By Joanna Grama, Director of Cybersecurity and IT GRC Programs, EDUCAUSE


When information security professionals get together, there is no shortage of conversation. From sharing points of view on the latest hot topic to swapping technology implementation tips, information security professionals are determined to learn from one another to advance the profession. This shared commitment to improving information security was on full display during the Peer2Peer Session "Advancing Information Security Strategies in Higher Education" at the 2016 RSA Conference.

The session was filled to capacity and was attended by information security professionals from large and small, public and private institutions. A majority of the participants were not new to higher education information security units, and roles from CISO to information security analyst were represented. In addition to higher education information security practitioners, the session was attended by representatives of higher education partner organizations (such as Internet2) and partner-vendors interested in better understanding information security concerns in higher education.

Three main themes emerged from the conversation: budget cuts, cloud security, and the proliferation of data breaches across all industries.

Session participants said that it is hard to prioritize and communicate about information security projects and operations in an era of ongoing limited budgets. Most participants felt that as institutions continue to investigate moving campus IT services to the cloud, issues of budget and data security become even more acute. Finally, session participants agreed that it was imperative that information security departments find ways to learn from other industry data breaches in order to elevate information security discussions at their own institutions.

How should people be applying things they’ve learned in their jobs today?

Session participants offered two actionable steps that all information security practitioners in higher education should take:

  1. Be prepared with your elevator speech. What do you do? What is the number one thing that you need to elevate information security on your campus? Use this speech to communicate with executives about information security.
  2. Keep sharing. In addition to informal sharing between colleagues, there are a number of higher education-specific IT organizations and information security resources. Get involved with those organizations and contribute to the collaborative resources that are being created. See more at


Joanna Grama, JD, CISSP, CIPP/IT, CRISC, directs the EDUCAUSE Cybersecurity Initiative and the IT GRC program. Grama has higher education information technology experience and previously held the position of Information Security Policy and Compliance Director at Purdue University. A member of numerous information security and privacy associations, Grama is also a member of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee where she serves as the chairperson of its technology subcommittee. Grama graduated from the University of Illinois College of Law with honors.