The college says it needs to spend nearly $3 million to fight cyber attacks.

Alissa Mahar, vice president of college services and Saby Waraich, information technology dean, chief information officer and chief information security officer asked the Clackamas Community College Board of Directors for $2.8 million over 3 years for cyber-security upgrades to the college’s current program.

Saby Waraich is the Dean and CEO of the Information Technology department. Photo courtesy of Saby Waraich.

The current state of CCC’s cyber security program is less than optimal. 

“Most organizations that have some level of sophistication do have a security program in place to protect systems and assets,” said Mahar, “as you can imagine, that’s something we’d like to do for CCC.”

Even with $2.8 million, it still won’t be. Part of that money would be spent on five employees to help implement proposed changes to the program as outlined in the department’s Information Security Strategy Roadmap. 

“I’m not even talking about level 5, which is optimized, I’m just saying the bare minimum, 3.2, to reach that number we need this number (of employees),”  said Waraich.

The numbers Waraich is referring to are a cyber security classification method called Security Target States. As part of this method cyber security programs are broken down into readiness levels 1 thru 5. Level 1 identifies Ad Hoc programs, which is to say no program at all. Level 2, where CCC is currently, identifies Developing programs. Level 3 is classified as Defined programs, this is where that $2.8 million will get the college. Level 4, Managed programs and level 5, Optimized programs, neither of which are goals during the next three years.

The need for a more robust cyber security program at CCC does more than simply secure student, faculty, staff and institutional information out of the hands of hackers and avoid a data breach which, according to Mahar, cost institutions an average of $3.9 million each year.  The upgrades to the current cyber security program are what allows the college to be insured against data breaches. 

So far the college IT department has taken small steps toward improving security. Waraich and his staff did something most of us wouldn’t think of; they ran a phishing scam of their own. Sort of.  They wanted to know how many system users would click on a suspicious link.  According to Waraich the number of people who clicked the link was staggering. They were then able to use that data to educate users on the dangers of phishing emails.  Then the team added a “Phish” button in Outlook so users could report suspicious emails to the IT department.

They also deleted nearly 50,000  administrator users. Most people don’t need to add and remove programs from a college computer and therefore don’t need admin privileges. By removing those un-needed user access levels they were able to close a rather large hole in what is already a fairly small fence. 

But that was just to get insurance, just to get someone to talk to the college about getting a quote in what has become a very shy market, with fewer insurance companies willing to write policies. The cost of insurance has risen three fold, according to Mahar, for less coverage. The upgrades made by Waraich and his team made getting insurance possible.

However, to meet compliance obligations the college cannot rest on its laurels and the work already done. The $2.8 million requested by Mahar and Waraich will get CCC up to the minimum level allowed.

Those five employees that the department needs to hire won’t be easy to find either. Cyber security is a growing field that is only now being planted with any serious efforts. But those efforts won’t pay off for years to come.  

According to Tim Cook, CCC president, Mt. Hood Community College is creating one of the first applied baccalaureate degrees in cyber security.  “One of the potential benefits,” he said, “is they’re going to need practicum opportunities and so we may be able to have some of those students working with us.”

In the meantime Clackamas Community College will not be optimized.  Even if the IT department gets the $2.8 million into the budget as requested, the college is only hitting the minimum standard over the next three years.  Not exactly the most reassuring state to find one’s personal information in.  But if not for Waraich and his team we wouldn’t even have that.