Cyber Risk Strategy: Global Educational Institution
Business Challenges
These challenges are adaptive and technical:
Fierce competition from digital online learning platforms and other online educational and degree programs
Declining revenues and profits from lower enrollment numbers in several programs
Elevated cyber risk resulting from international expansion to Europe, Asia and Africa
Working with the CIO, with support from the Provost and Chancellor, we were engaged to help address the cyber risk challenges, which were central to addressing the other business challenges.
Outcomes - Strategic Value
Leveraged cyber security as a strategic asset and lever to address these challenges
Working with the independent board chair, we executed on the following:
Enhanced cyber risk identification and definition
12 critical gap areas previously undefined
Improved cyber risk mitigation
27 improvement project recommendations over the course of 2 years
Sustaining speed to value
Increased resource effectiveness and productivity
Increased cyber resiliency to minimize business disruption
Positive brand impact
Background - Context: Disruptive Forces Shaping Landscape
The education industry was, and arguably still is, in the midst of a transformation. Traditional educational institutions were facing competitive pressure from online educational programs, which drove down enrollment numbers and expected revenue: challenging enrollment, digital online alternatives, disruption of established educational and learning programs, and a push for more online digital learning options and platforms.
In response to these competitive forces, and to continue advancing the mission and vision of the institution, the Provost and Chancellor prioritized two important strategic initiatives.
First was continued global expansion with international campus locations in Europe, Asia and Africa, additive to existing locations in several US cities. A key element of this initiative was remote online learning capability. This was before the COVID-19 pandemic; the idea was to provide high-quality learning experiences for students regardless of their physical location.
Second, in response to the growing need for cyber security professionals and to meet the increased demand for training, upskilling and reskilling, they launched a cyber security program designed to give students relevant cyber security skills. This cyber program had begun to show promise in enrollment numbers and was attracting new students.
To support these business initiatives, the CIO had anticipated this change and was already embarking on several digital transformation initiatives, including a move to cloud-based services such as Office 365. He also realized, however, that this would require a more comprehensive and robust cyber strategy. They had some capabilities in house but needed a more external and independent perspective. Multiple projects were already under way.
The institution had a good brand reputation in the US and abroad, and business expansion to Europe, Asia and Africa, along with online learning platforms, was top of mind. Leadership was forward-thinking in recognizing that security could potentially inhibit growth and negatively impact speed to value. Additionally, negative headlines and press reports about potential cyber risks would not help in advancing the brand reputation or enrollment in the cyber program.
Narrative about the need and jobs to be done
With 30K active email accounts and 170K total email accounts across multiple international locations, the cyber risk landscape was significant.
The CEO and board chair believed a learning clinic would be beneficial as a first step in aligning board members and the management officers.
Role of the CIO
The CIO played an important role during this engagement by:
Taking the initiative to proactively seek an independent external perspective on cyber risk best practices and strategy
Effectively communicating the business benefits of building a cyber risk strategy aligned with the business
Engaging with other business leaders especially the dean of the business school and the cyber program
How We Helped
Our engagement with this client was meaningful in three broad categories or dimensions:
Cyber Risk Analysis
Recommendations - Sequencing & Prioritization of Risk Management initiatives
Strategy Board briefing
Cyber Risk Analysis - We evaluated the risks of the organization with special concentration on the implications of their international presence and growth objectives. We analyzed current and future technology assets, governance structure, data and application services, network architecture, IT and security operations, and business continuity. We aligned with industry best practices and frameworks such as the NIST Cybersecurity Framework and the CIS Controls, applying relevant elements from each to our analysis.
Recommendations - The expanding attack surface (over 30K active email accounts and 170K total accounts, meaning a large population of inactive accounts, which are rarely monitored and are a common target for account takeover) was a concern for leadership. Our analysis produced effective measures to manage and mitigate the risks, including proactive user awareness training, a secure cloud migration to Office 365, and establishing a vulnerability and threat management program that includes penetration testing.
Strategy Board Briefing - The institution convened a strategy board committee comprising the Provost, Chancellor, CIO, CFO and other officers to provide specific oversight of priority strategy initiatives. They believed it was important for this committee to receive additional context on the organization's strategic direction, and for its members to gain insight into vital elements of the cyber risk strategy we developed. At their request, we delivered an interactive and very engaging board briefing. The briefing covered the global threat landscape, both as it applies to the education vertical and as it applies to our client directly, and presented tangible, practical recommendations that the officers present could act on. To paraphrase the Provost, the briefing was eye-opening.
“We believe you can really help us with our global cyber strategy”
Lessons Learned
Maintain a global mindset with deliberate consideration for the local regions. Don't underestimate this principle.
The open nature of educational institutions poses an interesting challenge for risk management. Take care to maintain the right balance of security and usability.
Be especially mindful of critical-chain resources and client constraints. Anticipate client oversubscription before it happens.
Side Note: This was a unique engagement for us because one of our consultants also had the opportunity to train some of the students enrolled in the cyber program. Below is a comment from one of the students.
“I have been taught by many instructors at this University, and none prepares better for their lessons than you do. That combined with the gift you have for teaching, your ability to explain difficult concepts, and your genuine interest in our success make your classes the best in the program.”
Outcomes - Business Value Added
Our engagement with this client added business value in the following dimensions:
Risk visibility and definition
Risk reduction and avoidance
Cost efficiencies
Proactive support for global expansion
Foundational, expansion and maturity phases
Accelerating and Enabling the Business: Sustaining Velocity for Global Expansion
Speed To Value of Global Expansion - The client was able to sustain growth with a cyber risk strategy in place, rather than delaying or interrupting expansion because they had no plan for addressing cyber risks. There was a level of resilience in knowing that a plan existed and that an execution strategy was also well defined.
Advancing Brand Reputation - A strategic value derived from our engagement was also the advancement of the institution's brand as a top school for earning a degree from its cyber security program. The university had recently launched the cyber program and anticipated higher enrollment in it. The thinking was that the institution had to eat its own dog food: demonstrate credibility and model the right behavior for all relevant stakeholders.
A typical question was: where do we start, and what should we do?
Cyber Risk Mitigation and Resiliency - The cyber risk to the business was amplified by the international presence and the increasing expansion of digital initiatives. Going forward without a cyber strategy would have been unwise. The strategy helped our client understand their biggest cyber risk gaps and areas for improvement. It also provided an effective way for them to allocate resources (time, capital, talent) to mitigate these risks for the maximum payoff. Last, it offered a blueprint and roadmap for the near future with expected positive business outcomes.
For example, some of the international locations presented a disproportionate level of risk that required significant attention.
More than 10 critical strategic and operational gaps in our client's cyber security posture were remediated, reducing the risk associated with these structural elements. Each of these gaps included significant vulnerabilities that could have led to material intrusions or data breaches.
Service Quality - The institution went from having no NPS (Net Promoter Score) measurements to being intentional about service quality. The strategy focused on balancing security and risk management with user experience.