IT and cyber security staff at colleges and universities accept that as part of the job they will sometimes have to deal with crisis situations such as cyber attacks. These intense though temporary events, contrast with the year-long pressure they’ve been under at the COVID coal-face. And the grind is starting to take its toll.
With the shift to remote working, team managers have had to find new ways to communicate with their people and many have put in place measures to help manage stress and fatigue.
There are positives though: many also report that IT and security has become more strategically important at their organisation, with senior leaders readily agreeing investment in long-overdue projects. Some are also finding they are more personally and emotionally engaged with their people than before, which has fostered closeness and greater cohesion.
Jim Nottingham, chief information officer at the University of the Arts London, highlights the impact of recurring lockdowns and shares the strategies his team has put in place to help staff cope. He says:
“This third lockdown has been really, really tough on everyone.
“A problem shared is a problem halved, and being really honest with teams about the challenges is good. Our teams have a meeting every morning, then in the afternoon have a cup of tea together online.
"We also shut down our service desk for a couple of hours every day to make sure that team, which has been under a lot of pressure, has a break.”
Paul Westmore, IT director at University of Plymouth, echoes:
“This third lockdown has been particularly tough and is psychological difficult on top of the fact that people are physically tired too, and the boundaries between work and personal life are blurred because everyone’s working at home.
“On the positive side, and in contrast to the intensity of a cyber attack, when tempers can fray, the environment has been generally more positive.”
Kevin Braim, director of IT service delivery at University of Surrey, says:
“In a previous role we dealt with a cyber attack and for three months everyone was focused and there was a lot of energy and purpose. We all came out of it fairly well and the same was true when COVID-19 initially struck last year.
“The difference between dealing with cyber attacks and COVID-19 as a whole is the long-term nature of the grind during the pandemic. We noticed that, in January, with the third lockdown, we were getting more cases of stress-related social behaviour issues in some teams.”
For Emma Woodcock, chief information officer at York St John University, there are positives and negatives:
“The team is more fatigued, but the level of sickness absence has decreased, and I think that’s because people feeling under par have felt able to continue working because they’ve been at home. That’s not always healthy, of course, and we’ve had to encourage people to take their days off, as well.
“Help desk staff are bearing the brunt of the frustrations of people across the organisation. There's been a lot to deal with there, and our HR department has provided training to help them cope with those tricky conversations.
“My team were already under quite a lot of pressure, but the pandemic took it up a notch and they've mostly coped with it extremely well. We’ve all suffered from stress and long hours, but we have been getting a lot of praise, too.”
“People in the team became more visible to the university because we had to work closely with a greater number of students and academics to find the best ways for them to work remotely. It was rather nice that we got recognition for people who would normally have been behind the scenes.”
Similar experiences are reported by Westmore:
“We have had more positive feedback in the last year than in the previous 10 put together, and that really helps. On the flipside, I worry that my tired and emotionally drained team will start to feel under-appreciated once things return to ‘normal’.”
“The university has been hugely supportive to all staff,” says Woodcock, “but what it boils down to for my team has been good management. That means understanding and allowing flexible working and setting up those all-important contact points. For example, we do a daily stand-up meeting for everyone.
“Lots of people in IT don’t use webcams but seeing people's faces in those get-togethers tells me so much about that individual, so we've encouraged that. And I encourage people to come forward if they've got problems, whether professional or personal. A number of people have done that, which is good, but it does put more stress on managers.
"I’m certainly dealing with more personal issues than before, but I've also got to know the team better, along with their personal situations, their children and pets!
“It has been an incredibly challenging sustained period of stress, and I think the higher up the chain you are, the more responsibility you have for keeping others going.”
Investment for new projects
The extra recognition has translated into extra money and support for IT and security projects, as several IT leaders acknowledge. Nottingham says:
“During the pandemic we introduced mandatory cyber security training for the whole university, which has helped reduce the risk of cyber attacks. When I took the proposal to the board, I didn’t think I’d get it agreed, but there wasn’t even a discussion.
"We are finding we can get things done now that we’ve been trying to do for years. My advice to peers is not to wait another six months to make such requests.”
“Last year we put multi-factor authentication (MFA) in place for students and made changes around cyber awareness training, which would have been a challenge to get agreed pre-COVID.”
For Woodcock, it’s about leveraging the new-found recognition her team is receiving.
“I’m using our COVID-19 response to expose weaknesses in our IT architecture and using those to get a roadmap and a schedule in place to fix them.
“I think a lot of IT professionals have historically had difficulty building a business case around something that is very technical and presenting it to people who don't understand tech-speak.
“Strategic decision-makers are much more aware of these kinds of technical issues and see them as blockers that need moving. It’s helpful that I attend the audit committee, and they really do listen.
“It’s important to have a seat at the decision-making table. If we are there at the start, we can steer the discussion from going in a direction that's unachievable and avoid being labelled the person from IT who says ‘the computer says no’.
“The demand for digital solutions has only increased in the past year, and things that were on the horizon suddenly became more pressing, so there’s been an acceleration in a number of projects. My staff are benefiting from being part of the process to change some of the issues that have, in the past, consistently caused us problems.
“When it comes to strategic decisions, we are being seen, particularly by the academics, less as a service, and more as essential collaborative partners.
“I think IT teams should be classified as essential workers - we’ve helped to keep the lights on. I'm very proud of my team and optimistic for the future because I think we can grasp the opportunities the pandemic has given us. I'm now having very rich conversations with VCs and academic colleagues about where we're going from here.”
- There's more about the effect of cyber attacks on staff resource, students, researchers, reputation and budget in Jisc's cyber impact report (2020)
- To hear about security in the sector, register for Jisc's free Networkshop49 event (27-29 April). The last day of the conference is dedicated to cyber security
- Find more general advice and information about cyber security