Educational Institution Cyber Strategy

Our Work: Client Story

Global educational institution redesigns cyber risk strategy as it expands its learning experience around the world

Strategic Challenge

An educational institution was focused on delivering a global learning experience for its students and all was going well, until digital competition and cyber threats intensified. The leaders realized that the institution’s cyber risk posture was not strong enough to support their strategic growth and that the rapidly changing cyber threat landscape posed significant risks to their business strategy.

Outcomes Achieved

  • Global Expansion & Resiliency: Improved clarity of cyber resiliency roadmap elements required to sustain global expansion

  • Cyber Governance: Established enhanced cyber governance practices for better risk management and accountability

  • Brand Reputation: Enhanced institution’s brand reputation in alignment with its cyber educational degree programs and stakeholders

Background & Context

The value that universities and educational institutions provide is changing, and has been for some time. The learning demands and requirements of prospective students continue to change as needs evolve from traditional degree programs to an omni-channel approach that supports the schedules of working individuals and a global workforce. Even before the pandemic, change was in the air, and our client, a large university, embarked on a unique strategic journey to address the global workforce needs in multiple continents.

However, their cyber risk posture was not strong enough to support their strategic priorities. The ever-evolving threat landscape posed significant risks to their business strategy. Working with the CIO, with support from the Provost and Chancellor, we were engaged to help address the anticipated cyber risk challenges, which were central and critical to the institution’s long-term success.

The principal task given to us was to develop a strategy that will produce the following outcomes:

  • Reduce the cyber risks associated with their global expansion

  • Strengthen cyber security posture in accordance with industry best practices

  • Enable secure cloud adoption for critical business applications

  • Proactively increase cyber risk awareness among students, faculty and other relevant users.

An educational institution was facing competitive pressures from digital online learning platforms and other online educational/degree programs. An important part of their business strategy was global expansion as well as an expanded online learning experience. However, their cyber risk posture was not strong enough to support their strategic priorities. The ever-evolving threat landscape posed significant risks to their business strategy. Working with the CIO, with support from the Provost and Chancellor, we were engaged to help address the cyber risk challenges, which were central and critical to addressing the other business challenges.

Our engagement with this client was meaningful in three broad categories or dimensions:

Risk visibility and definition

Risk reduction and avoidance

Cost efficiencies

Proactive support for global expansion

Foundational, expansion and maturity phases

Accelerate/Enabling The Business/Sustain Velocity for Global Expansion

Speed To Value of Global Expansion - The client was able to sustain growth with a cyber risk strategy, as opposed to delaying or interrupting expansion because they didn’t have a plan for addressing cyber risks. There was a level of resilience in knowing there was a plan and that an execution strategy was also well defined.

Advancing Brand Reputation - A strategic value derived from our strategy engagement was also the advancing of the institution’s brand as a top school for earning a degree from its cyber security program. The University had recently launched a cyber program and anticipated higher enrollment in this program. The thought was that we have to eat our own dog food, demonstrate credibility and model the right behavior for all our relevant stakeholders.

A typical question was: where do we start, and what should we do?

Cyber Risk Mitigation and Resiliency - The cyber risk to the business was amplified by the international presence and increased expansion of digital initiatives. Going forward without a cyber strategy would be unwise. The strategy helped our client understand their biggest cyber risk gaps and areas of improvement. It also provided an effective way for them to allocate resources (time, capital, talent) to mitigate these risks to achieve the maximum payoff. Last, it offered a blueprint and roadmap for the near future with expected positive business outcomes.

For example, some of the international locations presented a disproportionate level of risk that required significant attention.

More than 10 critical strategic and operational gaps in our client’s cyber security posture were remediated, thus reducing the risk associated with these structural elements. These all included significant vulnerabilities that could lead to material intrusions or data breaches.

Service Quality - The client went from no NPS measurements to actually being intentional about quality. The strategy focused on balancing security and risk management with user experience.

Healthcare organizations are seeking to focus on patient care and service delivery quality. Information Technology (IT) and ever-changing cyber risks are a critical part of that patient-care and service delivery equation. Our client, a healthcare organization, was keenly aware of this critical role and as such prioritized cyber security as part of their strategic plan.

Although the institution had previously implemented what they believed were sufficient cyber risk controls and a strategy that included prevention, detection and response capabilities, they experienced a close call (a significant intrusion incident) that prompted a review and evaluation of the existing strategy and capabilities.

Fortunately, the intrusion didn’t compromise patient health records. After the incident, the organization engaged us to help answer some key questions, including:

  • How do we detect cyber intrusions proactively?

  • How do we know if we have the right solutions and strategy in place?

  • Where are our significant risk areas?

  • What should our future cyber security strategy look like given our growth trajectory?

  • How will our cloud migration and adoption change our risk profile?

Cyber Risk Strategy

We evaluated the risks of the organization with special concentration on the implications of their international presence and growth objectives. We analyzed current and future technology assets, governance structure, data and application services, network architecture, IT and security operations and business continuity. We aligned with industry best practices and frameworks such as NIST cyber framework and CIS controls and applied relevant elements from each to our analysis.

The institution convened a strategy board committee comprising the Provost, Chancellor, CIO, CFO and other officers to provide specific oversight over priority strategy initiatives. They believed it was important for this committee to provide additional context on the organization’s strategic direction as well as for the members to gain insights from vital elements of the cyber risk strategy that we developed. In accordance with their request to provide a briefing, we delivered an interactive and very engaging board briefing. The briefing covered the global threat landscape specific both to the education vertical and to our client directly. It also presented tangible and practical recommendations for actionable awareness for the officers present. To paraphrase the words of the Provost, this briefing was eye-opening.

Side Bar - The expanding attack surface (over 30K active email accounts and 170K total accounts) was a concern for the leadership, and our analysis produced effective measures to manage and mitigate the risks, including proactive user awareness training, secure cloud migration to Office 365, and establishing a vulnerability/threat management program that includes penetration testing.

To provide meaningful answers to these questions, we completed a comprehensive assessment and analysis of the functional areas, critical assets, digital services and operations processes including interviews with third-party service providers.

This assessment yielded some material gaps that were previously unknown to the client. Some of the gaps discovered were in the areas of asset management, cloud adoption/migration, cyber governance, threat/vulnerability management, data protection, cyber and user awareness training.

We developed a strategy with specific recommendations to help close these gaps in order of priority and in accordance with the organization’s risk profile and business objectives. In essence, we helped them develop a good cyber risk strategy that strengthened their current and future security posture.

We’re very glad that you’re here. We’re getting way more value than we expected
— CEO: Healthcare Organization

Our engagement was extended to include the execution of critical elements of the strategy recommendations. These included significant outcomes such as improved recovery time from cyber incidents, which minimized disruptions in patient care and service delivery, and increased value from new cyber capabilities at a lower cost than in previous years.

Our client clearly got more value for less money. Lastly, a positive employee/user experience resulted in sustained productivity gains from cloud services with enhanced security. The new strategy did not cripple employee productivity by making them jump through hurdles to get their work done but instead enhanced the experience for employees.

We achieved these outcomes by defining and guiding the implementation of cyber risk capabilities such as incident response and recovery, cloud security, cyber awareness, third-party provider risk management, security oversight and audits, penetration testing, architecture reviews and cyber insurance policy evaluations.

Success Factors

Our client’s role in the success of their cyber risk strategy and its associated business outcomes was significant, and these were the critical success factors that informed their role:

  • The CEO: Prioritizing personal and proactive engagement with our team

  • The Board: Establishing and securing support from the board of directors

  • The Culture: Leaders modeling cyber-priority behaviors and culture for the rest of the organization

  • Employee Engagement: Employees’ desire to learn about cyber risks


Customer Impact

  1. Operational Resilience: Improved recovery time from weeks/days to hours

  2. Financial Value: Increased financial value for cyber capabilities

  3. Cyber Security Culture: Elevated cyber cultural norms and values


“Omega316’s engagement with us exceeded my expectations, as did the overall experience. They were engaged and committed to our project and outcomes and highly responsive to our needs and concerns. They had strong expertise and shared freely without condescension.”

CEO - Healthcare Organization
