IT leaders at academic institutions face significant insider risks, strict compliance requirements, and universally tight budgets. Compared to the average commercial enterprise network, every user in a higher education environment represents a much higher level of risk.
At the same time, today’s security threats are more disruptive than ever. Executive decision-makers have to contend with cybersecurity risks that can cause catastrophic damage to campus equipment and operations. If hackers attack an unprepared university and demand half a million dollars in ransom, campus leadership may feel intense pressure to pay.1
Facing these risks in the unique security environment of a higher education institution comes with steep challenges. Instead of putting additional pressure on small IT teams with resources already stretched thin, some campus IT leaders proactively address security risks by leveraging reputable managed security service providers.
Higher education comes with unique security challenges
Higher education security threats span a wide spectrum. Security leaders must safeguard the institution from external threat actors, malicious insiders, and advanced persistent threats that bypass perimeter defenses.
Many security technologies are designed with commercial enterprises in mind. This makes for an uneasy fit into the unique context of a university campus.
Some of the unique security challenges that universities face include:
- High user throughput and turnover: Every year a university must create and provision user accounts for an incoming class, and de-provision accounts for the graduating class. This can confuse behavioral activity models developed for commercial enterprise environments, producing false positives.
- High levels of insider risk: Every individual student is a potential source of risk. These risks include negligent behaviors like sharing passwords and malicious behaviors like changing grades or disrupting routine operations.
- Tight budgetary constraints: Compared to the commercial enterprise sector, university leaders must secure a much wider attack surface with a much smaller budget. At the same time, campus leaders lack the comprehensive metrics they need to measure the impact of IT and security investment.
- Reactive processes: Without flexible budgeting, IT teams often find themselves under-equipped to support routine tasks. This leads to time-consuming manual processes, and keeps the team locked in a cycle of fixing things that break instead of proactively improving performance.
- Ad-hoc implementations: Many universities have senior staff who have spent years improvising solutions to problems as they occur. These solutions work, but they add complexity to any further investment in organization-wide security technologies like Identity Access Management (IAM)
- Strict compliance requirements: Institutions under Title IV must adhere to NIST 800-171 standards. As of June 2023, all higher education institutions that handle student aid data must comply with the Gramm-Leach-Bliley Act (GLBA) and establish policies that follow the FTC Safeguards Rule.
- Uncertainty about new security frameworks: While commercial enterprises adopt new security initiatives like zero trust, university IT leaders are less convinced they can meet these requirements, and may not know how.
- Lack of strategic security leadership: Many university IT leaders handle security on a case-by-case basis without a proactive strategy. Some institutions can’t afford a full-time dedicated CISO and lack a forward-thinking approach to mitigating risk.
These challenges set a standard for higher education security teams to meet. They all factor into the strategic decision between developing in-house security operations or delegating security to a reputable third-party service vendor.
Cost-benefit analysis of in-house vs. outsourced IT security
Defending against complex threats requires adopting a comprehensive approach to university security along zero trust principles. Before adopting best-in-class security solutions, university leaders must choose between developing their own internal capabilities and outsourcing security to managed service providers.
Achieving operational security excellence is an exercise in risk management. University IT leaders are used to making difficult decisions and accepting a certain level of risk due to time and resource constraints. However, third-party IT security partnerships supported by advanced technology may reduce overall security risk considerably.
In-house security operations provide visibility and control, but at high cost
University leaders who focus on developing security architecture internally gain total visibility and control over the process. The risk of vendor lock-in is significantly lower because the team chooses which technologies to implement based on their needs.
At the same time, internal security personnel gain deep knowledge of the unique characteristics of the university IT environment. They do not divide their time between multiple clients, ensuring the institution’s security needs always come first.
However, developing internal security capabilities means building and staffing your own Security Operations Center (SOC). Achieving 24/7 security coverage requires hiring at least eight analysts. According to US Bureau of Labor Statistics payroll data, that means paying $1.2 million in salaries, taxes, and benefits in the first year alone.2
This calculation doesn’t include additional costs for technological implementation and licensing. For a campus with 5000 users, basic security implementation can run between $150,000 to $500,000. Some technology vendor pricing models may lead to higher costs since they’re designed for enterprise businesses instead of university campuses.
Choosing open-source technologies will not necessarily reduce these costs, either—they will transform them into higher staffing and personnel costs. Implementing open-source software means conducting your own code maintenance, assuming responsibility for open-source management, and performing legal and compliance checks on your own.
These aren’t activities your security analysts can do on their own. Instead, you’ll need to hire network security architects, which can cost an additional $127,000 per year per person.3
High costs may cause university leadership to take an ad hoc, piecemeal approach to information security. This dramatically increases the risks associated with security misconfigurations and incomplete implementations. Additionally, it introduces stubborn obstacles to achieving GLBA and NIST compliance.
Outsourced security providers alleviate internal burden and provide specialist expertise
Managed detection and response vendors provide SOC-as-a-service capabilities that scale according to the institution’s needs. They offer comprehensive solutions that include personnel, technology, and compliance in a single, unified package.
Unlike the internal strategy, these services come with a low, predictable cost. Managed security service providers can scale upwards on an as-needed basis—like diverting specialist expertise and resources to incident response the moment a critical threat is detected. This is not possible with a purely in-house approach.
A managed detection and response vendor that provides 24/7 monitoring and response allows universities to allocate internal resources more effectively. Instead of reacting to security alerts and ransomware threats, internal IT staff can proactively work on higher-impact strategic initiatives.
Limited visibility is one of the main drawbacks to working with a managed detection and response vendor, although different vendors offer varying levels of operational transparency. Institutions that partner with reputable, high-quality providers with experience in higher education are much more likely to gain visibility into security operations.
Similarly, not all vendors are equally familiar with GLBA and NIST compliance, especially in the education sector. Partnering with the wrong vendor can make achieving compliance an uphill battle.
Partnering with an experienced managed service provider drives long-term value
Experts predict the managed security service market to grow at 14% per year for the next decade. That makes a remarkably wide range of service offerings available to university leadership, with results that may vary dramatically from one vendor to the next.
Developing niche, sector-oriented security providers is part of this industry-wide expansion. There is no longer any need for a higher education institution to partner with a generalist security provider.
Partnering with a managed security service provider with experience in the education sector resolves many of the disadvantages of outsourcing:
- Compliance: Experienced vendors understand the need to meet strict compliance guidelines and know how to do it in a higher education context.
- Expertise: Properly configuring automated security tools according to the unique demands of a university campus is vital.
- Visibility: Transparent operations provide university leadership with in-depth visibility and control over security operations.
| Outsourced Security | In-house Security | ||
| Pros | Cons | Pros | Cons |
| Much lower staffing costs | Limited direct control over analysts | Direct control over analysts’ activities | High operating costs |
| Specialist expertise included in the service | May not know your organization’s security needs well. | Deep knowledge of internal security program | Hard to find specialist expertise |
| Implementation included in the service | Not all vendors and technologies may be supported | You choose which technologies you want to implement | Successful implementation requires specialist expertise |
| Able to attract and retain more experienced talent | Individual analysts are not dedicated to your company alone | Your security team does not divide its team between multiple clients | Your team has less experience handling a wide range of security issues |
| 24/7 coverage available with predictable low monthly cost | You may not be able to make direct changes to security policies at any moment. | You retain control over your security program, policies, and technologies. | 24/7 coverage requires managing full-time employees, with constantly increasing costs. |
| Scalability is built into the service. | Compliance may be easier to achieve, but harder to demonstrate. | Compliance may be easier to demonstrate, but harder to achieve. | Scalability means hiring new full-time employees and buying new licenses. |
Built upon more than two decades of exclusive service to higher education institutions, Apogee Security Services help university IT leaders overcome resource and expertise gaps to comprehensively address IT security and compliance requirements.
Apogee vCISO Services makes expert, higher ed-tailored security leadership and program oversight obtainable for budget and resource-strained teams. While essential tools like security risk assessments and managed detection and response help build the framework for maintaining compliance and a robust IT security posture.
1SC Media, “Separate ransomware attacks reported by Illinois county college,” March 2024. Accessed April 10 2024.
2US Bureau of Labor Statistics, “Occupational Outlook Handbook: Information Security Analysts,” September 2023. Accessed April 10 2024.
3US Bureau of Labor Statistics, “Occupational Outlook Handbook: Computer Network Architects,” September 2023. Accessed April 10 2024.
