Educause Security Discussion mailing list archives

Re: Results for July HEISC Survey on Current Risks & Top Issues


From: "Corn, Michael" <mcorn () UCSD EDU>
Date: Wed, 19 Jul 2017 01:56:50 +0000

Thanks Val,

Out of curiosity, what's the oldest HEISC survey and what were the top 5 then? It's curious to see

 - training
 - funding
 - malware

so persistently appear, and while I'm sure the perceived importance of some of these has changed over the last 20
years, they're so systemic that I wonder if it's time to ask why they keep appearing. It would be interesting to see if
our actual commitment of resources aligns with the reported 'top' issues.

Similarly, since phishing so clearly rises to the top (as it did here in a conversation among the UC CISOs), and since 
almost everyone is presumably spending serious dollars fighting phishing, should the follow-up question be "why the 
heck haven't we solved this yet?" which could be interpreted any number of ways. Are we shifting spending to fight 
phishing or are we increasingly relying on the 'free' anti-phishing technologies provided by the big two? And thus 
getting what we paid for.

thanks for the summary, interesting as always,
MC

----------------------
Michael Corn | Chief Information Security Officer
mcorn () ucsd edu
University of California San Diego | ITS - Information Technology Services
10280 N. Torrey Pines Road, Suite 255 | La Jolla CA 92093 MC 0928

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Valerie Vogel 
<vvogel () EDUCAUSE EDU>
Sent: Tuesday, July 18, 2017 2:59:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Results for July HEISC Survey on Current Risks & Top Issues

Good afternoon,

Thank you for responding to our most recent quarterly HEISC survey on current risks and top issues in the higher 
education community.

The top 5 issues for Q3 (with 57 respondents):

1. Phishing and social engineering
2. Limited resources for the security program (too much work, not enough time or people)
3. Addressing regulatory requirements (PCI, NIST 800-171, etc.)
4. Malware, ransomware, APTs, and zero day vulnerabilities
5. End user awareness, training, and education


And as a reminder, here are the top 5 issues for the first two quarters in 2017.

Top 5 issues for Q2 (with 101 respondents):

1. Phishing and social engineering
2. Limited resources for the security program (too much work, not enough time or people)
3. End user awareness, training, and education
4. Limited funding for the security program
5. Protecting Personally Identifiable Information (reducing end-user storage and access to PII)

Top 5 issues for Q1 (with 114 respondents):

1. Phishing and social engineering
2. Limited resources for the security program (too much work, not enough time or people)
3. End user awareness, training, and education
4. Limited funding for the security program
5. Malware, ransomware, APTs, and zero day vulnerabilities


Thank you,
Valerie


Valerie Vogel
Senior Manager, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | twitter: @HEISCouncil | vvogel () educause edu
