University managers ‘don’t take cybersecurity seriously’

Sadie Creese says institutions’ leaders endanger research by not prioritising digital security

December 5, 2013

Source: Getty

Think about encrypting: digital security is a low priority for many academics

The overpromotion of academics who are brilliant in their field but “awful” managers is jeopardising the effectiveness of university cybersecurity policies, a conference has heard.

Sadie Creese, professor of cybersecurity at the University of Oxford, said that cyber-risk was not always taken seriously by all members of universities’ executive boards, meaning that digital security practices were “lagging behind” those employed in industry and government.

Speaking at the Cyber Security in Higher Education conference, held by Universities UK in London on 28 November, Professor Creese said that the “hierarchies and the style of management you find in academia” made it difficult to embed in institutions a culture of awareness regarding cyberthreats.

“We are definitely a sector that suffers, at times, from overpromoting people who are brilliant in their discipline, but who are just awful managers, into what amounts to a management role and then expecting them to deal with some of this stuff,” she said. “They are not equipped to do it.”

She added that the problem in many institutions was that “techies” were regarded as the “custodians” of cybersecurity, meaning that it was not always a high priority among senior management teams.

“In universities’ senior administrative bodies, cyber-risk is not something that everybody engages with in the same way they engage with any other material risk,” she said.

“That’s a problem for many reasons, not least because if you have people worrying about seeing the new risks as they evolve, who are all very similar in the way they think, then you won’t spot the new [developments].”

The key to minimising the negative impact of risks as they materialise, she said, was to “catch them early”.

At the conference, Universities UK released a report that outlines the management steps that universities should take to protect themselves from cyberthreats. According to Cyber Security and Universities: Managing the Risk, research with potential economic value is particularly at risk from targeted attacks.

However, Professor Creese said that it was a challenge for universities to identify exactly the material that was genuinely of interest to cybercriminals.

“For the professor who comes up with an idea, it’s like giving birth to a child. If you ask them, they will always value it highly, so if you are a large organisation, you are left with a huge list of stuff that is going to potentially change the world 10 or 20 years later on. The question is, how do you prioritise? That’s tricky.”

Times Higher Education free 30-day trial

You've reached your article limit.

Register to continue

Registration is free and only takes a moment. Once registered you can read a total of 3 articles each month, plus:

  • Sign up for the editor's highlights
  • Receive World University Rankings news first
  • Get job alerts, shortlist jobs and save job searches
  • Participate in reader discussions and post comments

Have your say

Log in or register to post comments

Featured Jobs

Most Commented

Monster behind man at desk

Despite all that’s been done to improve doctoral study, horror stories keep coming. Here three students relate PhD nightmares while two academics advise on how to ensure a successful supervision

Female professor

New data show proportion of professors who are women has declined at some institutions

opinion illustration

Eliminating cheating services, even if it were possible, would do nothing to address students’ and universities’ lack of interest in learning, says Stuart Macdonald

John McEnroe arguing with umpire. Tennis

Robert MacIntosh and Kevin O’Gorman explain how to negotiate your annual performance and development review

But the highest value UK spin-out companies mainly come from research-intensives, latest figures show