Why Higher Education CIOs Need to Revise Their Cybersecurity Strategies

Decentralization Challenges Complicate IT Security in Higher Education

An array of Ivy League institutions, including Harvard and Princeton, fell prey to cyberattacks in 2025, highlighting vulnerabilities even among the most prestigious universities. (Image: Shutterstock)

Chief Information Officers (CIOs) in higher education navigate a landscape that celebrates openness and innovation. Yet, recent cyber breaches at elite universities underscore significant challenges in securing these systems. Notably, institutions like Harvard and Princeton suffered breaches in 2025 due to vulnerabilities in unpatched software and complex social engineering tactics.

In light of these escalating threats, university CIOs must reassess their operational models, governance structures, and IT management strategies, according to cybersecurity consultant Rob Belk of EY. He states, “This topic is one of the most fascinating discussions in cyber without directly involving AI, yet it remains largely underexplored.”

Decentralized university infrastructures can resemble urban ecosystems: multiple schools, departments, hospitals, and other facilities, all with fluctuating populations of students, researchers, and staff. The complexity is compounded because many of these entities manage their own IT systems, often with little oversight.

Belk emphasizes that CIOs often lack control over substantial portions of their IT infrastructures. With attacks moving ever faster, the average time organizations have to identify and counteract an intrusion has plummeted from about nine hours in 2019 to approximately 48 minutes today, raising serious concerns for IT security in educational contexts.

Research computing environments, traditionally governed by individual departments and funded through grants, pose unique risks because researchers often perceive them as personal assets. As universities come to view research as a viable revenue stream, CIOs are increasingly tasked with securing these infrastructures as they would enterprise systems.

Addressing Cybersecurity Fundamentals

To effectively address these challenges, Belk recommends that CIOs get back to basics, focusing on foundational security measures such as monitoring, access control, and consistent patching. According to research from Mandiant, approximately 33% of breaches occur due to known software vulnerabilities, making patch management critical to safeguarding IT environments.

Compounding these issues, many recent breaches relied not on technical flaws but on social engineering, underscoring the urgent need for robust identity and access management (IAM) systems. Many universities struggle with multiple Active Directories and fragmented IAM approaches, which calls for strategic modernization.

Belk advises a phased implementation of passwordless systems, beginning with administrative staff and gradually extending to faculty and researchers, as well as aligning identity management with evolving security requirements. He sees potential in artificial intelligence to bridge staffing gaps in cybersecurity operations, facilitating compliance and improving response times.

CIOs are encouraged to forge collaborations with faculty engaged in cybersecurity research, providing hands-on opportunities for students and enhancing the institution’s cybersecurity posture. As Belk points out, “Researchers are often eager to demonstrate their work in real-world applications, benefiting both their academic pursuits and institutional security initiatives.”
