Culture shock? Academia vs industry
•Download as PPTX, PDF•
0 likes•1,220 views
A presentation from the Jisc security conference 2018 by Bridget Kenyon.
Recommended
Recommended
More Related Content
Similar to Culture shock? Academia vs industry
Similar to Culture shock? Academia vs industry (20)
More from Jisc
More from Jisc (20)
Recently uploaded
Recently uploaded (20)
Culture shock? Academia vs industry
- 1. www.thalesgroup.com OPEN Culture shock? Academia vs industry Bridget Kenyon Global CISO Thales eSecurity
- 2. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 2 Content ▌My background ▌Academic and industry approaches to information security: Similarities Differences ▌Methods to achieve security improvements in both sectors ▌Getting traction with senior management teams
- 3. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 3 ▌4 private sector organisations: Lucas Varity (aerospace) 7Safe (security consultancy) Thales eSecurity (engineering) Travelex (finance) ▌5 universities: Aston Birmingham Warwick Cambridge UCL ▌Other: British Standards Organisation DERA My background
- 4. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 4 How we view each other Industry view of academia Academic view of industry
- 5. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 5 Similarities 1/2 ▌Top management have a short attention span ▌Spectrum of attitudes to home working ▌“Customers” Academia has students and the staff community Industry has customers and employees ▌Agility and speed depend on size and complexity ▌Everyone is worried about (GDPR) breaches
- 6. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 6 Similarities 2/2 ▌Limited resources available for security ▌Silos between security operations/support and security research/product delivery ▌Challenge with getting internal marketing bandwidth ▌People are still people: Same problems with passwords Culture drives behaviour Trying to solve problems in isolation doesn’t work
- 7. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 7 Worked Example: Creating a Policy Password Policy Dear all, here is a draft Policy Dear CISO, about your password policy… The NCSC doesn’t believe in passwords!! Why haven’t we bought Technology X? I share all my passwords! It’s VITAL Here’s my 100 page summary of what we should do You’ve violated Process 56 para 23 I’m INCENSED you didn’t consult me first
- 8. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 8 Differences 1/2 ▌Sharing of information about security Academia is good at it Some private sector organisations do it well (e.g. media) Some don’t (e.g. banking) ▌Mergers, acquisitions More frequent in industry ▌Focus Governance (e.g. large multinationals) Risk (e.g. loss of trust > loss of revenue) Compliance (e.g. financial sector)
- 9. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 9 Differences 2/2 ▌More iconoclasts in academia ▌Top-down initiatives work better in industry ▌Industry may have more toys ▌Industry is still struggling with BYOD ▌Not as much “sales” in academia ▌Academics thrive on reputation
- 10. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 10 Industry infosec staffing challenges ▌Huge difficulty in recruiting and retaining infosec staff: No qualified recruits Hiring freeze ▌Large salaries ▌Focus on work-life balance to retain staff ▌Lots of churn (recent event, 90% of the 25 CISO attendees had been in their role <1 year) ▌School leavers don’t consider infosec careers (9 in 10) ▌No problem in Israel!
- 11. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 11 Approaches which work in any sector to improve security ▌People are people: Social contract Personal networks Get people involved via special interest groups/Champions “Gamify” Keep content fresh and relevant ▌Take the initiative after an incident or audit: Have a checklist of wants Keep quotes up to date
- 12. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 12 Successful liaison with senior management ▌Know the “business” and help it get what it wants: Understand the drivers (e.g. revenue, number of students, academic rankings, share price) Know the key players and what they want Make common cause with other business areas (e.g. Legal, Quality/Audit) Speak “non-tech” ▌Get in front of business/academic leaders Make your point clearly and briefly Learn from their choice of words Look at alternative solutions if you reach an impasse Aim to be invited back
- 13. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 13 Finally… get people onside!
- 14. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved. REF xxxxxxxxxxxx rev xxx - date Name of the company / template : 87211168-GRP-EN-004 OPEN 14 In conclusion ▌Not so much culture shock as a brief translation period ▌Skills and solutions are portable ▌Depends on your perspective as to what the differences are ▌Business drivers and relationships are key