Strengthening cybersecurity for higher ed in B.C. with Wency Lum

Thursday, October 5, 2017

We sat down with Wency Lum, the CIO at UVic and new chair of the BCNET Cybersecurity and Identity Management Committee to talk about the importance of cybersecurity in higher education, the role of the committee and the value in collaborating to find common solutions.

Q: According to EDUCAUSE, cybersecurity is the number one concern of CIOs. Do you see cybersecurity as a growing and important issue within the higher education community?

A: Yes, absolutely. I would say that cybersecurity is one of the top risks to manage today in any environment. And certainly, higher education is no different. In higher education, we have three key issues that make cybersecurity a greater challenge. 

First, we tend to have more open environments, because openness is needed to support research, collaboration, teaching and learning. This open environment creates cybersecurity issues, because it’s contrary to the principle of least privilege, which is a hallmark of good cybersecurity. 

Second, we are also very decentralized, and where you have decentralization, you may have areas where IT practices are inconsistent. Decentralization can contribute to challenges in managing cybersecurity in a large organization. 

The third issue is that institutions have a lot of attractive data such as research data, which can make higher education a greater target for cybersecurity threats.

Cybersecurity has received a great deal of media attention in the last 18 months. The positive effects of the media is it has created greater awareness at the board and executive level, which has helped to create a driver for change. The negative effects is that it creates fear, uncertainty and doubt. And so, it’s a matter of taking the recent media attention around cybersecurity as a call to action.

Q: What do you hope the Cybersecurity Committee will achieve?

A: My hope is the committee will go beyond service management and help to level the playing field among institutions. In British Columbia, there is a diversity in sizes of intuitions and all face the same challenge in building and retaining cybersecurity expertise. So, if we can develop these basic building blocks of services and influence new sector-wide practices and standards, we can help to strengthen cybersecurity for higher education in British Columbia.
Q: What do you envision as the committee’s role in shaping the direction and conversation around cybersecurity?

A: I think it’s very important to develop shared services in this domain, because much of the required resources at each institution will need to focus on implementing change. The technology and IT issues are only a small part of the cybersecurity equation; the rest is around people management, change management, and institutional culture. 

Q: Who are the Cybersecurity Committee members and what expertise do they bring to the table?

A: The committee is made up of CIOs, chief information security officers, information security managers as well as subject matter experts in identity management and cybersecurity. Members also come from many different sizes of institutions in British Columbia. Moreover, not all of us have spent our careers in higher ed, so we have a strong diversity of opinions and perspectives. I think diversity will help us to create better common services. There is also a great deal of industry knowledge, as well as higher education knowledge and expertise.
Q: Will the committee have a role in supporting cybersecurity awareness?
A: Yes, absolutely. Creating awareness is a holistic concept to help us share what practices are used across the sector and then using this knowledge to increase the cybersecurity maturity level of our organizations. The principle of social proof applies here. We can more effectively move things along when we have evidence of successful change in other similar types of organizations.
Q: What do you envision as possible shared services in this space?

A: We are still exploring service opportunities. For instance, we are talking about the possibility of a shared chief information security officer. We are also looking at next-generation, end-point protection and cybersecurity professional consulting services. Of course, all of these services are dependent on the collective needs of BCNET members to determine the types services needed and the order of priority.
Q: What value/impact could shared services in this domain offer members?
A: The big win is that a shared service helps to level the playing field, and it can provide access to a cybersecurity solution that perhaps a smaller institution wouldn’t have access to on its own. 
We can achieve that by working together.