School for spooks: Gloucestershire taps into cyber expertise

Cyber security is a growing concern for universities around the world. But when your partners include some of the UK’s most secretive organisations, it suddenly becomes a top priority.

This leaves the University of Gloucestershire’s School of Business and Technology facing an interesting dilemma: how does it maintain an open academic environment while having to give part of its campus to secure areas that only a handful of staff have access to?

Searching for an answer to this conundrum is Kamal Bechkoum, head of the school, which has built strong links with private security firms and government agencies in recent years.

Professor Bechkoum, previously executive dean of the School of Science and Technology at the University of Northampton, was hired in 2015 to improve the prospects of what was then an underperforming business school.

He did so by tapping into cyber security, a local strength. Cheltenham, where two of the university’s campuses are based, is a focal point in the UK’s cyber security effort. It is the home of GCHQ, the UK’s main surveillance agency, and a major site of activity for the National Cyber Security Centre. Soon it will be home to the government-backed Cheltenham Cyber Park, a £650 million business development set to create 7,000 jobs.

Professor Bechkoum said that, prior to his arrival, Gloucestershire had struggled to tap into its neighbours’ expertise.

“When I arrived we had only one cyber security course called forensic computing, which was not very good in terms of its content, designed by academics and delivered by academics with no industry experience,” he told Times Higher Education.

His response was to ask managers from GCHQ and major defence technologies – including Raytheon and Northrup Grumman – for guidance in designing curricula for new undergraduate courses in cyber and computer security, and computer and cyber forensics.

“They need the right kind of graduates and we want to produce them. We want the curriculum and study content to be flexible and up-to-date,” Professor Beckhoum explained. “Raytheon and Northrup Grumman were absolutely committed to that process and spent weeks with us designing the curriculum and supporting its delivery, while GCHQ had lots of advice about what the curriculum should contain.”

Professor Beckhoum now leads a £3 million cyber security project at Gloucestershire, working with GCHQ, the National Cyber Skills Centre and other organisations to produce highly skilled cyber professionals in Gloucestershire and beyond.

The project is already paying dividends, but the sensitivity of the work involved means that it is not always easy for the school to trumpet its successes.

“Three years ago if you had one student working in a network security company we would be smiling. Today, we have 100 per cent of graduates [from cyber security courses] employed by cyber security firms and around 65 per cent of those were in Gloucestershire,” Professor Bechkoum said.

“I can mention a few of those companies – such as Northrup Grumman and Raytheon – but some don’t want to be named [because of the work they do]. It can be frustrating. I want to say our courses are so good that x or y employed them, [but] we can only talk about some, not all.”

Partnerships with these sorts of organisations also mean that the university’s own security has to be strong.

“As soon as you say ‘we’re good in cyber security and doing great stuff’ you become a target [for cyberattacks],” Professor Bechkoum explained. “The university absolutely has to maintain an open academic environment because that’s how universities should be, that’s at the core of how they work, but at the same time we also have to be very vigilant about the fact that we work with sensitive organisations.”

There are two ways that the institution balances these responsibilities: the first is through the use of graded security clearance. At the Cyber Security and Digital Centre, “you can move from zone 1, for everyone, to zone 6, which is for high security clearance”, Professor Bechkoum said. There are certain activities that only two or three staff have clearance in.

The second is the human element. “Everyone in the organisation has to be trained, and by that I mean everyone, from the IT department to the executive team to academics working in the history department,” he said. Staff have to be vigilant for fraudulent emails that could result in a malware attack on the university system and even students get guest lectures on the topic.

Professor Beckhoum added: “The citizen is the first line of our defence.”

anna.mckie@timeshighereducation.com