Insights from Presenting at URMIA Northeast Regional Conference
Last week, I had the opportunity to speak at the URMIA (University Risk Management and Insurance Association) Northeast Regional Conference in Norwood, MA. It was a fantastic event with an incredibly engaged audience—and it gave me the chance to share the stage with David Marion, Director of Information Security at Bridgewater State University. Our session was titled “Under Siege: Cybersecurity Lessons Higher Education Must Learn Now,” and judging by the head-nods and post-session questions, the topic hit home for many attendees.
This wasn’t your typical cybersecurity conference. URMIA events bring together higher ed risk managers, insurance professionals, and compliance leaders—not necessarily cybersecurity practitioners. That made it especially valuable. Often, these are the people responsible for writing and managing institutional risk plans—everything from fire safety and health protocols to, more and more, cybersecurity strategies.
During our talk, one of the biggest themes we touched on was the importance of making cybersecurity real for non-technical leadership. For a lot of higher ed institutions, cybersecurity conversations are still siloed within IT or the CISO’s office. But the reality is that modern cyber risk stretches well beyond tech—it reaches legal, financial aid, registrars, and every student and staff member who uses a connected device. Bringing in those voices is no longer optional. It’s essential.
Questions and Key Takeaways
After our session, we fielded a lot of questions—particularly for Dave about the cyber range at Bridgewater State. People were really curious about what it looked like, how it operated, and how it could be used for tabletop exercises and hands-on training. That resonated with the crowd, especially when we discussed involving senior leadership in incident response exercises. Far too often, tabletop exercises stop at IT. But cyber incidents affect the whole institution—meaning legal counsel, registrars, student affairs, and finance all need a seat at the table.
There was also a great deal of conversation around cyber insurance and legal representation. Specifically, we heard from a number of attendees who expressed a clear lack of faith in their campus legal teams when it came to data privacy and cybersecurity issues. Many felt their general counsel wasn’t equipped to advise them on what actually constitutes a reportable data breach or the definitions around PII and PHI. And a big part of that came down to poor communication—these risk leaders weren’t even sure who their cybersecurity leads were, let alone what the incident response plan looked like.
That disconnect was a recurring theme. In a lot of cases, the only time risk managers hear from their IT or security teams is when something goes wrong—or when a compliance obligation lands from the Department of Education or another regulatory body. There’s a massive opportunity here to build those bridges now, before the next incident forces the conversation.
Phishing Students and Measuring Risk
Another standout topic was phishing students. This one generated tons of interest, especially as people started thinking through how it impacts overall institutional risk. Are universities testing their student population? If not, why? If so, how are they approaching it, and what has the response been? I think what really resonated was the idea of framing cybersecurity in terms of organizational risk, not just IT controls.
That broader framing continued into other sessions I attended. Risk managers are starting to take a closer look at GRC tools—especially how their campuses track, score, and respond to cybersecurity risks. Many didn’t even know what systems they had in place for risk governance, which is a challenge in itself. But there was a growing interest in understanding the risks posed by various groups—students, faculty, staff, and even campus visitors.
Creative Solutions in a Tight Budget Environment
Budget cuts and shrinking resources were another hot topic. A lot of the conversations centered around how to make the most of what you already have. One idea that sparked some interest was leveraging computer science departments to support cybersecurity initiatives. With the right structure, these departments can offer valuable hands-on support while giving students real-world experience. It’s a creative way to stretch limited dollars—and it’s a win-win for both cybersecurity teams and academic programs.
Cyber Risk Doesn’t End at the Border
Lastly, international travel was another big focus at the conference. One session addressed how to manage cybersecurity risk when faculty, staff, or students travel abroad. Questions came up about using VPNs, whitelisting IPs, setting up MDM solutions, or even providing separate, hardened laptops for international use. It’s a great example of how cybersecurity needs to adapt to the realities of higher ed operations—especially in a global academic environment.
Closing Thoughts
All in all, it was an energizing event. The conversations we had confirmed what I’ve seen time and again: cybersecurity is no longer just an IT issue—it’s a campus-wide concern. And the more we can engage non-technical leaders in that conversation, the more resilient our institutions will become.
If you were at the conference and want to continue the conversation, don’t hesitate to reach out. And if your campus hasn't taken steps to bridge the gap between cybersecurity and enterprise risk management, now’s the time.