DeVry CISO: Tackling Cybersecurity Risks in Higher Ed
▼ Summary
– DeVry University balances academic openness and cyber risk by physically separating student-facing systems from back-end operational systems to limit exposure.
– A dedicated Cyber Risk Committee, composed of cross-functional leaders, determines the institution’s risk threshold by evaluating likelihood and impact, then decides whether to mitigate or accept each risk.
– Centralized Learning Management Systems (LMS) now consolidate student data, which improves reporting but also increases the potential impact of a breach compared to the decentralized systems of a decade ago.
– The shift to hybrid learning has dissolved the traditional campus security perimeter, requiring a focus on strong authentication, continuous verification, and securing third-party connections and APIs.
– To protect accounts accessed from unmanaged devices worldwide, the university employs layered defenses including multi-factor authentication, AI-based anti-phishing, dark web monitoring, and direct student support for credential resets.
Balancing the need for open academic collaboration with robust cybersecurity is a defining challenge for modern universities. Fred Kwong, Vice President and Chief Information Security Officer at DeVry University, explains that the institution manages this by architecting a clear separation between the systems learners use and the backend operational infrastructure. This foundational strategy grants students the tools they need while allowing the security team to tightly control and monitor access to sensitive administrative systems.
Determining where to draw the line between openness and risk is a collaborative effort. A cross-functional Cyber Risk Committee, composed of university leadership, is tasked with evaluating threats. This group assesses risks by weighing the likelihood of an incident against its potential impact, considering factors like student confidence, brand reputation, and privacy implications. The security team provides data to quantify these risks, presenting leaders with options to either mitigate or accept them. When a risk surpasses the acceptable threshold, a formal exception process begins, mandating compensating controls, a designated risk owner, and an annual review to ensure ongoing management.
The nature of student data has transformed significantly. A decade ago, information was fragmented across disparate systems and even paper records, creating visibility gaps and inconsistent security controls. Today, centralized Learning Management Systems (LMS) consolidate this data, enabling richer analytics but also creating a more attractive target for attackers. To counter this, Kwong emphasizes the necessity of full visibility into data flows, enforcing strict data minimization and retention policies, and adhering to a “least privilege” access model. These measures shrink the potential attack surface and ensure that access is properly logged and monitored for anomalies.
The shift to hybrid learning has fundamentally altered the security perimeter, moving it from the campus boundary to wherever a student logs in. This distributed model demands a stronger focus on identity protection. AI-powered email security, phishing-resistant multi-factor authentication (MFA), and continuous identity verification have become essential defenses. Furthermore, the reliance on third-party providers for virtual labs and software introduces new cyber and operational risks. Securing the application programming interfaces (APIs) that connect these external services to university systems is now a critical priority.
Defending thousands of student accounts accessed from unmanaged devices worldwide requires a layered approach focused on the identity itself. Beyond robust MFA and anti-phishing tools, DeVry employs detective controls like threat hunting and dark web monitoring to spot compromised credentials. When an account breach is suspected, the team has playbooks to guide students through recovery, which includes resetting not only university passwords but often personal email accounts where compromises may have originated. Ongoing security awareness campaigns educate the community on recognizing phishing attempts and maintaining good digital hygiene.
Securing research computing environments presents its own unique balance between academic freedom and data protection. Encryption is applied to all sensitive data, both at rest and in transit. Systems are hardened with necessary security tools to guarantee visibility, and the network is segmented to prevent lateral movement. This strategy enforces the principle of least privilege, ensuring researchers have the access they need without exposing backend systems or regulated data. The ultimate objective is to foster an environment of innovation while rigorously minimizing the risk of data exposure or operational disruption.
(Source: HelpNet Security)
