Balancing cyber risk and digital citizenry in higher ed

Jason Stevens

Chief information security officers should refrain from imposing singular security policies on university environments as security boundaries shift to the users, a trend accelerated by the pandemic and breaches to identity management systems inside Optus and Medibank. 

In institutions like Flinders University, securing virtual borders requires balancing digital citizenry with a user-centric approach that puts identity management at the forefront of its strategy. 

Students, particularly young adults entering higher learning environments, need to be educated on cybersecurity best practices while not being limited in learning, discovery, and exploration of academic resources that define the creative openness of university institutions. 

“We must treat students as grown-ups and help them understand the consequences of compromised identities,” Flinders University CISO Kim Valois said. “This is a different setting than most other organisations face.”

publisher Corrie McLeod, Flinders University CISO Kim Valois, and SailPoint A/NZ country manager Nam Lam

Students join staff, researchers, visitors, alums, donors, and third-party contractors in a collaborative environment, accessing internal and public academic platforms. That mix compels a considerate, unique approach to securing sensitive data under zero trust frameworks.

The third episode of the Inside/Out: Getting ID Right series, a collaboration between and SailPoint, delves into the Landscape of Education in an Online World, exploring the impact of cybersecurity on the student experience in higher education, including Flinders University.  

Ms Valois stressed that she does not believe security should be about saying no. “It’s about figuring out how to say yes and be able to protect, while also allowing the student or staff member to do the core things they need to do.” 

Managing expectations is another unique consideration in complex university settings, especially for those student digital natives who crave instant gratification when accessing online resources.  

“I think part of the answer lies in putting a firewall wrapper around each user, allowing CISOs to monitor who has access to all applications and systems while still giving students access to necessary resources,” SailPoint country manager for Australia & New Zealand, Nam Lam, said during the podcast.

Ms Valois confirms that since the pandemic, automation has played a more significant role in securing edgeless environments that assume students work on Bring Your Own Devices (BYOD), both physically inside universities at library kiosks and remotely in several diverse settings, including homes, airport lounges, and cafés.

“We had to deploy cybersecurity controls to protect virtualised services and things not on campus. We also spent lots of time figuring out how to get staff productive in their virtual workspace,” Ms Valois said. 

“At the same time, we provide free internet connectivity for students and guests. All these use cases get considered when we implement cybersecurity controls.” 

These challenges call for an “inside-out approach” or mindset to keep the bad actors out with a hyper-focus on securing the user and their identity first and then extending the security outwards to protect the systems and applications they interact with.  

According to Mr Lam, Flinders University’s holistic and user-centric approach to security in a fluid, dynamic environment offers essential lessons to private sector organisations.

“We should give Kim and Flinders University a big pat on the back — they are well progressed compared to other verticals we work with, including healthcare which is ten years behind banking and playing catch-up,” he said. 

Mr Lam believes universities can serve as a model for other sectors in tackling secure identity management, especially since the next generation of the workforce will come from universities.  

Universities face challenges in protecting personal information while complying with complex regulations, including the General Data Protection Regulation (GDPR) and Family Educational Rights and Privacy Act (FERPA).    

“Third-party providers and cloud computing make my job even more complicated but equally make it interesting and challenging,” Ms Valois said.

CISOs must balance digital citizenry and cyber risk in university environments by providing minimal security privileges to students and faculty while allowing creative freedom to explore academic resources and platforms.  

Identity management, including MFA, is a critical component of this approach as it enables efficient automated access requests and password resets and ensures users access only the resources they need. 

This podcast series is being produced by in partnership with SailPoint. 
