Feature

Cyber security: whose job is it anyway?

Cyber security is a strategic priority at an increasing number of UK colleges and universities, as evidenced by data from Jisc’s cyber security posture surveys over the past six years.

Man using multi-factor authentication

However, not all technical teams have found it easy to convince senior leaders of the importance of continued investment in cyber security.

Q&A with Elaine Hartin and Mark Taglietti

Ulster University’s Elaine Hartin, chief strategy and finance officer, and Mark Taglietti, chief digital and information officer, explain how they engage their board members, students and staff in cyber security.

How does Ulster University go about establishing the oversight of cyber security and allocating responsibility and accountability?

Mark:

When I started at Ulster University we were in a good, but not a great place; we were quite good on technical controls, not too bad on admin controls, but there was not enough rigor around governance, compliance and accountability – and I was losing sleep over it.

Our approach was to assess the threat landscape, work with sector partners – including Jisc, UCISA, Queens University in Belfast and suppliers – to leverage those partnerships and share learning.

The real key, however, was engagement with the Ulster senior leadership team (SLT), the audit and risk committee, and university council.

We were very straight talking and had to assess the risk and clearly communicate that risk in easy-to-understand terms.

I remember sitting down with the SLT and saying, ‘If you don’t take this seriously and invest in a cyber response, not only could you lose all the university systems, but you’ll also lose the network, data, reputation and financial standing.’

We were very straight talking and had to assess the risk and clearly communicate that risk in easy-to-understand terms. It worked: we got buy-in from SLT and secured the business case for funding a large cyber security programme, which enables us to deploy enhanced technical and administrative controls to protect the entire institution.

It’s not just about senior leaders, though. I think the key to success is winning hearts and minds and that’s about how you communicate across the board. Everybody must understand that cyber security is everybody’s issue, in their personal and professional lives.

We threw the kitchen sink at it, so that everyone understands that responsibility for security is business-as-usual and it’s continual, and that not for one moment can any of us take our eye off the ball.

Building a good engagement strategy was key. It included emails, podcasts, videos, town halls, one-to-one discussions, and mandatory learning modules. We threw the kitchen sink at it, so that everyone understands that responsibility for security is business-as-usual and it’s continual, and that not for one moment can any of us take our eye off the ball.

Elaine:

I’ve been at Ulster University for a year, and I was delighted that I came into an organisation that was taking cyber security seriously. I was pleased at the level of investment and the support that was in place, particularly the success that Mark and his team have had putting cyber security as a standing agenda item with the audit and risk committee and SLT.

The committee is ready and willing, and has, in fact, called out parts of the business where we have had cyber-control issues. Parts of the business have to explain why they are not progressing things at pace so we can understand what support they need and how we work it through.

Some of our academics have in the past seen cyber security as a blocker to their jobs as teachers and researchers, but now they see it as a facilitator and they recognise it’s everyone’s responsibility.

We also have good relationships across the institution. Some of our academics have in the past seen cyber security as a blocker to their jobs as teachers and researchers, but now they see it as a facilitator and they recognise it’s everyone’s responsibility.
There’s also an awareness that cyber security is being scrutinised from the top.

Elaine, you’ve worked in the college sector as well. Have you noticed any differences in approach?

Elaine:

There is certainly a difference, but that may be down to the size and scale of Ulster University and where we are in our maturity of knowledge and awareness around cyber security compared to my experience in further education (FE).

I was in FE for 10 years and cyber security was in its infancy when I joined. I recall some quite challenging discussions in the early stages, for example bringing forward a proposal for a new role – an IT security officer – and being turned down. I was told it was unnecessary and would only block delivery to students.

This was a common view then, and thankfully the college quickly moved on from this view and made the necessary investment in security. I don’t believe I would encounter this problem today, given the knowledge and understanding of cyber.

The issues for HE and FE are similar, though, and I think the biggest challenge is bringing colleagues with us on the cyber security journey.

Good communication appears to be important, so how do you go about making a complex subject accessible to everyone?

Mark:

Keep it simple, to the point, concise and not overly technical. Be careful not to over communicate because people get fatigued, for example with too many emails.

We vary our communication and embed it into the culture of the university, so it becomes habitual.

For example, we have deployed multi-factor authentication (MFA) and initially people didn’t like that, but now we have number matching and location tracking, so it makes MFA easier for staff and for students to log on. And that’s important for all the measures we put in place for cyber security – they have to make things easier, not harder.

Nobody really wants to be the person who allows in a cyber-attack that brings down the entire university, so we make them think about the consequences of their actions, without catastrophising.

We are always open and honest. One of the approaches we’ve taken with our researchers and academics is access control, so they get only basic network access if their device doesn’t meet those controls, i.e. security posture checks.

Nobody really wants to be the person who allows in a cyber-attack that brings down the entire university, so we make them think about the consequences of their actions, without catastrophising.

How do you ensure the best level of investment in cyber security?

Elaine:

Largely that’s been done through risk management. The approach has been to identify the potential impact of a cyber-attack on the university. It’s been easy to do that through our own experience, for example of phishing attacks, which demonstrates just how easy it is for an attack to occur. That risk approach focuses minds and moves cyber security high up the list of priorities.

We are lucky in Northern Ireland in that we can access some capital funds and we’ve been able to make successful business cases internally too, so over the last three years, we’ve had a solid cyber investment plan. There is also an expectation now that we will continually have a cyber programme in play.

That investment – achieved through good risk assessment and management, impact planning and business case development – sounds like a lot of money, but it’s really not compared to what it would cost if we lost the entire digital estate.

Mark:

Over the last three-and-a-half years we have secured more than £3.5m for technical funding and we’ve been able to almost entirely rebuild cyber-related aspects of our technical architecture.

That investment – achieved through good risk assessment and management, impact planning and business case development – sounds like a lot of money, but it’s really not compared to what it would cost if we lost the entire digital estate.

So, it’s a good investment, but it’s a continual process and nobody should be under any illusion that’s it, because at some point we’re going to get attacked. The trick is how well prepared we are to respond and recover.

Support from Jisc