How CISOs should go about transforming the cybersecurity capabilities of an entire organization was discussed during the DTX Cyber Security Mini Summit by Michael Jenkins MBE, CISO at Brunel University.
Jenkins previously spent a long career in the military, including positions in counter-intelligence, and also played a major role in planning security for the 2012 London Olympics. In 2017, he was tasked with turning Brunel University’s cybersecurity capabilities into one of the best in the entire sector through a five-year strategy. “Ultimately, the goal is taking a business from a low level of maturity in cyber-resilience right the way through to the best in the sector,” he noted.
Around three years into the plan, Jenkins discussed the approach he has taken to try to fulfil this ambitious target. He said the first step was inspiring everyone in the organization, including researchers, staff and students, “to care about data, probably more than the criminal cares to steal it from us.”
This was achieved by engaging in regular conversations with people on campus, helping them to learn how cyber-criminals operate and “to see that it’s a very credible goal that we needed to achieve together.” Jenkins added that it was also important for him to understand the work of academics and students at the institution, to allow him to “help secure their data in a way that is acceptable to them but is also acceptable to us as a community.” This enabled them to understand why particular security measures were in place and to accept them.
The next element was developing the right strategic team and partners, including a small, close-knit group of vendors who are well versed in the individual needs of Brunel University and its cybersecurity strategy. This strategy included the development of compartmentalized “safe data havens” and the ability to monitor access control for threats in the network. Jenkins explained: “I had to mould that and balance it to the business that we were – we aren’t a bank, insurer or top-end government department, we’re a university, so it’s all about proportionality and sensible risk-based, intelligence-driven activity.”
Such a capability has now been built and is leading towards a zero-trust model at the end of the five years. He emphasized how important it has been to ensure everyone understands this end goal, and why it is needed in the face of the threats the university faces. He noted that large universities such as Brunel are a major target of sophisticated threat actors such as organized crime gangs and nation states.
To help get this buy-in from IT staff and the executive board, Jenkins uses regular simulated attack exercises to demonstrate just how damaging a successful attack could be. “It all goes back to everybody understanding the why – why do we want to do things this way,” he said. “One of the great things we’ve developed over the last couple of years is providing situational awareness to all our IT practitioners and major leaders and staff in how an attacker enters a network, their lateral movements, how they get the elevated privileges, how they conduct their actions on the objective – the entire end-to-end kill chain.”
Such simulated exercises have brought many advantages, according to Jenkins, in particular greater buy-in from staff and the board, as well as identifying weaknesses within the business. He added: “It gives confidence to the board that their money is being well spent.”