The education sector is one of the most frequently targeted by cyberattacks in the world, and the pressure has grown in recent years as the technological landscape has changed ever faster. Sarah Lawson, CISO and Deputy CIO for University College London (UCL), has been at the institution for three years and has 20 years’ experience in cybersecurity; here she offers her advice for those working in education cybersecurity. She covers pertinent topics such as the unique cybersecurity challenges faced by the education sector, the talent shortage which is still so prominent, and the importance of diversity in the cybersecurity space.
How has your role as a CISO evolved with the coming of Artificial Intelligence?
The main change is AI has become very ubiquitous for everybody. In the past, we’ve had new innovations come into play and we’ve been able to legislate, consider and manage the risk of those innovations.
However, the hype around AI has been a lot bigger and a lot faster than it was before. Therefore, our risk management is a lot harder to keep up with. We’re almost not ready for it in terms of our business data management and data governance. It’s been challenging for most businesses to consider how they manage that – but ultimately it is unavoidable if we want to succeed. AI has meant that as a CISO, my demands on the business to solve issues have become more urgent; that’s the big difference with AI, we’re having to act fast.
What are the biggest challenges for CISOs in the education sector?
The challenge is enabling great innovation and smart research, but at the same time ensuring we remain as safe as possible. We don’t have a massive budget for this; however, we do think carefully about potential risks and how we manage and mitigate those risks. It’s a lot of fun trying to work on that challenge and that’s the reason I’m in higher education.
Why is effective communication useful for every cybersecurity professional?
Part of being a good CISO is being able to interpret the idea of cybersecurity for your intended audience and make it relevant to them. Only then will they be able to understand how to manage that cybersecurity problem. If you can’t communicate and talk in terms of risk or threat, it becomes irrelevant, and we don’t achieve our desired outcomes.
How can CISOs upskill performance amidst the current security talent shortage?
One thing we’ve been doing is upskilling people who are new to security. You don’t have to be a cybersecurity expert to take on a role in cybersecurity. If you have communication skills, analytics or an interest in the topic, you can be trained in cybersecurity. There are many courses to help people learn.
We often take on a cohort of junior staff who naturally start to move into their chosen areas of interest; some become good at risk, some become interested in threat intelligence, some find that incident response is of most interest to them. Then, we can start to help them diversify and move around into different roles. One of the greatest things I’ve witnessed as a CISO is seeing people evolve their own careers and move on to become CISOs themselves.
Why is diversity important in the cybersecurity space and what can the community do to better support women in this field?
UCL is a large, complex environment which has a diverse cohort of people. If my team doesn’t reflect that, then I can’t communicate effectively with those people and I’m not going to be able to find the risks right for them.
In terms of encouraging women into cybersecurity, it’s about ensuring they understand they don’t need to be the most technical person in the world. The skills women bring to the table are crucial to the development of this industry. Logical problem solving, juggling multiple opposing demands, having to consider risk proportionately are often strong female traits that fit easily into the world of cybersecurity.
I also think we ought to reconsider how some of the conferences and events are managed as they’re very geared towards male-orientated subjects. You often find that vendors will offer days at the football or golf. We need to be more conscious about those sorts of things.
How do you tailor your messaging to both staff and students?
We try to encourage security champions – people that are local to certain areas who understand the business risks in those areas and what’s important and relevant to them. Once you localise something, it becomes real. Threats can feel very unreal and by making it personal, you can help people understand what’s required. For example, live demonstrations showing how easily that coffee shop Wi-Fi could actually be disguised criminal activity can be very powerful.
Further to this, we make sure we encourage people to seek help as soon as they notice something is wrong. It’s really satisfying that people will contact us, even on behalf of family members, and ask what they should do. It’s not just our business, we hope that families and everybody will benefit from the information we can provide to those in our business.
How do you ensure a strong sense of well-being against a backdrop of increased pressure on CISOs?
I don’t think we looked at it in enough detail a few years ago – we’ve had burnouts from some CISOs, which is understandable.
We shouldn’t be measured by the number of incidents we have in our roles. While I think a good CISO takes accountability for the work they do, I also think part of our job is ensuring we have a good network of individuals and groups around us who can help when things go wrong.
How important is cybersecurity collaboration across the higher education sector?
In the Higher Education community, CISOs get together and talk with the National Cyber Security Centre (NCSC). We understand our threat landscapes in a way that is helpful to each of us so that we can measure our own risks internally. We might share what we’re using or doing to mitigate a threat across different organisations.
Additionally, we question how others are talking to their business about certain issues, because we might get little tips that will enable us to move faster or smarter. Having conversations can sometimes produce resolutions. I really value what my colleagues bring to the table and having those discussions.
How can vendors establish long-lasting relationships with CISOs?
I always want vendors to be partners. I want to be able to have dialogues with them, I want to be able to be honest with them if things aren’t working and in return, I want them to be honest with us if there is something not quite right. It needs to be a longevity trust partnership. Vendors not being clear about their journey, what they’re trying to achieve, or exactly what the product is for, tends to erode trust.
We need salespeople to acknowledge that I can’t buy everything every year – I have a limited budget. However, the reason long-lasting relationships are important is because I might then come back to a product. It is often a long game of getting to know a vendor over a period of time.