Don Welch, the Chief Information Security Officer (CISO) at Penn State published a nice write-up on the need for strategy. Cybersecurity in academia is more challenging than most understand and it requires forethought, planning, and good metrics to keep it on the risk management tracks.
Don explains:
"Cybersecurity in education is hard, we face the same threats that industries like finance and the defense industrial base do, except we face them with a culture that prizes openness, privacy and agility as well as decentralized operations"
I have overseen security at a few university co-location sites and everything Don Welch describes resonates. I would add one bit that he was kind to omit: that the users (students) themselves can be major risks and even purposely attack the system (sometimes maliciously, sometimes out of curiosity). It makes for a difficult environment to manage!
Long term success requires strategy and the metrics for operational vigilance to align to evolving risks and goals.