From the Battlefield to the Boardroom: Bolstering Infosec Across Industries
In the military, you need to have a keen awareness of threat and risk management. The pressure is on informed leaders to direct their teams to make great decisions as part of protocol. Otherwise, mission success is at risk, which could cause serious damage to individuals, property, values, and beyond.
There are keen similarities in the world of information security. In infosec, there is a critical need to protect people and the information which, in the wrong hands, could do untold damage. The best line of defence begins with identifying your own weaknesses, and then building them up with a team of experts and well-maintained infrastructure to fortify your position.
Without a doubt, strong leadership is imperative to achieving strong results in both instances. I ought to know—I’ve spent most of my life leading in both worlds.
After 28 years as a military surveyor, intelligence officer, and a bomb disposal officer in the military, I was very accustomed to working in what we call compartmented intelligence operations, which involved working with highly classified and protected data. As I left the service, my wonderful, lifelong mentor—who is a former SAS commander—playfully teased me and said I should come work for this ultra-secure data centre start-up company. He wanted me to take care of its operations, ISO27001 physical security, cybersecurity, and service desk.
So I did that for a couple of years in the private sector. This propelled me into my next role as the lead security planner for the London 2012 Olympic Park and Athletes Village. I was there for three and a half years working across business continuity, disaster recovery, security, data centre security design, information security, and more.
From the Military to Academia: Infosec Across Industries
Eventually, I felt it was time to leave the corporate world and look for a new challenge elsewhere. So, more than seven years ago, I joined Brunel University London in the role of Head of Security and Information Security and have since moved into the position of Chief Information Security Officer.
Brunel University’s infosec needs are what drew me to the role: they were originally very low in terms of maturity across many elements of infosec and information assurance, including cyber resilience and application of cybersecurity good practice. There was no one dealing with information security. There was no information security policy, and no deep culture for protecting data and information security.
When I first joined Brunel University London in 2013, the status of cyber protection and cyber resilience was not really in good shape at all. That was because of decades of underinvestment in architecture, cyber tooling, process, and training skills. It quickly became clear that we would have to build much of the cyber operating model from scratch, as there was no existing foundation. It was going to be a major undertaking, but one that I thrived on. Capability development from a blank piece of paper had been what I had been doing for my last four or five roles, both in the military and private sector.
As we grew into an era where the cyber risk and cyber threats were at an exponential level, people began to see that we truly needed to get a grip on security and privacy. Data breaches could have the university paying compliance fines and put its reputation at risk as well, and our students expect a high level of protection of their data.
Implementing Business-Driven Infosec: Gaining an Executive Program Champion
The true impact of our internal audits and reports was finally admitting we were at risk. By 2015, it was all about getting buy-in and completing vulnerability and risk assessments. Some metrics supported my view that we weren't protecting the university's intellectual property assets and personal or sensitive data particularly well.
We found that the culture of handling data was not as strong as it should be, which was especially concerning, considering that they had a number of incidents over the years, particularly phishing and network intrusion. Universities have valuable information assets that can also impact the nation because of our tremendous amounts of high-end research, intellectual property, patents, and personal data.
Once we knew the gaps and risks, we had a new challenge: convincing our non-tech but savvy executive board that updating our infosec infrastructure, architecture, and processes was a worthy investment that would yield return on investment and real value for the future.
Fortunately, we had an executive program champion in our Chief Operating Officer (who, I might add, also has a military background). He both formally and informally worked with me and my growing team to communicate the business value of the changes we needed to make to our infosec policies. He helped prove that the thought leadership behind our initiative was balanced and commensurate with the risk.
It took a while to get executive buy-in and for it to grow, but by 2017, I’d written a five-year strategy which was approved by the vice-chancellor. With that approval came the investment for me to build the capability of the program—training the workforce, recruiting an infosec and privacy team, and making more people aware that we weren't just doing this for IT. This was across the whole university to improve our maturity in information assurance in every business unit.
I spearheaded a new initiative to develop capability from scratch; I built a cybersecurity team, and got the investments to take the university on an infosec journey from out in the wilderness towards best-of-breed in the academic sector. I now have a matrix team of about nine people across information assurance, cyber, privacy, and infosec. It was as we were building the strategy and the team that we commenced our journey with Cisco to support us in this major, multi-year project.
The Key to Success: Developing a True Partnership with Cisco
I treat our relationship with Cisco as a pure partnership, because you can't build best-of-breed capability without strategic partners and what I call ‘critical friends’ when you’re establishing architecture for the long term.
I chose to stick to three strategic partners: Cisco, as well as Exabeam and Khipu. I coached them into how I wanted them to operate in this partnership, to help me steer the course and the intent and vision that I have for the university, especially in developing a technical ‘unified operating platform’ which was the first of its kind in the UK academic sector.
In the beginning, Cisco added huge value to my thought leadership that helped us chart a way forward—together. But it was more than that. Cisco also provided the security architecture, including Cisco Threat Response which we'd use to automate some of our product integrations and accelerate key security operations including incident management and simulation exercises.
We needed experts to support us whenever we had incidents or when we were training for incident responses. I used the Threat Response team to come in and coach our various teams—to do tabletop exercises, simulation attacks, playbooks, and more. Whenever we have incidents the Threat Response team is with us on the phone if we need any assistance.
It's nice to have them as a partner on standby to come in and support us both forensically and for incident management. Cisco’s assistance with premises, technology suggestions, and timely insights have deepened our partnership from the outset, which has helped my team in making strides towards establishing Brunel University as a leader in the infosec space.
A Careful and Considerate Build: Setting a Strong Foundation
Together, we've conscientiously built upon our basic foundations to establish next-generation firewalls in the data centres. On the perimeter edge, we have intrusion detection systems (IDS). We have also implemented Cisco Umbrella, providing cloud-delivered DNS-layer security when and how we need it, as well as Cisco AMP for Endpoints, providing advanced malware protection on our endpoints. We've shifted to a position of intelligence collection that allows us to monitor nefarious activity or anomalous activity and therefore take actions. That's a huge step because we're now able to interject and contain much quicker once we see a threat.
The biggest concern I had was making sure the training of the people operating all the instrumentation kept pace with both the technology and the tactics of potential attackers. Our team appreciates their part in the process and the investment we're making in them.
None of this would have been possible without a clear vision, ambitious goals, powerful and engaging thought leadership, and a strong partnership with Cisco.
System Overhaul Successes
One of the biggest changes we saw was in morale. It was quite important to show the university and the workforce that we could quickly transition from nothing to best-of-breed technology.
We now have a team of infosec analysts who monitor 24/7 and are improving in incident response rates. One of the more tangible ways we’ve seen a difference is in data handling. Business units are now recognizing that they will get our support to better put security and privacy controls in place around their applications.
People are also reporting breaches better. They're reporting privacy near-misses and causes for concern on the security of their data. As a result, our security team now touches all parts of the university. These teams have come to rely on us because we can act as problem solvers—not policemen.
Our staff now see the seriousness of infosec. They understand the ramifications of not securing their data or of having privacy breaches on their data. Peer pressure is in full force, where people are checking themselves and their teams naturally.
For our executive team, they're happy because we have the metrics to show that we have reduced business risk quite considerably over the last two years and built a unified cybersecurity platform that our own cyber researchers can collaborate with us on.
We're finally in a position where we can begin to celebrate our security victories. I’m hoping to get all the partners together for a decent social event in the spring to recognise how far we’ve come. It's not been easy all the way. There have been a lot of challenges, but we fought through it as a cohesive unit. One of my mantras to my team was always ‘hog the pain’ as we came through the tough times. It really will be worth it, I told them. I think they’re proud now as we all should be—but there is still so much to do.
Cisco and our other partners understood what I was trying to achieve and so they had a common goal to support us. They have been true allies in our ambitious campaign, and that started with our executive board buying into our ambition and supporting us in helping adjust our community spirit to better protect our data as a shared responsibility.
At Ease: Charting a Course for Future Security as One Unit
There's still another two and a half years to go until our five-year strategy is complete in 2022. Now, we're going into Phase Two, which focuses on optimisation. Cisco has taken us on that journey to be, without a shadow of doubt, one of the most developed capabilities in the sector in a short time.
It’s a clear and profound moment when you realise just how much you trust the intentions, capabilities, and strategic insights of people standing beside you as you move forward to achieve big goals.
Keeping other people, and their data and information, safe is no small task. The mission continues to evolve and become more complex as those of us in the infosec industry are constantly bombarded with new threats to defend against. But when you act as one unified team with strong leadership and excellent collaboration, you can stand at ease knowing that you’re the best line of defense. As I move on to complete my third novel, all spy thrillers with a nod to state-sponsored cyber-crime, I’m delighted to have such a trusted ‘critical friend’ in Cisco that helped shape my work story, and inspired me in my fiction narratives.