Do you feel lost and wonder where to start with information security amidst a storm of demanding students, maverick academics, eroding perimeters and legacy systems?   

Tiny budgets, uncompetitive salaries, organically growing IT estates and a culture of ‘academic freedom’ can make universities a difficult place to provide good information security. Add in to the mix the recent challenges of student remote working and an ever-increasing wave of security questionnaires that you now need to complete in order to secure data or funding – it is very easy to feel totally overwhelmed!

With a few small changes to the way you think about security, it is possible to secure funding and build the momentum you need. Savanti’s top tips will help you transform your approach to information security within the university environment.

1. Hire a CISO (or the equivalent) and own security from the top

Information security needs to be part of the core make up of your senior management team. This does not necessarily mean breaking your budget to lure an experienced hire from the private sector, it could be an internal appointment, interim or even a part-time position. You do need someone with the right leadership skills and authority to motivate and influence colleagues and stakeholders.

2. Take people with you

Creating a hard-line approach to security might work in tightly controlled environments such as government departments or the financial sector, but in universities, success depends on getting the right people on board. You will need to work hard to build a positive perception of information security, spending both time and effort thinking about the key messages you want your stakeholders to absorb when they interact with you.  Finally, make sure all your actions conform to these same messages.

3. Define ‘secure’


It is all very well talking in terms of threats, vulnerabilities and risks, but the truth is the majority of people want to be told what ‘good security’ looks like in the context of the university environment. Be prescriptive, tell people what good security (by default) looks like and build your approach to security risk and compliance from here.

4. Present solutions that influence business decisions

It is the role of the CISO to influence the information security team about the business risk. Put yourself in the position of the business owner and present them with what ‘secure’ looks like. Give your stakeholders the choice of ‘good', ‘better’ and ‘best’, this can be a very good way to influence business decisions.

5. Concentrate on value and not just risk

If you want your security team to be successful and well received, you should be adding value in everything you do. If what you are working on is not demonstrably contributing to research, teaching or adding to the smooth administration of the university – then start focussing on activities that will.

6. Target the problems you can solve

You need to demonstrate progress if you want long-term success, so don’t try to ‘boil the ocean’. You might want to start by focussing on certain activities like training and awareness. Ask yourself questions like; are there critical research activities or high-risk systems that need attention first? Start small by focussing efforts where you can make a difference. Once you demonstrate success you can build momentum and start to target the more challenging problems.

7. Engage with the academics

Trying to impose controls and security standards on academics because it is ‘good practice’ will never work. Talk to them, be visible and get an understanding of their challenges and frustrations, ask yourself how you can help them solve their problems.  High-profile activities such as online awareness training and simulated phishing exercises can be a great way to reach large numbers of stakeholders but will turn people off if you have not thought carefully about the messages.


8. Use external support effectively

We all know that contractors and consultants seem to cost the earth and finding permanent staff with just the right skills and experience can be a real challenge. Do not use contractors and consultants just to fill a gap, they can help you develop the right skills within your team and set you up for long term success. Invest in junior team members and good people (think about transferable skills from other departments) that can be trained in security.

At Savanti we have proven experience of leading change and developing highly effective information security teams in the Higher Education sector. We would be happy to support you on your journey, please get in touch or visit our website: to find out more.

For more information about Savanti's cyber security services, please provide your details below: