Re: We're number one! (Is that a good thing?)

["Pitt, Sharon" <spitt () UDEL EDU>]

OK, partner in crime, I'll rant.


It's been a long time since we wrote our response to the Top Ten IT Issues list wrt to security and privacy and I've 
got something to add.


For context of this rant, I first applaud the organizers of the ELI Annual Meeting for inviting Jules Polonetsky of the 
Future of Privacy Forum to speak about navigating privacy and trust in an era of big data.  It was a great session and 
very important for our teaching and learning community to see.


At the end, I asked a question about our #1 Issue, with the thought that we should not lump security and privacy 
together.  In other words, moving forward, we should separate these as two concerns.  He agreed, and made a beautiful 
and respectful statement (that I cannot for the life of me recreate) about the distinct, but complementary, differences 
between these two concerns.  (I don't know if slides or a video is available, but it would certainly be great to share 
if that exists.)


It seems that both privacy concerns and security concerns are increasing and increasingly disruptive.  I don't see our 
community getting a handle on all of these issues unless we break them apart and begin to address them as separate 
issues.  And then, maybe then, Privacy will be the #1 issue.  Or not.


Sharon





Sharon P. Pitt
Vice President of Information Technologies
University of Delaware
030 Smith Hall
Newark, DE 19716
(302) 831-0221


spitt () udel edu<mailto:spitt () udel edu>
twitter@sppitt


________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Corn, Michael 
<mcorn () UCSD EDU>
Sent: Thursday, February 1, 2018 1:43:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] We're number one! (Is that a good thing?)

Good morning (at least on the west coast) everyone,

As you might have noticed, EDUCAUSE released the Top 10 IT Issues list yesterday. The article and associated resources 
are available here: https://www.educause.edu/research-and-publications/research/top-10-it-issues-technologies-and-trends

Information Security is #1 on the list again, and a number of materials have been published in conjunction with the 
main IT Issues article to talk about information security:

*       An interview with HEISC co-leaders about information security in higher education: 
http://er.educause.edu/articles/2018/1/the-third-times-the-charm-information-security-at-the-top-of-the-list-again

*       A new guide on developing a security strategy: 
https://www.educause.edu/guides/developing-a-risk-based-security-strategy-in-higher-education

I'm curious what this security community thinks of security showing up at the top of the list means. Personally, I go 
back and forth between believing it means we're doing a great job at keeping attention on InfoSec, and believing we 
must be doing a terrible job if it's still getting this kind of attention. It's also tempting to ask if this ranking 
has something to do about how CISOs and CIOs communicate and what we're saying to each other (and what it says about 
the different perspectives of each).

In addition - regardless of why we remain on the top of the list, is there more we should be doing as a community to 
evolve higher ed information security practices? Should we be doing things differently? Is there some collective way to 
bring our industry forward? What should we focus on? What are the resources that we need (publications, guides, time, 
money, etc.) to effect change? How can we make the security discussion strategic and not merely another discussion 
around the operational control du jour.

Thoughts? Rants? It'd be great to get a conversation going in this forum,
MC

----------------------
Michael Corn | Chief Information Security Officer
mcorn () ucsd edu
University of California San Diego | ITS - Information Technology Services
10280 N. Torrey Pines Road, Suite 255 | La Jolla CA 92093 MC 0928
cybersecurity.ucsd.edu | esr.ucsd.edu