By David Escalante, Director of Computer Policy & Security, Boston College
As part of a series on SecureThinking, we’ve recently focused on innovation. We’ve debated the pros and cons of innovation within large multinationals. One expert believed it was better to wait for a technology to be tried and proven before adoption. Another expert took the stance that organizations need to take the leap to get an edge on the competition. What impact does innovation have on other industries?
For this post, we are exploring innovation within the context of universities. We want to know whether innovation in IT security is beneficial for universities, or whether it is better to wait until a technology becomes standard before implementing it.
We took this question to an expert in the field and asked his opinion. David Escalante, Director of Computer Policy & Security at Boston College, asked: if innovation doesn’t occur in higher education, then where else would it occur? Here is his opinion:
Innovation can indeed be a difficult subject to understand. One of the great dilemmas of innovation is the extent to which innovation is appropriate, dangerous or both when applied to one’s core business.
Higher education has, generally speaking, had a simple core business model for hundreds of years, with a teacher in front of a classroom. Innovation has occurred within the model in terms of how technology is used – think of copiers, whiteboards and more recently computers – but the subject at hand is not innovative teaching, but innovation within the security space. Also, it is worth noting that higher education has contributed significantly to basic research over many years, which has certainly spurred innovation in a variety of fields.
It sometimes seems that security vendors are buying other companies and coming out with new versions of their existing software rather than introducing interesting, innovative technologies to meet the continuously evolving security threats. And alas, major corporations seem to be busy doing the security compliance dance for their auditors and regulators rather than security innovation to better protect their assets and IP.
This leaves higher education as a sector that potentially can innovate in security. It has an audience of millions of students and faculty members to protect. And arguably, this audience neither expects nor requires the same level of security as, say, a financial institution or the military, which allows some degree of flexibility in testing innovative approaches to security – a failure need not be catastrophic. Residential campuses also occupy a niche between needing to protect key assets like a business and to serve as an ISP for those living on-campus. In such an environment, some level of innovation is critical since the network and usage models meld classic business and ISP models.
Higher education has been innovating in network asset identification, doing primitive network asset identification and admission control before the term was even defined under the name “NetReg.” It is also innovating in identity management, where the variety of campuses, individual roles, and joint research efforts has driven the need for federation. Some campuses are actively collaborating on new ways to combat malware. And the practice of removing users with malware from the network, recently suggested by Scott Charney of Microsoft for ISPs, has been used on many campuses for years now.
Curiously enough, however, much of this innovation is not driven by the specific recommendations one finds in texts on innovation. Rather, it is driven by a combination of intellectual curiosity, budget inequalities, a strong desire to mitigate the threat landscape, and, finally, by inter-institutional collaboration.
Security practitioners from various institutions get together, determine what their security issues are, and, depending upon their budget and abilities, attempt to develop solutions to the issues. Then they get together again, discuss what they’ve done and review new security issues that demand their attention. What works in some places will be tried in others, where it may or may not work.
In this way, innovation can proceed along the “just do it” approach while still being tested over time across multiple campuses where only the best solutions survive.