CISO Interview Series: The challenges of being University of Oxford CISO
The job of a CISO is one of constant change and unexpected challenges. One of the most energetic environments to govern is that of a university. Universities function not only as academic institutions, but also as research hubs, hosting both curious students, as well as notable scholars. This is an audience not known for slow-motion progress. They need results, and they expect them quickly. At a large university, the responsibility of a CISO is dizzying.
The challenge is not one to be underestimated; the University of Oxford consists of 39 Oxford colleges, which are financially independent and self-governing, but relate to the central University in a kind of federal system. There are also six permanent private halls, which are similar to colleges except that they tend to be smaller. Therefore, the obligations for any CISO are immense.
I had the opportunity to speak with Graham Ingram, who serves as the CISO at the University of Oxford. Graham’s responsibilities include governance, risk and compliance, and security operations for the collegiate university, with additional involvement in counter-fraud, data governance, and digital transformation. Prior to this role Graham was the Chief of Staff for Deloitte Government and Public Sector cyber team. Throughout his life, Graham has also been my brother, which was another challenge for him to tackle as well!
Philip Ingram: What do you see as essential skills for a modern CISO?
Graham Ingram: A modern CISO must be business focused and able to move the cyber dialogue into the mainstream board discussions; one that balances benefits with the risks. Risk discussions can often be unduly negative and difficult to engage with. Being a security evangelist can be counterproductive. You come across as trying to promote a belief system rather than a realistic necessity. Again, with my first point, the modern CISO needs to a security realist.
PI: What are some of the main areas of focus for a new security programme?
GI: I’m going to cheat here by offering three pairs of security areas. Firstly, Culture and Awareness. Peter Drucker is said to have written that “culture eats strategy for breakfast.” Generating a cyber-aware culture can seem impossible, difficult to measure effectiveness, and problematic to define. But not doing something in this area will undermine the rest of your security programme. It is linked to employee awareness, but I must advise caution in this area. Many will think that we can train our employees out of the cyber risk. We can’t. The IT systems are designed for use by humans as humans chose to use them. Therefore, it is lazy to say that the main risk is “between the chair and keyboard.” It isn’t. If the human is getting it wrong, then there are deeper problems. You can’t train people to overcome systemic weaknesses.
Secondly, Risk and Assets. The objective of all cyber security professionals is to provide just enough cost-effective security controls to mitigate the risk to specific information assets to a pre-defined level of tolerance. That’s a big sentence. Start with asset identification, risk management, and then the deployment of controls across people, processes, and technologies.
Finally, Design and Automation. Security architecture is not a thing. Secure architecture is a thing. All IT architects must consider security and innovations in their thinking. Getting this architecture right will slate two things. Firstly, it meets the GDPR Article 32 “Security of Processing” requirements. Secondly, it sets the conditions for increasing security automation. The cyber world will only continue to get more complex. We must therefore automate what we do today to be ready for the challenges of tomorrow.
PI: What advice would you share with other CISOs when it comes to communicating the Return on Investment (ROI) on security investments to other stakeholders? How do they get buy-in?
GI: This remains a considerable challenge. Benefits-mapping is essential here. Not all benefits are measurable, but if the many-to-many relationships between the outputs of security services and projects are correctly mapped, then an objective assessment of benefits can be described.
The only other approach that I have tried is an actuarial approach. An insurance company can use data to create a risk value for cars, life and health. For information assets, some companies can produce a figure, but this expires quickly. It is useful to communicate to boards; even if they don’t understand cyber, they believe they understand insurance.
However, this has a short shelf life. The threat picture changes so quickly that these information asset risk values will increase rapidly, and, because they only ever increase, it can undermine the ROI argument on your mitigations.”
PI: Based on your experience and insights, how are cyberattacks changing at the moment? What are the biggest threats companies need to focus on?
GI: In Ukraine, for example, there are eight flavours of WIPER malware in circulation. Various sources have described a huge growth in ransomware (485% since 2019). The risk of a total loss both business data and technical configuration data is what companies need to focus on. In terms of mitigation, we need to aspire to the same level of performance of digital service providers in Ukraine; we need to be able to bounce back.
Disaster recovery needs to be part of the mainstream, where we can rebuild our systems from auto-provisioning based on securely backed-up configuration data. Only then can you begin the business recovery with restoration from immutable back-ups.
PI: What do you think about when you hear the word “integrity”? Particularly, system integrity. How important is that in security, compliance, or just operations?
GI: When I hear “integrity”, I will insist on filling in the gaps of “confidentiality” and “availability.” Information assets have different requirements against confidentiality, integrity, and availability. System Integrity is a term which is open to both interpretation and misinterpretation. The zero trust approach assumes that systems have no integrity. The secure IT castle doesn’t exist in the hybrid / cloud / mobility world. As a result, the final defensive line must be drawn around the asset, the data, and the digital identity of your consumers. Against each of these, think of integrity, availability, and confidentiality.
PI: Security frameworks are a vital part of any security program – where would you advise organisations to invest most of their time?
GI: Investing time in security frameworks is dependent on the type of business. In the university, we have need to meet National Health System (NHS) standards to win medical sciences research grants. Also, we have research sponsors who demand adherence to Cyber Essentials, NIST, ISO2700(1)(2)(5), as well as other guidance documents. We have business functions which require PCI-DSS. We don’t have a choice on investing our time on just one standard. In highly regulated industries, such as financial institutions, this is highly prescribed, such as SOX and the MIFID II Directive. Embrace the complexity and seek tools that help you manage the compliance challenge.
PI: We know supply chain risk management is a huge issue right now. How do universities typically manage this process? What best practices can you share?
GI: We have similar processes as many other organisations, which is to conduct an assessment of a supplier against our baseline and standards. But this is an area where we are seeking greater automation and rapid service fulfilment.
PI: What are the key threats in the research/education sector right now? What are the main challenges CISOs are facing?
GI: Research institutions are full of the world’s best thinkers in a multitude of disciplines. They have a desire to tackle the greatest challenges in the world with the greatest of global collaborations and then to rapidly publish or share their findings for peer review. In terms of a cultural approach, these are not all culturally attuned to the cyber threats; why hack that which is about to be published. The main challenge for University CISOs is developing a secure culture. Many will disagree and claim that the main challenge is a lack of funding; but my argument is I can’t build a case for more funding unless the institution is culturally aligned with the cyber need.
PI: Have you ever been involved directly in a data breach? What lessons did you learn?
GI: No comment.
PI: Thank you, Graham.
The advice from a CISO of a university is applicable to all industries. The importance of understanding risks, and addressing them with careful and well-thought approaches is key to success, whether attaining buy-in for a security project, to working well with all levels within an organization.
About the Author: Philip Ingram MBE is a former colonel in British military intelligence and is now a journalist and international commentator on all matters security and cyber.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.