Re: Please bear with me - this is an odd request ...

[Brian Basgen <brian_basgen () EMERSON EDU>]

Hi Chad,

 Sounds like an interesting opportunity from an engaged board. :)

 I suspect your easiest and best path is engaging a consultant who does
remediation work. While it would be problematic to ask them to report on a
past client for obvious reasons, I wonder if you could ask them to
reconstruct some incident from a school similar to yours for which there is
sufficient public information. If they've worked to remediate higher ed in
the past, they could fill in some blanks prospectively and probably put
together a pretty compelling story. It wouldn't be accurate without
verification with the institution being researched, but a possible
acceptable goal for your Board is for a theoretical scenario that is
reasonable and realistic. That said, as you say, it would be an atypical
request to make of a consultant, but I suspect you could find someone who
would see it for what it is: as an interesting challenge!

--------------
Brian Basgen
Associate Vice President, Information Technology
Emerson College | 120 Boylston Street | Boston, MA 02116



On Mon, Nov 26, 2018 at 12:32 PM Chad Tracy <ctracy () bates edu> wrote:

> Hope everyone had a much deserved Thanksgiving break.
>
> I am three months into a newly created security position at an institution
> that never had a dedicated person to fill the role. I have been asked to
> put together a reading for the Board of Trustees regarding a case study or
> some in depth description of a security incident that an institution in
> higher education had and what the school did to right itself and any sort
> of cost associated with it? The end game is to show the members of the
> board the importance of this area. *There may be easier ways to show the
> importance but I am sure some of you can probably raise their hand to
> having to fulfill a request for the board... :) *
>
> Has anyone ever seen such a report or maybe even completed one themselves?
> Maybe the report covered such things as:
>
> How the institution dealt with possible:
>
> reduced donations after the breach,
> reputational damage (*I am not sure if this can be measured anymore...
> are people becoming so desensitized by breaches that they just shrug them
> off nowadays?*),
> reduced enrollment.
>
> Costs of remediation:
>
> purchasing technology/services to remediate
>
> hiring of staff
>
> Thank you for your time and feel free to reach out offline either through
> email or phone.
>
> Cheers,
>
> Chad
>
>
>
> --
> Chad Tracy
> Director of Information Security, Policy and Compliance
> Bates College
> 207 786-6491