Prioritizing Information Security

Q&A with Josh Sosnin, Senior Vice President and Chief Information Security Officer

As a software company, information security is of utmost importance to us. Improper access to data can result in negative consequences for our employees, customers, partners, and communities, and lead to a loss in revenue, trust, and privacy.

At Ellucian, we rely on information security policies and practices to drive behavior, enforce rules, and provide guardrails to ensure protection of our company and customer assets. Our global team of information security and cloud experts work 24/7 to keep our customers' data private and secure.

Ellucian's Senior Vice President and Chief Information Security Officer Josh Sosnin shares his view on critical information security questions across the software and higher ed industries.

How does transitioning to Software as a Service (SaaS) help a higher education institution reduce the potential of an impactful cyber incident?

When an institution moves to Ellucian SaaS, they get the benefit of controls implemented by an organization that manages security of data as a fundamental part of its business. This includes undeletable backups, best of breed threat detection and response from a dedicated team, and the ability to quickly identify and close a vulnerability. As an example, we recently closed a major vulnerability in less than two hours of it being detected and shared publicly. In that short span of time, we were alerted to the vulnerability, identified and tested the fix, and deployed the fix into production. SaaS automation makes expedient threat detection and resolution possible.

What information security and compliance challenges are unique to the higher education sector?

Higher education has perhaps the most diverse group of users you can imagine: prospective students, students themselves, faculty, staff, alumni and parents. In the U.S., higher education institutions are held to the same high standards for information security and compliance as regulated financial institutions, as well as the requirements of other laws such as FERPA, HIPAA, CCPA and state cybersecurity requirements. In other countries, they can be considered critical infrastructure, with compliance controls you might see for a power plant. Maintaining these high standards can be difficult with the limited budgets and staff that are a reality at many institutions. Ellucian helps our customers address this challenge with Ellucian SaaS.

What are the most important information security practices you recommend to higher education organizations?

Make sure you have the basics nailed. This includes maintaining viable, undeletable, tested back-ups. Multi-factor authentication (MFA) for everyone has never been more important, and institutions should be working toward phish-resistant MFA. Modern endpoint detection and response is critical, as is vulnerability detection, and a patch management program that lets you quickly address updates. And finally, education, education, education – make sure you are consistently sharing best practice with all of your users to protect them and your information systems from attack.

How did the cybersecurity landscape evolve in 2023?

The advancement of Artificial Intelligence (AI) was a game changer in 2023. While AI has and will continue to help defenders do their jobs, the use of AI will allow sophisticated attacks at scale. Unfortunately, attackers will have a head start, making education, awareness and controls like phish-resistant MFA even more important.