Educational Institution Cyber Strategy
Our Work: Client Story
Global educational institution redesigns cyber risk strategy as it expands its learning experience to students around the world
Strategic Challenge
Our client, a global educational institution, realized that the institution’s cyber risk posture was not strong enough to support their strategic growth and that the rapidly changing cyber threat landscape posed significant risks to their business strategy. An important part of their strategic plan was expanding the digital learning experience to more cities around the world. However, cyber risks were expected to pose significant headwinds for this strategy, and we were therefore engaged to help.
Outcomes Achieved
Global Expansion & Resiliency: Improved cyber resiliency roadmap elements required to sustain global expansion
Cyber Governance: Established enhanced cyber governance practices for better risk management and accountability
Brand Reputation: Enhanced the institution’s brand reputation in alignment with its cyber educational degree programs and stakeholders
Background & Context
The business model and value-delivery models of universities and educational institutions are changing and have been for some time. The learning demands and requirements of prospective students continue to change as needs evolve from traditional degree programs to an omni-channel approach that supports the schedules of working individuals and a global workforce. Even before the COVID-19 pandemic, change was in the air, and our client, a large university, embarked on a compelling strategic journey to address global workforce needs on multiple continents.
However, their cyber risk posture was not strong enough to support their strategic priorities. The ever-evolving threat landscape posed significant risks to their business strategy. Working with the CIO, with support from the Provost and Chancellor, we were engaged to help address the anticipated cyber risk challenges, which were central and critical to the institution’s long-term success.
The principal task given to us was to develop a strategy that will produce the following outcomes:
Reduce the cyber risks associated with their global expansion
Strengthen cyber security posture in accordance with industry best practices
Enable secure cloud adoption for critical business applications
Proactively increase cyber risk awareness among students, faculty and other relevant stakeholders.
Cyber Risk Strategy
We evaluated the organization’s risks, concentrating on the implications of their international presence and growth objectives. We analyzed current and future technology assets, governance structure, data and application services, network architecture, IT and security operations, and business continuity. We aligned with industry best practices and frameworks such as the NIST Cybersecurity Framework and CIS Controls, and applied relevant elements from each to our analysis.
The institution convened a strategy board committee comprising the Provost, Chancellor, CIO, CFO and other officers to provide specific oversight over priority strategy initiatives. They believed it was important for this committee to provide additional context on the organization’s strategic direction as well as for the members to gain insights from vital elements of the cyber risk strategy that we developed.
In accordance with their request to provide a briefing, we delivered an interactive and very engaging board briefing. The briefing covered the global threat landscape specific both to the education vertical and to our client directly. It also presented tangible and practical recommendations for actionable awareness for the officers present. To paraphrase the words of the Provost, this briefing was eye-opening.
Side Bar - Redefining Cyber Risk Strategy
An organization’s cyber strategy is not just the cyber framework, or the cyber practices and principles adopted by the organization. These elements are required and crucially important, but they do not constitute an effective cyber strategy. They are quarter-inch drills that can make quarter-inch holes, but the valued framed picture is still missing.
They are tools that facilitate and help achieve cyber outcomes, but they do not purposefully shape or drive business outcomes themselves. We believe cyber strategy is about strategic choices that drive business outcomes and value, not the toolsets (such as frameworks, maturity models, etc.). See the guide below to learn more.
As part of our engagement we conducted a risk profile analysis that was aligned with the business need. This risk profile informed the risk tolerance decisions for the strategy board and the operational requirements for the cyber strategy. It also captured the business implications of the cyber risks facing the organization. The profile itself was influenced by several critical factors including:
Open environment to support increased collaboration
Business is powered by IT services that are critical to business operations
Business operates in a regulatory compliance environment (PCI, HIPAA, FERPA, GDPR)
Business expansion in foreign countries (The Netherlands, Switzerland, Austria, Georgia, China & Thailand)
Increased business focus on Cyber security program
The expanding attack surface (over 30K active email accounts and 170K total accounts) was a concern for our client, as was preserving the relatively open environment required by faculty and student research. The strategy we developed provided specific and practical recommendations for the following:
Security management and operations
Incident response and recovery
Security architecture and engineering
Secure Cloud migration and cyber governance
Vulnerability management and penetration testing
User awareness and cyber security training
Program structure, resource definition/allocation and staffing recommendations
The strategy helped our client understand their biggest cyber risk gaps and areas of improvement. It also provided an effective way for them to allocate resources (time, capital, talent) to mitigate these risks and achieve the maximum payoff. Last, it offered a blueprint and roadmap for the near future with expected positive business outcomes.
Success Factor - The CIO
The CIO played an important role during this engagement by:
Taking the initiative to proactively seek an independent external perspective on cyber risk best practices and strategy
Effectively communicating the business benefits of building a cyber risk strategy aligned with the business
Engaging with other business leaders, especially the dean of the business school and the cyber program
Building alignment of priorities with the Provost and Chancellor
Value Impact For Our Client
1. Enhanced Risk Mitigation: 27 risk mitigation items for a better cyber posture
2. Improved Brand Protection: 12 unknown critical gaps, previously undefined
3. Increased Operational Resilience: Cyber resilience for scaling global growth
This was a unique engagement for us because one of our consultants also had the opportunity to train some of the students enrolled in the cyber program. Below is a comment from one of the students.
“I have been taught by many instructors at this University, and none prepares better for their lessons than you do. That combined with the gift you have for teaching, your ability to explain difficult concepts, and your genuine interest in our success make your classes the best in the program”
Client’s Enrolled Cybersecurity Student