15 October 2020

Security is an issue for everyone. That’s the overarching message pushed out by the team at Oxford Brookes University while implementing its first dedicated information and cyber security strategy.

To achieve success in sharing that ethos, securing the engagement of – and investment from – influencers across the organisation, especially senior leaders was vital.

Head of information security management Gareth Packham, who leads on the strategy, was clear from the outset that:

“[The information security strategy] is not merely a technical operational plan that just I and a few others in the IT department have ever seen or heard of – it affects the whole organisation.”

Thought process and approach

Importantly, although the three-year strategy was written at the end of 2019 and approved pre-pandemic, an early-lockdown review concluded that it did not require updating to take account of the mass shift to remote learning and working. Gareth says:

“Any strategy should be flexible enough to respond to the business drivers, organisational objectives and the evolving operating environment.”

That includes taking account of current threats. Reliable, timely and sector-specific intel is part of this, says Gareth, who cites the Jisc and NCSC advisories as helpful resources. As a member of various groups, including the NCSC cyber security information sharing platform and the University Alliance cyber security forum, Gareth also finds that discussing best practice with peers is useful.

First steps

At Oxford Brookes, a dedicated security team has been in place for a couple of years, which has helped drive change from what was previously a rather piecemeal approach “and not at all holistic”. Gaining certification is part of the plan. The team is now working towards the Cyber Essentials certifications, having already gained ISO 270001.

To guide the strategy, Gareth used the US National Institute of Standards and Technology cybersecurity framework of ‘identify, protect, detect, respond, and remediate’. During the first year, there’s a focus on governance – nailing down roles and responsibilities, policies and procedures, and compliance. Years two and three will tackle prevention, detection and response and beyond the life of the first strategy Gareth is looking to automate some of those functions too.

Groundwork

“There was a lot of groundwork,”

says Gareth.

“Even before the strategy was written, my team and I were working on cross-university join-up of security practice, and I do a lot of communications work around security and data protection.

“I spoke to many people across the university without being alarmist; I wasn’t going around telling people that if they didn’t get their house in order we’d get a £20m fine from the Information Commissioner’s Office, or we’d get hacked and lose all our data – even though both of those things are possible, in theory.

“My intention was to encourage people to work effectively but securely, and for that I needed to build and keep the trust of the staff and students. That’s about culture change, and it’s ongoing.”

Governance and responsibility

Security experts across the sector agree that a meaningful security strategy needs support at board level; senior leaders must understand the risks and be accountable, as indicated by security leaders in HE and FE, Mick Jenkins from Brunel University, and Jonathan Wison at Milton Keynes College.

As part of the approval process at Oxford Brookes, Gareth presented his strategy to senior leaders, the head of departments, and the board of governors.

“This included outlining the risks around data security and cyber attacks.

“That showed we were taking security seriously and helped when we submitted the investment plan.”

Security decision-making is two-fold at Oxford Brookes. There’s a technical board that meets monthly and an information governance working group, comprising senior staff who look at all reported information security incidents and data protection breaches. The senior staff are responsible for disseminating clear-up and preventative actions.

But responsibility doesn’t stop there, as Gareth explains:

“My remit, and the function of my team, is to provide people with specialist knowledge, tools and guidance, but I’m not responsible for anyone else’s data, whether that’s a research database or the student record system. We do the risk assessments and the security assessments, and we tell the person responsible how to make it better, but at the end of the day, it’s their responsibility.”

Communications

To share security messages, Gareth targets certain groups. “If I can win over influencers and get them to play ball, then others will follow.

“One of my tactics is to identify good practice and praise it. People respond to that. Bad things are more likely to happened if people don’t feel involved and engaged. To help, we support people to be vigilant for phishing emails and to set strong passwords.

“Because human error is a high-risk factor for cyber crimes, the need for security awareness is a massive part of keeping the sector safe. That’s why we have a comms plan as part of the security strategy, and all 2,800 members of staff are required to complete a 90-minute training.

“On top of that, we do regular training for managers. I’ll concentrate on a different thing each time, including ransomware, phishing awareness, password security and access control. But really, I use any opportunity I can to present to different departments and faculties on security issues.”

Managed systems

As the strategy matures, Gareth is looking at platforms to automate certain security functions and is currently piloting the Jisc managed SIEM service – but is conscious of striking a balance between generating potentially useful data and having enough analysts to gain best value from it.

“We’ll be looking for managed or automated services across a number of areas where we don’t have enough in-house resource, such as threat detection and response and cloud security. We do, however, want to retain some functions as a means of growing technical knowledge in our team, which allows our people to develop their skills.

“Managed services are never a panacea,”

Gareth concludes, because they require in-house technical knowledge to set up, and someone to manage the contracts.

“It’s a balancing act. The value is whether these services can deliver efficiencies by giving us better oversight than if we relied solely on enhanced resource in our team.”

To find out more, sign up for the free-to-attend Jisc security conference, 3-5 November 2020, where Gareth will be talking about implementing his strategy, at 13:00 on 3 November 2020.