Event Experience

Delivered entirely online, this two-day Symposium offers live, online engagement opportunities intentionally designed to allow time for reflection between sessions filled with content, inspiration, and connection. The program includes interactive community discussions and emphasizes community-driven content that highlights innovative projects, practical strategies, and impactful achievements from across the higher education community.

Earn the Microcredential

Each registered participant will complete various activities that apply concepts and strategies introduced in the Symposium that support the learning outcomes. Those who successfully complete required activities will receive an EDUCAUSE digital microcredential recognizing their accomplishment.

Day One | June 22 Sessions Include:

Institutions face a complex risk environment, especially in the IT realm. Data security, cybersecurity, compliance, third-party vendors, and business continuity are just a few examples. What other IT-related risks do institutions worry about? During this session, we'll give a primer on other types of risk facing campuses, such as reputational and financial risk, explain how institutions finance risk, and discuss partnering with campus risk managers to mitigate those risks from your seat at the table.

Drawing on higher education risk management practice, the session will broaden the conversation from technology controls to institutional assets and outcomes. Campus risk managers help identify, assess, and prioritize risks that may affect people, operations, finances, reputation, and mission. They also help leaders decide which risks should be avoided, reduced, retained, transferred through insurance or contracts, or escalated for broader discussion. Participants will learn how security and privacy teams can contribute to these conversations and connect IT risks to business continuity, financial impact, institutional reputation, and mitigation strategies.

Learning Objectives:

  • Identify institutional risks that intersect with IT, including reputational, financial, compliance, third-party, and business-continuity risks.
  • Explain how risk financing, transfer, mitigation, and escalation decisions shape institutional responses to risks and incidents.
  • Describe ways IT and security leaders can partner with campus risk managers to connect IT risks to mission, financial impact, reputation, and resilience.

Jack Voorhees, Senior Director of Education & Events, URMIA

Organizations that lack a formal Enterprise Risk Management department are not without options. By leveraging existing Governance, Risk, and Compliance infrastructure—particularly IT and cybersecurity risk programs—institutions can build a functioning risk foundation that supports executive decision-making and positions the organization for a mature ERM program when resources allow.

This presentation is given through the lens of a small GRC team tasked with identifying IT risk. Drawing on established standards, including NIST SP 800-37, NIST IR 8286, NIST SP 800-171, the Secure Controls Framework, and COSO ERM, it demonstrates how a minimal team can categorize and communicate risk across multiple domains, maintain a portable risk register designed for enterprise rollup, and map controls once across frameworks to reduce rework. Key outcomes include establishing a common risk language, achieving a formal Chief Risk Officer designation, and designing a risk taxonomy that aligns with COSO categories for future enterprise consolidation.

The approach prioritizes sustainability and portability in order to build the ERM program the organization wants—not the one it currently has.

Learning Objectives:

  • Explain how IT and cybersecurity risk programs can serve as a foundation for enterprise risk management.
  • Describe reasons to develop a portable risk register that is sustainable and compatible with enterprise risk management.
  • Describe how risk registers, control mappings, and framework alignment can reduce duplication and support enterprise rollup.

Raina Collins, Senior IT Risk & Compliance Analyst, University of Alaska Fairbanks

Many organizations do not struggle with knowing risks exist; they struggle with organizing, prioritizing, and acting on them consistently. Risks are often tracked in spreadsheets and disconnected from controls, compliance requirements, institutional priorities, and reporting needs.

As cybersecurity and privacy challenges grow more complex, effective risk management is essential to protecting mission, compliance, and operational resilience. This session demonstrates how a Governance, Risk, and Compliance (GRC) platform can help institutions build a structured, repeatable, and data-driven program. Virginia State University will share how they moved from endless spreadsheets into practical workflows for risk identification, impact analysis, mitigation, and monitoring. Participants will see how their program connects technical cybersecurity risks to broader institutional and strategic goals through executive dashboards, reporting, risk ratings, and control mapping. The goal is to make risk data actionable for both operational teams and institutional leaders.

Learning Objectives:

  • Recognize the limitations of spreadsheet-based risk tracking for ownership, prioritization, reporting, and control alignment.
  • Describe how a centralized GRC environment can support repeatable workflows for risk identification, analysis, mitigation, and monitoring.
  • Connect technical risks to institutional priorities through dashboards, reporting, and executive-level communication.
  • Explain how continuous monitoring and control mapping can move a risk program from reactive tracking to proactive governance.

Tabitha Rhodes, Director of IT Governance, Risk & Compliance, Virginia State University

Katie Johnson, Manager, Operations Support; Product Lead - Online Training, CampusGuard

Vulnerability management produces thousands of findings, but many institutions struggle to translate those findings into clear, actionable risk decisions and remediation. A Risk Operations Center, or ROC, provides the operational layer that connects security tools, institutional context, and governance, transforming technical exposure into a structured cyber-risk register aligned with business impact.

This session focuses on how institutions can establish ROC functions using their existing vulnerability management, IT, and governance processes. Attendees will learn methods to convert vulnerabilities into risk register entries, consistently apply risk ratings that reflect institutional impact and data classification, and assign ownership and remediation timelines. The session will also share templates for risk registers, scoring models, and escalation thresholds that work across varying levels of institutional maturity, including ways automation and AI can help correlate technical findings to critical systems and institutional priorities.

Participants will leave with repeatable ROC workflows, templates, and governance approaches to immediately improve visibility and communication and reduce cyber risk. The session prioritizes practical, adaptable workflows for direct application.

Learning Objectives:

  • Translate vulnerability management findings into risk register entries that reflect the institutional context and business impact.
  • Describe how a Risk Operations Center can connect security tooling, governance processes, and institutional priorities.
  • Identify opportunities to use templates, automation, and AI to improve visibility and communication and reduce risk.

Neel Sata, SVP, Cyber Advisory Services, TekStream Solutions

Judd Robins, Executive Vice President, TekStream Solutions
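The workflow this session describes, converting scanner findings into register entries rated by institutional impact, data classification, ownership, and remediation timelines, can be made concrete in a few dozen lines. The following is an added example, not the presenters' templates or TekStream code. The asset inventory, the scoring weights, the rating bands, the SLA days, and the hostnames and finding titles are all constructed assumptions; the point is the shape of the pipeline, not the particular numbers.

```python
"""Added example (not the presenters' templates): turn scanner findings into
risk register entries.  Asset inventory, weights, thresholds and SLAs are
illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical asset inventory: the institutional context the ROC joins to findings.
ASSETS = {
    "sis-db-01": {"system": "Student Information System", "classification": "Restricted",
                  "criticality": "Mission-critical", "internet_facing": False, "owner": "Registrar IT"},
    "sis-db-02": {"system": "Student Information System", "classification": "Restricted",
                  "criticality": "Mission-critical", "internet_facing": False, "owner": "Registrar IT"},
    "www-03": {"system": "Public Website", "classification": "Public",
               "criticality": "Medium", "internet_facing": True, "owner": "Web Services"},
    "lab-nas-07": {"system": "Research Lab Storage", "classification": "Confidential",
                   "criticality": "High", "internet_facing": False, "owner": "Research Computing"},
}

# Assumed scoring model: CVSS base score scaled by data classification,
# system criticality and exposure, capped at 10.
CLASSIFICATION_WEIGHT = {"Public": 0.5, "Internal": 0.75, "Confidential": 1.0, "Restricted": 1.25}
CRITICALITY_WEIGHT = {"Low": 0.5, "Medium": 0.75, "High": 1.0, "Mission-critical": 1.25}
EXPOSURE_WEIGHT = {True: 1.2, False: 1.0}

# Assumed remediation SLAs (days) per rating, and the rating that triggers escalation.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
ESCALATION_RATING = "Critical"

SAMPLE_TODAY = date(2026, 6, 22)  # fixed so due dates are reproducible


@dataclass
class Finding:
    """One row of scanner output (constructed; no real vulnerability identifiers)."""
    title: str
    cvss: float
    host: str


@dataclass
class RiskEntry:
    risk_id: str
    title: str
    system: str
    hosts: list
    owner: str
    score: float
    rating: str
    due_date: date
    escalate: bool


def score_finding(cvss: float, asset: dict) -> float:
    raw = (cvss * CLASSIFICATION_WEIGHT[asset["classification"]]
           * CRITICALITY_WEIGHT[asset["criticality"]]
           * EXPOSURE_WEIGHT[asset["internet_facing"]])
    return min(round(raw, 2), 10.0)


def rating_for(score: float) -> str:
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def build_register(findings, assets=ASSETS, today=SAMPLE_TODAY):
    """Aggregate findings by (title, system) so the register tracks one risk, not one host."""
    grouped = {}
    for f in findings:
        if f.host not in assets:
            # A host the inventory does not know cannot be rated; that is an
            # inventory gap the ROC must close rather than silently guess at.
            raise KeyError(f"host {f.host!r} is not in the asset inventory")
        asset = assets[f.host]
        key = (f.title, asset["system"])
        entry = grouped.setdefault(key, {"title": f.title, "system": asset["system"],
                                         "owner": asset["owner"], "hosts": [], "score": 0.0})
        entry["hosts"].append(f.host)
        entry["score"] = max(entry["score"], score_finding(f.cvss, asset))  # worst host sets the score

    register = []
    ordered = sorted(grouped.values(), key=lambda g: g["score"], reverse=True)
    for n, e in enumerate(ordered, start=1):
        rating = rating_for(e["score"])
        register.append(RiskEntry(
            risk_id=f"RISK-{n:04d}", title=e["title"], system=e["system"], hosts=e["hosts"],
            owner=e["owner"], score=e["score"], rating=rating,
            due_date=today + timedelta(days=SLA_DAYS[rating]),
            escalate=(rating == ESCALATION_RATING),
        ))
    return register


SAMPLE_FINDINGS = [  # constructed scanner rows
    Finding("Default administrative credentials", 9.8, "sis-db-01"),
    Finding("Default administrative credentials", 9.8, "sis-db-02"),
    Finding("Outdated TLS library", 7.5, "www-03"),
    Finding("Outdated TLS library", 7.5, "lab-nas-07"),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_FINDINGS):
        print(f"{r.risk_id} {r.rating:<8} {r.score:>5} {r.system} ({', '.join(r.hosts)}) "
              f"owner={r.owner} due={r.due_date} escalate={r.escalate}")
```

Two things worth noticing in the output: the same 7.5 finding lands as Low on the public website and as High on confidential lab storage, which is exactly the context the session says raw scanner output lacks; and the two database hosts collapse into a single Critical entry with one owner and one due date, so the register counts risks rather than hosts. A host missing from the inventory stops the run on purpose; in a real ROC that would be routed to an inventory queue rather than rated with a guess.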

Higher education institutions face growing cybersecurity, privacy, and compliance expectations, yet many campuses lack the staffing, tooling, or maturity to independently operate a fully developed Governance, Risk, and Compliance program.

The session begins with the experience of a single University of Tennessee campus that recognized the need to formalize governance and risk management practices. Rather than starting with a fully mature framework, the campus focused on the foundational elements: a risk register, a GRC application, data classification, and a process to identify vendor risk.

Following early success, UT System Administration recognized the opportunity to reduce duplication of effort and improve consistency by adopting the model across all campuses and institutes. This led to the development of a shared services GRC model designed to support organizations of varying size, maturity, and regulatory exposure.

This session does not present UT as a fully mature GRC program. Instead, it offers an honest, practical look at how a large higher education system is laying the groundwork for shared governance, risk, and compliance capabilities.

Learning Objectives:

  • Explain how early-stage GRC efforts can establish a foundation for broader institutional adoption.
  • Apply practical strategies to launch shared risk and vendor review processes before full program maturity.
  • Design an incremental approach to scaling GRC services across diverse campuses and organizational sizes.

Ashton Jolley, Security Analyst, University of Tennessee at Chattanooga

Chris Madeksho, Senior Security Analyst, GRC

Many higher education institutions operate with decentralized technology environments where security practices evolve organically over time. While these homegrown approaches often meet immediate needs, they can create inconsistent controls, unclear accountability, and difficulty demonstrating compliance with recognized security standards.

In this session, leaders from Enterprise IT and Internal Audit at Minnesota State Colleges and Universities will share how a collaborative partnership helped transform a fragmented security landscape into a structured, enterprise-aligned program built around NIST SP 800-171.

Attendees will learn how the team assessed existing practices, mapped them to formal controls, and built a governance structure that balanced institutional autonomy with system-wide security expectations. Rather than positioning audit as an oversight function alone, this effort leveraged audit as a strategic partner to accelerate maturity, validate progress, and strengthen institutional confidence in the cybersecurity program.

Presenters will discuss the practical steps that enable progress, including gap assessments, cross-functional governance, transparent reporting, and executive engagement, as well as how to use lessons learned along the way. Participants will leave with practical ideas and repeatable approaches they can apply at their own institutions to move from informal or “best effort” security practices toward a sustainable, standards-aligned cybersecurity framework supported by collaboration, trust, and shared accountability.

Learning Objectives:

  • Explain how internal and external audit partnerships can accelerate framework adoption.
  • Describe real-world examples that build institutional alignment and sustained executive support.
  • Describe methods for mapping existing practices to frameworks such as NIST SP 800-171.

Jackie Malcolm-Bailey, Vice Chancellor of Information Technology & CIO, Minnesota State Colleges and Universities

Day Two | June 24 Sessions Include:

Security breaches in SaaS, PaaS, and IaaS platforms often occur in the configuration, identity, access, and monitoring controls managed by the institution, not solely within the third-party provider’s infrastructure. Yet many higher education third-party risk programs stop at vendor security reviews and SSO requirements, leaving important institutional security responsibilities underexamined.

This session presents a case study of a security review of a Salesforce instance after the platform became a target of the threat actor ShinyHunters. We will share how a holistic review of the platform's security uncovered opportunities to improve application configuration, access management, monitoring, and user awareness. In response to this security review, university IT implemented platform security best practices, a security awareness campaign, centralized identity controls, and the tracking of platform security metrics to protect the institution’s data in a hosted platform.

Learning Objectives:

  • Explain why security reviews must include institutional configuration, identity, access control, and monitoring responsibilities.
  • Identify controls and awareness practices that secure cloud-based platforms.
  • Understand institutional and administrator responsibilities for securing data in hosted solutions.

Paul Drake, IT Risk Management Associate Director, University of Notre Dame

Relying on static assessments leaves institutions vulnerable to threats that arise between audit cycles. By integrating real-time data into the risk lifecycle, institutions can move beyond "compliance snapshots" to gain a proactive view of their third-party ecosystem, protecting everything from the registrar’s office to the laboratory.

This presentation outlines a strategic roadmap for evolving traditional vendor risk management from static, point-in-time assessments to a dynamic, continuous monitoring program. Participants will explore the full vendor risk lifecycle, from initial onboarding and approval through ongoing monitoring, and will contrast the fundamental difference between asking "Is this vendor safe now?" and "Is this vendor remaining safe?"

Learning Objectives:

  • Define and differentiate static vendor risk assessments from continuous monitoring to identify specific security gaps.
  • Enhance collaborative security through active vendor communication and real-time data to promote transparency.
  • Design a streamlined vendor risk workflow that balances decentralized agility with centralized security oversight.

Mary Stewart Wimmer, Associate Director, IT Risk & Compliance, Virginia Tech

With the threat landscape continuing to expand, it is important to be precise in what you prioritize when it comes to reducing risk. A lot of security tools help us identify artifacts, exposures, vulnerabilities, and misconfigurations within our environments, but identification alone is not enough to stop the modern-day attacker. With consistent reductions in budgets and security team personnel, organizations need to do more with less. This talk will discuss how utilizing a combination of tools and compliance frameworks helps organizations be more precise in tackling the biggest risks to their environment. In this discussion, I will identify how the threat landscape has evolved throughout the years and what risks have developed with these new technologies. After identifying the new risks, I will then discuss the different types of security tools that modern organizations are using today to tackle these novel challenges. The different types of technologies will incorporate both proactive and reactive security perspectives.

Gentry Seely, Security Solutions Engineer, Rapid7

As higher education institutions deploy AI across advising, financial aid, and compliance, the real risk isn't dramatic failure; it's quiet miscommunication. This session presents a practical framework for building confidence-aware AI systems that know their limits, escalate appropriately, and maintain institutional trust through design grounded in live deployment experience.

Higher education institutions deploy AI across some of their most sensitive environments, such as research administration, clinical services, federated identity, and compliance workflows. But confidence in a system that passed its security review is not the same as confidence in what that system outputs.

This session draws on deployment experience across federated identity infrastructure and access control, AI-assisted research administration, and campus-wide AI platforms to examine an underexamined risk: AI systems that operate correctly at the infrastructure level while producing confident, incorrect outputs at the decision layer.

We introduce confidence-aware design as a practical discipline for teams already managing complex platform environments. Attendees will examine how governance frameworks built for traditional SaaS and identity risk need to be extended, not replaced, to account for AI confidence failures. You will leave with design heuristics applicable across platforms regardless of institutional size or AI maturity.

Learning Objectives:

  • Identify where AI confidence failures create security and compliance risk exposure.
  • Describe how confidence-aware AI system design principles extend existing governance without requiring new tools or dedicated AI security.
  • Evaluate monitoring and access control architectures for their ability to surface AI uncertainty before it can impact consequential decisions.

Chaitanya Gunupudi, Senior Cloud Platform Engineer, University of Maryland
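The design discipline this session describes, an AI system that knows its limits and escalates rather than quietly acting on a confident but wrong output, can be shown as a small decision gate in front of the model. The following is an added example, not the presenter's framework or any University of Maryland code. The decision categories, the thresholds, the "never automate" rule for access grants, and the eligibility system of record are all constructed assumptions.

```python
"""Added example (not the presenter's framework): a confidence-aware decision
gate.  Decision categories, thresholds and the verifier are illustrative
assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed policy: consequential decisions need a higher bar plus an independent
# check; some (access grants) are never automated regardless of confidence.
POLICY = {
    "advising_faq":    {"consequential": False, "auto_threshold": 0.85},
    "aid_eligibility": {"consequential": True,  "auto_threshold": 0.98},
    "access_grant":    {"consequential": True,  "auto_threshold": None},  # never auto
}

AUTO, REVIEW, ESCALATE = "auto", "review", "escalate"


@dataclass
class Decision:
    category: str
    output: str
    confidence: Optional[float]  # model-reported; may be absent entirely
    subject: str = "anon"


@dataclass
class UncertaintyEvent:
    """Record emitted for the monitoring dashboard whenever the gate does not auto-act."""
    category: str
    confidence: Optional[float]
    action: str
    reason: str


class ConfidenceGate:
    def __init__(self, policy=POLICY, verifier: Optional[Callable[[Decision], bool]] = None):
        self.policy = policy
        self.verifier = verifier  # independent check against a system of record
        self.events = []          # what the monitoring layer sees

    def _record(self, d: Decision, action: str, reason: str) -> str:
        self.events.append(UncertaintyEvent(d.category, d.confidence, action, reason))
        return action

    def route(self, d: Decision) -> str:
        rule = self.policy.get(d.category)
        if rule is None:
            return self._record(d, ESCALATE, "unknown decision category")  # fail closed
        if d.confidence is None:
            # No confidence signal at all is itself a limit the system must surface.
            return self._record(d, ESCALATE if rule["consequential"] else REVIEW,
                                "no confidence reported")
        threshold = rule["auto_threshold"]
        if threshold is None:
            return self._record(d, REVIEW, "category is never auto-actioned")
        if d.confidence < threshold:
            return self._record(d, REVIEW, f"confidence {d.confidence:.2f} below {threshold:.2f}")
        if rule["consequential"]:
            if self.verifier is None:
                return self._record(d, REVIEW, "no independent verifier configured")
            if not self.verifier(d):
                # High confidence plus a failed independent check is the
                # confident-but-wrong case; it goes up, not into a review queue.
                return self._record(d, ESCALATE, "independent check disagreed")
        return AUTO


# Constructed system of record: the answer a rules-based eligibility engine would give.
ELIGIBILITY_RECORD = {"s1001": "eligible", "s1002": "not eligible"}


def eligibility_matches_record(d: Decision) -> bool:
    return ELIGIBILITY_RECORD.get(d.subject) == d.output


if __name__ == "__main__":
    gate = ConfidenceGate(verifier=eligibility_matches_record)
    for d in [Decision("advising_faq", "The drop deadline is Oct 15", 0.91),
              Decision("aid_eligibility", "eligible", 0.99, subject="s1002"),
              Decision("access_grant", "grant", 0.999, subject="s1001")]:
        print(d.category, "->", gate.route(d))
    for ev in gate.events:
        print(ev)
```

The second sample decision is the case the session is about: the model is 99% confident a student is eligible, the system of record says otherwise, and the gate escalates instead of queueing it as a routine review. The events list is the monitoring hook; everything that does not auto-act is recorded with its reason, so a dashboard can show where the model is uncertain, where it is missing a confidence signal altogether, and where it is confidently disagreeing with authoritative data. None of this requires new AI-specific tooling; it extends the same access-control and logging layers already in front of the platform.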

Third-Party Risk Management (TPRM) programs in higher education often fail in predictable ways: every vendor gets the same heavyweight review, while urgent purchases bypass review entirely. Meanwhile, procurement, IT/security, privacy, research, compliance, ERM, and business owners frequently lack a shared language for making risk-informed decisions.

This session presents a practical, framework-agnostic intake triage model that rightsizes review effort based on data sensitivity, access, criticality, and deployment pattern so that limited expert capacity is applied where it matters most. We’ll show how to translate triage outcomes into clear decision paths (approve, approve with conditions, negotiate contract terms, or accept risk), with routing, decision rights, and lightweight SLAs that work in decentralized environments—without new tools or large teams.

Learning Objectives:

  • Recognize which scenarios need expert review and which can follow lighter-weight paths.
  • Identify questions and decision-tree elements that support consistent risk-informed review.
  • Use a triage blueprint to move from intake to tiering, routing, decision-making, and exception handling.
  • Align contract review, security and privacy terms, and guardrails with the security risk review.

Alex Lindstrom, Manager, Risk Strategies, Stanford University

Technology risk in higher education rarely emerges as a single event. It accumulates through everyday decisions, decentralized tool adoption, competing priorities, and the need to get work done. As a result, institutions can struggle to create a shared language for what that risk means in operational terms.

The session will highlight common challenges institutions face in mobilizing and aligning stakeholders. Drawing on the principles that risk is relational, governance is cultural, and technology use is contextual, we will explore why risk is often interpreted differently across security, operations, and leadership.

We will introduce a tool to develop shared language that aligns conversations across stakeholders, prioritizes competing demands, and improves governance without adding complexity. The tool leverages four factors (compliance, risk reduction, value, and effort) and can be integrated immediately into existing processes.

Learning Objectives:

  • Explain how institutional context and governance culture influence how technology risk is identified and interpreted across stakeholders.
  • Use a common framework based on compliance, risk reduction, value, and effort to translate risk into clear and shared decision criteria.
  • Apply a practical prioritization method to align stakeholders, evaluate competing demands, and enable faster, more consistent risk-informed decisions.

Perry Ahmed, Associate Director, Information Security Operations, Arizona State University

Joel Larson, Director of IT Support, Network Services & Disaster Recovery, Kalamazoo Valley Community College

A vendor discloses a breach. A new state privacy law takes effect. A critical system reaches the end of its life. A department deploys an AI tool without review.

Each of these events changes an institution's risk posture. However, not every change warrants a full reassessment. The challenge is knowing when to act and how deeply to dig. This session presents a lightweight approach to risk reassessment for institutions that cannot afford to treat every change as an emergency.

Drawing on the NIST Risk Management Framework and recurring themes from the EDUCAUSE cybersecurity and privacy community, this session will introduce a simple decision model for evaluating environmental changes: categorizing triggers by type and severity, determining whether existing risk decisions still hold, and escalating only when conditions materially shift. Attendees will walk through real-world trigger scenarios common in higher education, including vendor incidents, regulatory changes, and technology transitions, and apply the decision model to determine appropriate responses.

Isaac J. Galvan, Community Program Director, Cybersecurity and Privacy, EDUCAUSE