Blog

Cyber security is not just about the technical

Avatar headshot
by
David Batho

How to persuade senior management to invest in cyber protection, from avoiding acronyms to building a community.

Colleagues in discussion in the workplace.

There really is nothing fundamentally technical about cyber security.

It may seem counter-intuitive, but effective cyber security is actually more about people.

After all, it doesn’t matter how much technology you have in place if all it takes is one person who hasn’t fully understood the risks to click on a phishing email. But getting to the stage where cyber security awareness is built in at every level requires a major shift in organisational culture.

What’s needed is a willingness on the part of everyone – not just the IT department – to work together to do the right thing.

What’s needed is a willingness on the part of everyone – not just the IT department – to work together to do the right thing.

The importance of senior management buy-in

It all starts at the top: securing commitment at the highest levels is key. Not only does it ensure that the risks and proposed solutions are clearly understood from the outset, but it also gives the right signals to the whole organisation, making it easier to convince others to collaborate in a concerted effort to defend as one.

The best way to raise the issue of cyber security with senior management is by speaking in terms of business rather than technology. No-one on the senior leadership team wants to hear about RPZ feeds or port 3389, so avoid jargon and acronyms. It's not other people’s job to understand them.

What’s more important is understanding the institution’s needs, the business processes that need protecting, how they work, and what their correct outcomes should be. It's about taking a holistic view of the environment, knowing what data there is to protect and where it is.

Clarifying the risks

Any approach to cyber security needs to balance the often conflicting demands of confidentiality, integrity and availability. The whole point of universities and research institutions is openness, and that’s not always conducive to effective cyber security.

Senior management should therefore clarify the organisation’s goals to ensure cyber security is supporting them. Cyber security exists to enable an institution to conduct its learning, teaching and research activities in a secure, safe manner based on an acceptable risk appetite – which, in this sector, is usually low.

To really bring home the potential risks and the importance of being prepared, Jisc’s ransomware exercises are a useful tool. These simulate the problems that occur during a real-life incident in a safe environment and can be delivered at different levels for management and IT staff.

Prevention is better than cure

Once the risks and vision are clearly understood, the discussion inevitably moves to finance.

Preventing cyber attacks costs money. It requires investment in cyber professional staff, in training, in technical solutions. And, while senior management might be worried about cyber risk, they may not fully appreciate the situation and will – understandably – be reluctant to throw money at a problem that may never happen.

But prevention is always better than cure, and usually less costly.

But prevention is always better than cure, and usually less costly.

Remember that a serious cyber incident has other impacts as well as financial. Heather Lowrie at the University of Manchester has recently spoken about the human cost incurred not only during an attack but the recovery period as well, and how, with Jisc’s help, the situation was successfully resolved.

As part of their Jisc membership, any UK research or education institution connected to the Janet Network can avail themselves of the accredited expertise of Jisc’s cyber protection teams, along with essential core services to help maintain a safe digital environment.

Demystifying cyber security

Building a culture of cyber awareness throughout an entire institution and its staff and learners is an enormous task. But we are definitely seeing a change as cyber is demystified and integrated into the everyday use of technology in teaching and learning. Increasingly, cyber awareness is being included in student inductions and taught as part of non-IT-related courses.

A valuable resource for awareness building is Jisc's cyber security community group. With 1,700 members, this fast-growing community provides an open forum where peers can exchange knowledge and best practice.

By discussing and demystifying cyber security we can shift it from being a technology issue to being all about people.

By discussing and demystifying cyber security we can shift it from being a technology issue to being all about people.

And that’s key to building a culture of collaboration and common purpose which will make the sector safer for everyone.

About the author

Avatar headshot
David Batho
Director of security, Jisc