Higher ed has a cybersecurity problem and technology won’t fix it
Higher ed has a cybersecurity problem and technology won’t fix it
https://thekoalanews.com/higher-ed-has-a-cybersecurity-problem-and-technology-wont-fix-it/
Publish Date: 2026-05-17 16:45:00
Source Domain: thekoalanews.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
Universities are hard up against a cybersecurity problem and it’s more than a simple technology problem. It’s a structural one. And in many ways, a human one.
Across the entire education sector, security leaders are contending with environments that have grown organically over decades. Sprawling multi-cloud architectures, legacy infrastructure, decentralised faculties, and a constantly growing catalogue of applications and integrations. These environments were never designed to function as a unified whole, and yet the expectation – from regulators, leadership, researchers, and event students – is that they must be secured as if they were.
The result is tension. Tension between ambition and reality.
Without a clear view of what exists across the environment, security becomes reactive rather than strategic. And in institutions where new tools, platforms, and research applications are introduced constantly, achieving that visibility is itself a moving target. The goal, as many in the field recognise, is not simply to add more controls, but to create a model that actually works at scale.
That is harder than it sounds.
Universities operate in inherently decentralised environments. Faculties pursue their own priorities. Research teams move at their own pace. IT and security functions are expected to provide consistent protection across a landscape they do not fully control. This isn’t a failure of planning, rather the nature of the institutions. But it creates real complexity for anyone trying to enforce policy uniformly or build a coherent security posture.
What makes this challenge particularly difficult is that the technology layer is only part of the equation. The bigger challenge lies in managing change. Bringing together a wide spectrum, from highly capable developers to researchers and educators who don’t have the time and resources to devote additional time outside of the classroom under a shared security culture requires something that no platform or product can provide: influence, communication, and sustained organisational effort.
At the same time, the environments themselves keep expanding. The rise of AI has added another dimension of risk that many institutions are still working to understand. In some cases, tools are being deployed at speed, with governance and security considerations following behind.
Meanwhile, budget and resource limitations were never far from any serious conversation about institutional security. Security teams are not growing at the same rate as the environments they manage. The instinct to add new tools in response to new risks is understandable, but it often compounds the problem. Many organisations are now dealing with too many vendors doing too many things, creating unnecessary complexity and stretching already thin teams even further.
The response to this – and it is the correct one – is to shift toward simplification, consolidation, and automation. A focus on doing fewer things well, rather than more things poorly.
But before any of that can be effective, the fundamentals must be in place. Identity and access management. Data classification. API security. Governance frameworks. These are not glamorous priorities, but they are the foundation on which everything else depends.
Layering advanced capabilities – AI-driven security tools, for example – over top of unstable or inconsistent foundations is a risk in itself.
There is also the question of resilience. Preventing incidents will always be the priority, but the honest question for any institution is this: What happens when something goes wrong? Not if. When. Do you have a plan, and have you actually tested it? The organisations that weather disruption most effectively are those that have worked through failure scenarios in practice, not just in theory.
So, the answer is not a single product or platform. It is a commitment to getting the basics right, building shared understanding across the institution, and investing in the human infrastructure – the relationships, the communications, the cultural change – that technology alone cannot provide.
Jason Baden is regional VP A/NZ at F5
