In the military, you need to have a keen awareness of threat and risk management. The pressure is on informed leaders to direct their teams to make great decisions as part of protocol. Otherwise, mission success is at risk, which could cause serious damage to individuals, property, values, and beyond.
There are keen similarities in the world of information security, where there is a critical need to protect people and the information which, in the wrong hands, could do untold damage.
The best line of defence begins with identifying your own weaknesses, and then building them up with a team of experts and well-maintained infrastructure to fortify your position.
Without a doubt, strong leadership and goal-driven teams are imperative to achieving strong capabilities in both fields.
Journeying to civvy street
After 28 years as a military surveyor, intelligence officer, and a bomb disposal officer, I took up a post at an ultra-secure data centre start-up company, looking after its operations, ISO27001 physical security, cyber security, and service desk.
This propelled me into my next role as the lead security planner for the London 2012 Olympic park and athletes village, where I worked across business continuity, disaster recovery, security, data centre security design, information security, and more.
Eventually, I felt it was time to leave the corporate world and look for a new challenge. So, in 2013, I joined Brunel University London.
Building security from scratch
In 2013, the status of cyber protection and cyber resilience was not in good shape following decades of underinvestment in architecture, cyber tooling, process, and training skills.
It quickly became clear that much of the cyber operating model would need building from scratch, with a sound business-enabled capability development programme. It was a major undertaking.
As we drew into an era where the cyber risk and cyber threats were at an existential level, I realised that we needed to get a grip on security and privacy.
Data breaches at the university could lead to fines and put its reputation at risk. Rightly, our students expect a high level of protection of their data, and our intellectual property is a valuable target, too.
Convincing the board
Once we had assessed and promulgated the gaps and risks, there was a new challenge: convincing our non-techy but savvy executive board that updating our info-security infrastructure, architecture, and processes was a worthy investment that would pay off.
In our pitch to the board we led with business benefits, resulting in a five-year strategy that had business enablement at its core.
Fortunately, we had an executive champion in our chief operating officer, who worked with me and my growing team to communicate the business value of the changes we needed to make to our infosec practice and the smart investment that was required. He helped prove that the thought leadership behind our initiatives was balanced, intelligence-driven, and commensurate with the risk.
With the executive board approval of my strategy came the investment for me to build capability: training the workforce, recruiting an infosec and privacy team, building a unified cyber security platform, embedding sound risk and governance practice, and making more people aware that we weren't just doing this for IT - this was across the whole university.
Developing strategic partnerships
I knew that we couldn’t achieve our goals alone, so we developed strategic partnerships with industry leaders Cisco, Exabeam, and Khipu, which have become ‘critical friends’.
They helped me steer the vision that I have for the university, especially in developing the technical ‘unified cyber security platform’ which was the first of its kind in the UK academic sector.
Jisc continues to be a vital component of our wider industry partnerships to support our posture. Its technical capabilities for cyber risk reduction, and ever-increasing intelligence and warn-and-inform capability via the computer security incident response team (CSIRT) and the security operations centre (SOC), are crucial to maintaining our own level of situational awareness for the risk, threats and tactics, techniques and procedures (TTPs) from protagonists we face.
Alongside our other partners, Jisc is great to reach out to when we need to analyse information and threats. It provides a highly professional service for the education and research community that we’re keen to develop and mutually improve.
In addition, some of the tech instrumentation from our partners provided superb analytical intelligence for our analysts to work with, and our flash to bang time of threat to action is much reduced.
It’s not all done though; the next stages are crucial to mature the cyber security operations centre and include developing playbooks, maturing our incident management processes, and arranging joint exercises with incident response teams.
Another valuable lesson was the power of simulation exercises to find vulnerabilities that threat actors could exploit.
Setting a strong foundation
Together, we've conscientiously built upon basic foundations to establish next-generation technology in our data centres, cyber security operations centre, and across our digital environment.
We've shifted to a position of intelligence collection that allows us to monitor nefarious activity or anomalous activity and take swift action. That's a huge step because we're now able to interject and contain problems quickly.
It’s also crucial that the people operating all the instrumentation have training which keeps pace with both the technology and the tactics of potential attackers. Now, our staff appreciate their part in the process and the investment we're making in them.
Positive culture change
One of the biggest positive changes we saw was the boost to morale. It was important to show the university and the workforce that we could quickly transition from nothing to best-of-breed technology and the team of infosec analysts - who monitor 24/7 - are improving incident response rates.
One of the more tangible differences is in data handling. Business units are now recognising that we will support them to put security and privacy controls in place around their applications.
People are also better at reporting breaches; they're flagging privacy near-misses and causes for concern on the security of data. As a result, our security team now touches all parts of the university and staff have come to rely on us because we act as problem solvers, not policemen.
Our staff now understand the seriousness of infosec and the ramifications of failing to secure their data and the risk of data privacy breaches. Peer pressure is in full force; people are routinely checking themselves and their teams.
The executive team is happy because we have the metrics to show that we have reduced business risk quite considerably over the last two years and built a unified cyber security platform that our cyber researchers can use to collaborate with us.
It's not been easy all the way. There have been a lot of challenges, but we fought through as a cohesive unit. It really will be worth it, I told the team, and I think they’re proud now of all that we’ve achieved, although there is still so much to do and two and a half years to go until our five-year strategy is complete in 2022.
Joining forces to achieve goals
Now, we're going into phase two, which focuses on optimisation and the implementation of zero trust environments, data loss prevention technology, and micro-segmentation to help create the safe data havens we envisage.
It was a profound moment when I realised just how much I trust the intentions, capabilities, and strategic insights of the team which helped shape the future for the university - everyone from the IT teams, our critical friends, the executives, project managers, procurement, privacy teams and each college and directorate. It’s always nice to have great people standing together to achieve big goals.
And so the mission continues to evolve and will become more complex, as we deal with the constant bombardment of new threats. But we act as one unified team, with strong leadership and excellent collaboration, so we can stand at ease knowing that we are the best line of defence for Brunel University.
As I write, a new risk challenge has come along requiring a shift in posture. COVID-19 has enhanced the cyber risk globally to all organisations, and now we must adjust to new working-at-home practice and new service deployments to support that.
This brings a security risk that must be identified and managed, which most certainly for us is an ongoing effort to protect our assets in a new dimension of threat, and with an expansion of its threat surface.
Managing all this requires time, effort and a full organisational approach, with senior leaders recognising the very real risk we face through this period.
This story is featured as part of our annual review 2019-20.