Why cyber hacks start in the boardroom 

We’ve all seen the same letter repeated a thousand times: “We have recently experienced a sophisticated cyberattack performed by highly skilled threat actors. There is no evidence that your data has been misused. We take your privacy and security very seriously.” 

It’s not so much a notification as it is corporate Mad Libs… and it certainly reads better than “We were hacked because our budget was tight, and we couldn’t tie cybersecurity investments to improvements in enrollment.”  

Too much truth for you? Let me lay on another: Most higher education data breaches don’t start in the server room; they start in the boardroom.  

Don’t get me wrong, leadership and IT both want the same thing: A college that serves its students. Furthermore, both leadership and IT staff are some of the most dedicated, tenacious and overworked people I’ve met in my long career. 

It isn’t a technology problem; it’s a communication problem

The truth is, IT staff usually see a cyberattack coming well in advance, but they lack the business language to translate technical problems like “unpatched vulnerabilities” or “end-of-life software” into student-focused metrics like “lost enrollment” or “risk to accreditation.” Without someone who can bridge that language gap, investments don’t get made, or worse, tools get purchased with no strategy because a capital expense for a new widget is easier to justify than operational expense for cybersecurity staff.

Here’s the kicker: experienced cybersecurity leaders who can bridge that gap are scarce. And even if you can find a chief information security officer (CISO), most community colleges can’t afford to retain one. 

This is where I have seen fractional leadership change the game. A part-time or virtual CISO brings that missing voice to the table: translating cyber risks into business terms, prioritizing investments, and making sure cybersecurity isn’t just another line item, it’s part of the college’s overall strategy. 

The term “virtual CISO” can sound abstract, but in practice, it’s very concrete. A vCISO isn’t just another consultant. They operate as a security strategist, translator and advisor rolled into one.  

As an example, a community college recently reached out to me after receiving official letters from the Department of Education threatening sanctions for not being GLBA compliant. Before advising specific steps, I started by understanding their immediate needs, available resources, and the most critical action steps to achieve compliance. As their vCISO, I took on the responsibilities of:

  • creating a plan for achieving GLBA 
  • writing a letter to the DOE advising them of our plan and buying time for the college to execute the plan
  • updating or creating all the policies and administrative procedures necessary to meet GLBA  
  • creating a GLBA compliant risk assessment identifying the most critical remaining risks 
  • crafting business-focused messaging around these risks to the board to receive additional budget to remediate them

Your vCISO should be able to provide both technical and soft skills necessary to support institutional initiatives. For example, I was brought into a different community college at a time when the CIO was struggling with a difficult change management process. IT had purchased expensive security monitoring hardware whose implementation had stalled due to time constraints and knowledge silos. The CIO was in danger of losing credibility with the board but couldn’t find a way to get the internal buy-in necessary to complete the effort. As his cyber expert, I was able to: 

  • host an IT-wide cybersecurity incident simulation that illustrated the importance of the solution and identified significant gaps in incident preparedness 
  • coordinate a cross-functional team to complete the implementation before the CIO had to report to the board
  • complete a federal grant application to receive funding to update the disaster recovery and incident response plans 

The scope of what a proactive vCISO can help with is limited only by imagination, costs a fraction of a full-time CISO’s salary, and (let’s be honest) is way more fun than writing data breach apology letters. 

But, hey, if you need one of those? 

An experienced vCISO can do that, too. 
