The overpromotion of academics who are brilliant in their field but “awful” managers is jeopardising the effectiveness of university cybersecurity policies, a conference has heard.
Sadie Creese, professor of cybersecurity at the University of Oxford, said that cyber-risk was not always taken seriously by all members of universities’ executive boards, meaning that digital security practices were “lagging behind” those employed in industry and government.
Speaking at the Cyber Security in Higher Education conference, held by Universities UK in London on 28 November, Professor Creese said that the “hierarchies and the style of management you find in academia” made it difficult to embed in institutions a culture of awareness regarding cyberthreats.
“We are definitely a sector that suffers, at times, from overpromoting people who are brilliant in their discipline, but who are just awful managers, into what amounts to a management role and then expecting them to deal with some of this stuff,” she said. “They are not equipped to do it.”
She added that the problem in many institutions was that “techies” were regarded as the “custodians” of cybersecurity, meaning that it was not always a high priority among senior management teams.
“In universities’ senior administrative bodies, cyber-risk is not something that everybody engages with in the same way they engage with any other material risk,” she said.
“That’s a problem for many reasons, not least because if you have people worrying about seeing the new risks as they evolve, who are all very similar in the way they think, then you won’t spot the new [developments].”
The key to minimising the negative impact of risks as they materialise, she said, was to “catch them early”.
At the conference, Universities UK released a report that outlines the management steps that universities should take to protect themselves from cyberthreats. According to the report, “Cyber Security and Universities: Managing the Risk”, research with potential economic value is particularly at risk from targeted attacks.
However, Professor Creese said that it was a challenge for universities to identify exactly the material that was genuinely of interest to cybercriminals.
“For the professor who comes up with an idea, it’s like giving birth to a child. If you ask them, they will always value it highly, so if you are a large organisation, you are left with a huge list of stuff that is going to potentially change the world 10 or 20 years later on. The question is, how do you prioritise? That’s tricky.”