack is not a question of "if" but of "when" and "with what level of sophistication".

Fortunately, institutions do not have to face this threat alone. Through ORION, institutions across our sector support one another in developing the skills, knowledge and processes needed to protect themselves and their constituents.

As you firm up your plans for the coming year, we invite you to learn more about ORION’s cybersecurity services and how we can support your leadership to practice good cybersecurity governance in 2021.