The choices we make
Cybersecurity without institutional translation is operationally busy but strategically invisible
When I started in cybersecurity, the CIO who recruited me asked me to hire a firm to evaluate the campus security posture. He even had some funds earmarked for this engagement and was hoping I’d get moving on it soon after I started. In the end, I never did. At first, I demurred with language about wanting to get to know the environment, get to know the terrain and the people. Which was a reasonable position to take - I was new to the campus, new to cybersecurity, and hadn’t much experience working with any of the large consulting outfits.
But in fact, as I quickly found, we didn’t need to spend a quarter of a million dollars to tell me the obvious: we had a very weak security posture. That’s not to say we were doing nothing. The networking team was terrific and had installed firewalls and an IPS at our internet border. We bought antivirus software and made it free for all faculty and staff. We even provided vulnerability scanning on request[1]. However, most of what the security team (consisting of two people) did was respond to tickets when networking took someone offline. There was no cybersecurity governance and few established processes, nor much in the way of tools or staff. We had no plans or any of the accoutrements that we, today, would recognize as part and parcel of a mature cybersecurity office. Of course, this was 2003, and we really weren’t that far behind most of our peers.
So it’s reasonable to ask how I responded to this situation. What I did, rather instinctively, was focus on services and functions. What were the things a modern office should be doing and could we get started on that? Naturally, your activities are shaped by the skills and inclinations of the people you hire. I, being naive to the breadth of cybersecurity, hired engineers. So we focused on engineering. Things like intrusion detection, log management and analysis, certificate and credential management. We tried to raise our game on managing our (god help me) McAfee antivirus solution and deployed a modern anti-spam solution. Over time, we did become increasingly involved in campus risk management and governance, but even outside of cybersecurity those were fairly new and immature functions, thus offering few opportunities for partnership.
I did try to pay attention to the literature - though it too leaned technical. I internally codified this approach - engineering-first security vs. governance-first security. To me, it only made sense that if you’re starving and thirsty it’s more important to eat and drink than to buy a cookbook and plan a set course. To some degree, I still feel this way. And I see this very often when I meet with schools and discuss what their internal roadmap looks like. For most universities it looks more like a laundry list of operational enhancements and control deployments than a road map for an organization trying to get off the endless treadmill of cybersecurity controls.
Which finally brings me to the point of today’s post: is this choice I made still the right one or has cybersecurity matured to the point where it’s explicitly the wrong one? And if it is the wrong one, how do we pivot without losing operational momentum?
The challenge I’m describing can be found in many parts of an organization. Operational activities offer less friction in their establishment than those of governance, policy, and strategy. For a cybersecurity example, think of an intrusion detection system. The “sell” to management is straightforward, and the hurdles are simply cost: equipment and staff. It’s understandable, an ROI can be calculated, and it requires little or nothing of management except to find the resources. In contrast, imagine establishing and managing an oversight or governing committee. Now resources (people’s time) must be drawn from outside anyone’s span of control. And not everyone is a good faith actor. They smile and show up, but so many of these sorts of committees die of neglect like shriveled grapes on a vine.
Historically, enterprise risk management (ERM) has tended to focus on facilities and is tightly coupled to questions of insurance. Buildings, life safety, and utilities get the most attention. Obviously that’s changing. I recall getting an email from our campus risk manager who had done a survey of senior leadership about what risks they put at the top of their own priorities. To my surprise, “cyberattack” was number one with a bullet. Many schools are now well down the path of seeing digital risks as paramount - I can’t imagine any hospital that doesn’t have ransomware as one of its top three threats.
But even with this shift it’s not immediately apparent where the payoff for cybersecurity lies. One could focus on developing and establishing cyber within the ERM context. The primary advantage of this is that ERM, almost by design, is tightly engaged with organizational leadership. Institutional-level risk truly needs institutional-level prioritization and leadership. This is why I’ll always argue for research security being owned by the research affairs office, and not IT or cybersecurity.
It took me some time to change my thinking on these issues. I knew and understood the traditional cyber risks; I knew that an absent control was a present risk. And of course, once you have ‘something’ your staff will want to enhance or optimize it, rather than turning to new and unaddressed risks. Expertise traps effort within its own domain.
But what was missing in this? Transparency, opportunity, and strategy. Transparency, since campus leadership, beyond an annual presentation or two, truly had no idea what we were doing, nor was it comprehensible. Saying “We’re using ACME to shorten the lifespan and ease management of SSL certificates” to an executive may as well be in Klingon. Without presenting risk in comprehensible terms - and engaging your leadership in prioritization and mitigation discussions - you remain opaque, and no one really likes wandering in a dark wood at night.
It’s precisely that engagement that creates opportunities for cybersecurity. To a large degree, organizational executives are nothing more than risk managers. But they need to recognize and be shown that cyber risk is a significant part of their risk portfolio. That won’t happen if they’re expected to dive deep into a small subunit of IT and wrestle with cybersecurity terms of art[2]. This doesn’t mean that we need to abandon all of those operational enhancements - on the contrary - they remain a critical dimension of our office’s activity, perhaps consuming the bulk of our resources.
Nevertheless, if we’re going to engage our leadership and include operational activities, we need to devote time to establishing our place in those ERM processes. We should package our operational activities in a succinct and comprehensible fashion[3]. Remember, cybersecurity without institutional translation is operationally busy but strategically invisible. In my past I’ve tried to aggregate my operational plans into one or two single lines, represented as “percentage of completion” of the annual work plan. I often broke out one extraordinary initiative as its own line item, but only if it warranted the regular attention of senior leadership. For example, when my office was establishing a CMMC program, which required staffing and funding outside of normal budgeting, it was broken out of the operational plan. However, even it was represented not as a risk, but as a mitigation to the risk, “ability to continue to receive DoD funding.” Naturally, that risk has a valence with your leadership that “we need a CMMC program” doesn’t.
There are a number of advantages to this approach. First, it allowed me to include operational activities in an ERM risk register as mitigations to long-term strategic risks. Thus the entire causal chain from threat to mitigation is laid out for others to see. Second, it established my operational plans not as an endless treadmill of costs, but as a series of stepwise goals (this year we’re tackling network architecture, next year, data security, the year after that account protections…) all of which are components of your comprehensive maturity posture. Third, ever since the appearance of ransomware as a common threat, institutions are waking up to the fact that cyber risks are truly threats to continuity of operations / instruction / patient care. You won’t need to argue that “ransomware” belongs on the risk register, but rather that ransomware protections are mitigations under the existing BCP/DR program. The work’s been done for you; you simply need to claim your seat on the bus.
You can tell that despite those codified inclinations towards operational activities, I’ve come around to the position that a primary focus of cybersecurity leadership should be on tight integration with institutional ERM and governance efforts. That is, ERM integration as strategic maturation. I’m not arguing for a loss of identity or an absorption into the ERM or related programs. Our community and our programs have distinctive characteristics and approaches to problem solving that we would be foolish to ignore. Our best relationship to ERM is one that informs and helps shape it, rather than being subsumed by it.
So if I were to step into the Wayback Machine with Peabody and Sherman, and return to 2003, would I do anything differently? Absolutely; I’ve learned a lot since then. It would be difficult since the security team was so small (we started with two and had permission to grow to four in addition to myself) so it’s not like I could delegate much of anything at that point. But the fundamental lesson of aggressively pursuing outreach to senior and executive leadership - establishing standing bodies on cyber risk - is surely one I would tackle much earlier than I did. The real mistake wasn’t prioritizing engineering. It was assuming engineering alone would eventually create strategic influence.
The maturation of cybersecurity is not measured by the sophistication of its tools, but by the degree to which institutional leadership understands, prioritizes, and owns cyber risk. This is why I’m so discouraged by organizations that assemble their strategic plans from operational components. In 2003, engineering-first was survival. In 2026, engineering-only is immaturity. The inflection point is when cyber risk becomes institutional risk - that is, when cyber risk becomes a governance concern. That is where legitimacy is built.
[1] An early lesson I learned was how to alienate people. My predecessor had decided to aggressively scan our entire IP space without warning - knocking armfuls of machines offline - and then sent departmental admins the (paper) scan reports for their network segments with merely a note saying “go fix these”. As I’ve often said, “How matters” and this wasn’t how this should be done.
[2] It would be interesting to know if the training for CFOs and COOs now includes elements of managing cyber risks - I would certainly hope they’d have some facility in the space.
[3] My mental model here assumes your institution has some sort of institutional risk register - as a cornerstone of your ERM process. Your goal is to ensure cybersecurity is represented on it.