How Do University CISO’s Share Threat Intelligence? – Research Paper

For anyone who works in one, universities are a particularly challenging space to protect from cyber-attacks. Indeed, in 2021, the National Cyber Security Centre (NCSC) reported that universities and higher education institutions (HEI) had been exponentially targeted by cybercriminals. There are a myriad of reasons for this ranging from traditional under-investment in the digital estate, the volume of high value data held in university systems, and a diverse, complex digital footprint and workforce. We wanted to understand this context better and to do so, we needed to speak directly with those who work to secure universities every day.

Over two years, during the midst of the pandemic, we carried out a collaborative research project with UCISA and researchers from University College London. Together, we interviewed and surveyed 130 cybersecurity practitioners working at universities across the UK. The findings were fascinating and we wanted to share them with you all – and thank those of you who engaged with us on this project.

The first paper to be published from this project is specifically about how university CISOs (or equivalent) share threat intelligence – and what prevents them from doing it more. In research into other sector specific cybersecurity, the extent to which collaboration and information sharing has been effectively implemented within the ecosystem has been identified as an important factor in mitigating against cyber risk.

For anyone who would like to read the full article, you can access it for free here.

Key Findings On Threat Intelligence For CISOs

Below, we’ve pulled out some of the key findings for quick consumption.

First, the good news. A significant majority of respondents agreed or strongly agreed that collaboration was important to them. 94% said that it encourages mutual learning, 91% felt that sharing threat intel encourages the development of sector wide solutions, 81% said it enables organisations to take collective action, and 95% said that it encourages a sense of community and more integrated responses to threats.

Although university CISOs are overwhelmingly in favour of sharing threat intelligence, there are real impediments to doing so.

The downsides of CISOs sharing threat intelligence cross-functionally with universities include:

• Concerns about being blocked by university management: “I think a lot of the time people are not sure if they should [share threat intelligence], so they ask… No one wants to say ‘yes’ because they’re not sure.” Eventually, we were told, these requests will land with someone who will say ‘no’ because they don’t really understand the benefits of sector wide intelligence sharing.
• Expectations of legal advisors and insurers in the case of cyber incidents: Many people told us that they would potentially be in breach of the university’s insurance policy if they shared threat intelligence with colleagues in a timely manner following an incident.
• Reputational risk: People spoke extensively about this and from many different perspectives. The reputation of the institution did come up frequently, either as a concern of the respondent or as a factor that they expected would lead to a managerial ‘no’ on requests to share threat intel (see above). But it also came up on a personal level that expressed some of the pressures that go along with this job; “When there is an attack, you felt you have failed in some way.”
• A lack of personal relationships within the network: People stressed this repeatedly. Personal relationships and trust make sharing threat intel in this context much, much easier and more likely. This is not all that surprising or unusual but it does raise the question of how to build stronger relationships across the sector – something that UCISA has been so active in pursuing and the benefits of which would very clearly translate to this point.

Recommendations:

• UK Research Council funding: Currently, a proportion of research funding goes towards university ‘estates’ but this refers to the university’s physical estate. The pandemic years of enforced remote teaching will have lasting repercussions and the big lesson to come out of that period was that despite decades of investment in buildings, the university model of the 21st century relies much more on its digital estate than it does on its physical estate. Investment should reflect that through a proportionate amount of research funding to properly secure and support it.
• Change from university senior management: Senior managers can work to better support their cybersecurity teams to collaborate with peers in other universities. This will help to minimise the number of organisations that suffer from a particular attack and, in some of those cases, their own university will be the beneficiary of this collaboration. They should also proactively support their security teams to build strong professional relationships within the network.
• Insurance: There is a conversation to be had about the extent to which insurance policies can or should preclude this type of collaboration because it is currently detrimental to the security of the overall ecosystem. Preventing sharing threat intelligence may protect one institution but it leaves others vulnerable for longer than they should be. As no organisation is impermeable from cyber-attacks, this practice will eventually come back to bite. The insurance sector should take a sector wide view and support practices that strengthen, rather than weaken, universities.

Thank you again to the research team at UCL (Anna Piazza, Srinidhi Vasudevan and Madeline Carr), the amazing team at UCISA (CEO Deborah Green and Siân Thomas) and of course, huge gratitude to the 130 people working in cybersecurity inside UK universities who engaged so honestly with us. We hope this is useful and that we can implement the insights gained from the project in ways that benefit you all.

To further discuss Threat Intelligence and its benefit to universities, book a consultation with us.