Challenges in Higher Education Security: Portfolio Administration

Security asset management in higher education face some of the more strenuous challenges in the security industry. Security systems at universities and colleges manage thousands of identities and devices, in open and accessible buildings for diverse and dynamic populations.

Technology portfolios include access control, video management, intercom and intrusion detection systems, communication and mass notification platforms. They also potentially integrate with multiple third-party applications, such as credentialing, point of sales, parking. Management of portfolios can range from day-to-day administration and maintenance to long-term planning and lifecycle management.

These multifaceted requirements make creating a project portfolio for management large and expensive to build, complex to manage, and challenging to maintain. Portfolios can therefore risk exposure to legacy systems, inefficient processes, and high costs of ownership.

The administrative challenges around identity management in higher education are particularly complex to manage. Data sources can be legacy, decentralized, or not under security’s purview. Student and staff ID badges are also often used for multiple applications downstream, such as parking, meal vouchers, point of sale, or housing assignments. This makes data integrity vital and badge security essential. Challenges may lead to unauthorized access and approval, inefficiencies and delays in processing, or administrative overhead.

Multifaceted requirements make creating a project portfolio for management large and expensive to build, complex to manage, and challenging to maintain.

Device lifecycle management—a detailed inventory and a device health and maintenance plan—is another critical administrative need, but there is a serious industrywide gap in implementing it. Most solutions focus on the health or status of networked and addressable devices. However, there are no true lifecycle management solutions available for all devices and processes. The result is often manual tracking via spreadsheets or an incomplete picture of the health of the data and technology portfolio. This affects the security department’s funding needs, exposes it to abrupt failure of critical devices, and risks longer operational hours to manage broken or malfunctioning systems.

Security departments can use tools and processes to manage these administrative challenges. To start, gaining awareness of the organization’s current asset inventory is a priority. Security departments can inquire about and leverage existing asset management solutions, particularly in facilities management. These solutions can often help create a lifecycle for their portfolio: cataloging devices and licenses, tallying costs, and documenting procedures. This process provides an organized roadmap to security departments, to proactively plan for ongoing maintenance, future deployments, upgrades and integrations. It can be an effective tool to manage and expand the portfolio while maintaining efficient cost of ownership throughout its lifecycle.

A cross-functional understanding of security operations and data flow can help streamline the process. Often, departments are unaware of each other’s program initiatives and can duplicate efforts or build redundant applications. If security is looking for identity management and IT services has an identity governance program in progress, this cross-functional awareness can enable security to leverage some aspects of the ongoing initiative instead of duplicating efforts. Similarly, security departments should partner with IT to collaborate on leveraging existing data lakes or stores for centralized data management. Most recent access control systems also offer basic identity and access management functionality, which may provide a credential provisioning means for the larger university population and set security on a roadmap to integrate with future solutions.

The largest and most long-lasting portfolio challenges for security are not technology or data but training, education, and historical knowledge. Siloed administrators are often unaware of each other’s operations, and database administrators are unable to keep down disciplines abreast of change management. Transitioning or retiring individuals can leave a knowledge gap. Lack of training can create extra overhead, service delays, and ineffective incident management.

Ongoing education keeps stakeholders on the same page about the university’s technology, systems, and operations.

Ongoing education keeps stakeholders on the same page about the university’s technology, systems, and operations. Training on systems and technology, cross-functional discussions about operations, and backup administrative resources can help build resiliency and business continuity within security operations. Staffing gaps during illnesses or large crises, such as a pandemic, are more easily mitigated. Training can also help standardize solutions and align objectives.

Administrative challenges require a consistent set of process, collaboration, and awareness tools. Building portfolio awareness, leveraging cross-functional resources and training staff form an effective start to address them and build a long-term, strategic technical roadmap for the higher education security portfolio.

Mohammed Atif Shehzad is the founder and managing director of Atriade, a full-service security consulting firm. He has extensive background in program development, strategic master planning, and executive-level program sponsorship. Shehzad also oversees program development and management efforts at several universities and colleges.