Too much old equipment: Universities are still over-reliant on a lot of traditional security such as firewalls and antivirus that wouldn't have been out of place in the 1990s, suggests VMWare's UK Government and Public Services director, Tim Hearn. Perhaps, then, it is about money, at least in part. Equipment will have to replaced in the immediate future, a time when budgets will be under huge pressure. A deeper question is whether universities have specialised needs - balancing a need to share but also protect - that can't easily be protected by general-purpose IT security architectures. University IT defeats simple models of perimeter security, especially as a rapid migration to cloud computing continues apace.
Security doesn't add enough obvious value: No student or staff member assesses a university's security posture before agreeing to study or work there. It is just assumed that security has been dealt with. This might be changing. Reputational damage seems remote for universities but that might no longer be the case with nearly eight in ten claiming to have suffered loss of reputation as the result of a cyberattack.
Reaching vice chancellors: Every enterprise security 101 implores organisations to bridge the culture gap between managers, in this case vice chancellors, and IT. In universities, which are complex organisations, that might be easier said than done. University management structures seem to vary from institution to institution.
Reconciling complex values such as openness: According to VMWare's Hearn, the problem is less about not having the money to fix problems as having to reconcile security with the understandably deeply-ingrained value of openness on which universities are founded.
"The whole idea of a university is to encourage openness. There has been a reluctance to invest in security that might compromise that," he told Computerworld UK. "It is incredibly difficult to get the balance right." This culture of openness also explains why valuable and sometimes sensitive data and code is sometimes posted on public forums when it shouldn't be.
Universities as businesses in denial: Are these values of openness out of date? In short, no, but the conception of how universities work is changing in subtle ways. Universities and researchers scramble for money in a funding market with finite resources and yet universities still struggle to think of themselves as full-fledged businesses. If they did, VMWare suggests, they might invest more in security and secure processes.
Sign up for CIO Asia eNewsletters.