Confronting cybersecurity risk is a challenge that looks much the same to all
Contributed by Bob Gagné, Cybersecurity Advisory Committee Chair
As I write this, in mid-December 2020, news is rolling out about the Solar Winds breach – a security compromise of seemingly unprecedented scope and scale. While this incident is uniquely significant, it is only one prominent tip of a very large iceberg of a problem. And one that has grown steadily over the years with no sign of stopping. Today, information security risk has become a dominant (perhaps ‘the’ dominant) issue for information technology leaders and one that almost always commands the attention of governing boards.
Any CIO in our research and education community will also know the structural challenges of effectively managing information security risk – large, diverse groups of often transient computer users; a culture of openness; limited “command and control”; and — a persistent and often acute shortage of resources (human and otherwise). Add to this the heightened potential impact of any cybersecurity incident as information technology becomes increasingly critical to the success of our organizations – something very evident in the pandemic response and moves to online learning and remote work.
What are we to do?
When I joined York University in 1999, I quickly came to appreciate that one of the most powerful and unique strengths of the R&E community was the nature of that community itself. The sharing, support and collaboration that exists within higher education I.T. is exceptional and something that I valued and relied upon throughout my 18 years at York.
While every institution in the R&E sector is unique, confronting cybersecurity risk is a challenge that looks much the same to all, whether a larger research university or a small regional college, the means and strategies to meet the challenge and our progress in doing so differ, but fundamentally we are all on the same path and in facing the challenges of information security management, I believe we can all find strength within our community.
CANARIE’s current mandate includes an increased and significant commitment to supporting cybersecurity related initiatives within the R&E community through investments in cybersecurity capability and capacity – guided by a unifying national vision and strategy developed along with the community. I was a very strong supporter of this work during my time on the CANARIE board (2014-2020) and we on the board recognized the important role that CANARIE could play through broad national alignment and providing funding for cybersecurity initiatives; however, we also knew that CANARIE can only complement, not replace, the ongoing rigorous work being done by IT teams at institutions across the country.
There have been and will continue to be diverse and separate strategies pursued by institutions and groups within the R&E community; however, there is great potential in coming together to share best practices, experiences and leverage common resources and services. The national partnership that we know as the NREN (National Research and Education Network) is one example of how the national R&E community can work together, accommodate the diversity of size and geography to benefit us all. Indeed building on the relationships and services of the NREN will be an important part of any collective cybersecurity effort.
As I was leaving the CANARIE board I was asked to join the Cybersecurity Advisory Committee as its inaugural chair and agreed to take on the role because I believe that CANARIE’s work, while important and impactful on its own, will also be the catalyst for a broad-based, national, collaborative cybersecurity effort – one that leverages the diversity and strengths of the community itself and builds on past and current efforts to become an important buttress against the risks that we all share and one more way to make each of our organizations more secure. An incredible amount of foundational work has already been done and I think that it will be exciting this year to watch our initial collective efforts really take root and see new ideas and possibilities emerge from our collaboration.