The document discusses similarities and differences between information security approaches in academia and industry. Some key similarities include both sectors having limited security resources and challenges getting buy-in from top management. Differences include academia being better at sharing security information while industry focuses more on governance, risk, and compliance issues. The document provides recommendations for improving security in both sectors such as leveraging social networks and taking initiative after incidents.

1. www.thalesgroup.com OPEN
Culture shock?
Academia vs industry
Bridget Kenyon
Global CISO
Thales eSecurity

2. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
2
Content
▌My background
▌Academic and industry approaches to information security:
Similarities
Differences
▌Methods to achieve security improvements in both sectors
▌Getting traction with senior management teams

3. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
3
▌4 private sector organisations:
Lucas Varity (aerospace)
7Safe (security consultancy)
Thales eSecurity (engineering)
Travelex (finance)
▌5 universities:
Aston
Birmingham
Warwick
Cambridge
UCL
▌Other:
British Standards Organisation
DERA
My background

4. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
4
How we view each other
Industry view of
academia
Academic view
of industry

5. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
5
Similarities 1/2
▌Top management have a short attention span
▌Spectrum of attitudes to home working
▌“Customers”
Academia has students and the staff community
Industry has customers and employees
▌Agility and speed depend on size and complexity
▌Everyone is worried about (GDPR) breaches

6. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
6
Similarities 2/2
▌Limited resources available for security
▌Silos between security operations/support and security
research/product delivery
▌Challenge with getting internal marketing bandwidth
▌People are still people:
Same problems with passwords
Culture drives behaviour
Trying to solve problems in isolation doesn’t work

7. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
7
Worked Example: Creating a Policy
Password
Policy
Dear all,
here is a
draft Policy
Dear CISO,
about your
password
policy…
The NCSC
doesn’t believe
in passwords!!
Why haven’t we
bought
Technology X?
I share all my
passwords! It’s
VITAL
Here’s my 100
page summary of
what we should
do
You’ve violated
Process 56 para
23
I’m INCENSED
you didn’t consult
me first

8. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
8
Differences 1/2
▌Sharing of information about security
Academia is good at it
Some private sector organisations do it well (e.g. media)
Some don’t (e.g. banking)
▌Mergers, acquisitions
More frequent in industry
▌Focus
Governance (e.g. large multinationals)
Risk (e.g. loss of trust > loss of revenue)
Compliance (e.g. financial sector)

9. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
9
Differences 2/2
▌More iconoclasts in academia
▌Top-down initiatives work better in industry
▌Industry may have more toys
▌Industry is still struggling with BYOD
▌Not as much “sales” in academia
▌Academics thrive on reputation

10. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
10
Industry infosec staffing challenges
▌Huge difficulty in recruiting and retaining infosec staff:
No qualified recruits
Hiring freeze
▌Large salaries
▌Focus on work-life balance to retain staff
▌Lots of churn (recent event, 90% of the 25 CISO attendees had
been in their role <1 year)
▌School leavers don’t consider infosec careers (9 in 10)
▌No problem in Israel!

11. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
11
Approaches which work in any sector to improve security
▌People are people:
Social contract
Personal networks
Get people involved via special interest groups/Champions
“Gamify”
Keep content fresh and relevant
▌Take the initiative after an incident or audit:
Have a checklist of wants
Keep quotes up to date

12. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
12
Successful liaison with senior management
▌Know the “business” and help it get what it wants:
Understand the drivers (e.g. revenue, number of students, academic rankings,
share price)
Know the key players and what they want
Make common cause with other business areas (e.g. Legal, Quality/Audit)
Speak “non-tech”
▌Get in front of business/academic leaders
Make your point clearly and briefly
Learn from their choice of words
Look at alternative solutions if you reach an impasse
Aim to be invited back

13. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
13
Finally… get people onside!

14. Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorinpartor
disclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2018Allrightsreserved.
REF xxxxxxxxxxxx rev xxx - date
Name of the company / template : 87211168-GRP-EN-004
OPEN
14
In conclusion
▌Not so much culture shock as a brief
translation period
▌Skills and solutions are portable
▌Depends on your perspective as to what
the differences are
▌Business drivers and relationships are
key