Laramie County Community
College (LCCC) in Wyoming works to
ensure broad, high-level communication
about any potential cyber-dangers
to students or employees, CTO Chad
Marley says. “We like to go to the
president’s cabinet and make sure they’re
informed,” he says. “We want to make
sure everybody is aware of the risks.”
The college also has strengthened
password policies, added encryption
services to e-mail, implemented new
training software, leveraged existing
tools in the Microsoft campus
environment and then some.
The president of Michigan’s Lansing
Community College provides top-level
support for cybersecurity when it comes
to resources and budget, as well as
culture, says Paul Schwartz, director of
information security. “Then he
delegates the responsibility to the CIO, who
delegates it down to me, eventually, to
implement the various cybersecurity
tools and principles,” he says. “There is a
bit of cybersecurity in everybody’s job.”
Leadership teams at the executive and
directorship levels meet regularly to
collaborate and discuss the issue, Schwartz
says. And the president sits on the board
of trustees, which helps communicate the
urgency to them, as well.
College executives and their boards
need to talk about cybersecurity risk
in terms of the impact on the college’s
mission, Hernandez says. The pitch
should be something like, “If you fund
an information security program,
we can get down to a low area of risk.
Whereas if you’re not going to support
us at a certain level, you have done less
due diligence, less due care,” he says.
“And the public and any regulatory
agencies are going to ask the board,
if there’s a breach: ‘You knew about
this, you chose a path of higher risk.
Talk to us about that decision-making.’
That’s going to help the board make a
LCCC senior staff have presented to
the board about the potential risks and
how they have been able to mitigate
them, which has helped earn
investments in cybersecurity, Marley says.
“We just provided the cost-benefit, and
what it will allow us to do if we have
an attack or a ransomware situation,”
he says. “We try to manage our security
footprint within our operating budget.
So far, we’ve been able to do that.”
Henningsen says he’s had no issues
convincing his board members. “This is
a very serious situation. A lot of people
are already aware,” he says.
Anyone having difficulty convincing their board just needs to do
a Google search on data breaches,
DesPlas says. “You can produce pages
upon pages of different educational
institutions, healthcare facilities—
heck, look at Facebook,” he says. “The
real-world examples are out there, and
they are stunning.”
REACTING TO A BREACH
While being proactive hopefully will
stop any breaches, there are no guarantees. Containment of the breach is
always the first step, Hernandez says.
That means knowing “that we have
data flying out of the organization and
having a plan in place where people
who are authorized to do so can stop the
leak,” he says.
[Photo: Members of San Juan College’s network services team meet with President Toni Hopper Pendergrass.]
“People understand that breaches happen.
They’re used to it. But folks are unforgiving
when they feel lied to, when the timeliness is
STEVEN HERNANDEZ, chief information security officer, U.S. Department of Education