"You can't leave one of them out," she says, noting that Georgia State was one of the first higher-education institutions to adopt the ISO 27000 series of standards for information security.
Clark says the school uses the usual technologies, such as encryption software and anti-malware tools. But she adds that Georgia State started beefing up its protections two years ago, because the latest malware -- which may be carried in email phishing links, website URLs or instant messages -- can evade traditional defenses.
Specifically, GSU is focusing on improving its architecture and training its data center employees (who are on a 24/7 schedule) to monitor reports coming from the school's suite of security software and to handle first-level incidence response regardless of when hackers launch their attacks.
As part of this effort, the college last year deployed a vulnerability assessment system, QualysGuard from Qualys Inc., to get an overall view of the school's IT security status. In addition, the school invested in a penetration testing platform, Core Impact Pro from Core Security Technologies, to probe for vulnerabilities.
And late last year, Georgia State installed a bot detection program that analyzes traffic and can, for example, display command-and-control activity originating in regions of the world that spawn a high level of malware, such as Russia.
Beyond that, Clark is in the process of deploying security information and event management (SIEM) software from ArcSight that will analyze all logs and produce reports, offering visibility into what's happening with Georgia State's hundreds of servers, thousands of workstations and 40,000 network nodes.
"We want robust and scalable and security, and this is what we need to do," Clark says, of GSU's multiple, ongoing efforts.
Baylor and others: Shift focus from device to data
At Baylor University in Waco, Texas, Jon Allen is shifting his attention from device to data.
To be sure, the school's information security officer still uses firewalls and anti-malware tools to try and keep all desktops, laptops and handheld devices safe. But he's most interested in concentrating on data itself. "We're looking at wrapping security around data," he says -- classifying data and assigning it escalating levels of security that stay with it as it travels.
"It's not [just] looking at how to secure a new device on the network," Allen explains. "I have to look at how information flows, because the most fundamental piece we need to control is the data."
Sign up for CIO Asia eNewsletters.