Mick Jenkins MBE, Chief Information Security Officer at Brunel University, had a core vision to build a unified cybersecurity platform. He explains his cybersecurity strategy.
Before I joined Brunel University as Chief Information Security Officer, I worked in counter-terrorism as an intelligence officer and bomb disposal officer. The journey from the world of intelligence to cybersecurity was a natural one for me, for many reasons. Nowadays, you could say that a lot of my role as a CISO focuses on counter-intelligence and that’s how my team operate within a cybersecurity operations centre (CSOC) designed specifically for that purpose.
One of my roles in defence intelligence was what was known as Intelligence Preparation of the Battlefield (IPB). Nowadays, I’m more interested in what other adversaries are doing in the intelligence preparation of cyberspace. This is where the adversary is plumbing into networks and digital environments, persistently gathering intelligence, waiting for the point in time when they can trigger a specific action to achieve an effect, conduct an exfiltration, or worse, a complete denial of service through ransomware or similar. So, we have to be familiar with their tactics, techniques and procedures (TTPs) and of course build capability to counter that.
My core role as CISO has always been to deliver the five-year strategy I designed, and one that was formally approved by the Executive Board in 2017, so we’re just over halfway through now. My daily tasks all relate in some way or the other to the delivery of that strategy. For example, at this moment in time, I’m focusing on the capability development plan for establishing safe data havens for our research and sensitive data, through a sequencing of functionality to achieve zero trust environments. This capability development programme and cyber and information security strategy is very important to the university, very much because they rightly see cybersecurity as one of their top five strategic threats.
To help me with delivering the strategy and building complex capability, I chose to recruit only a small number of strategic partners. Embarking on such an ambitious programme simply could not be done alone and one of my core visions was to build what I call a unified cybersecurity platform. Cisco provided the instrumentation, Exabeam delivered the next generation SIEM and Khipu act as our expansion of the analytical team to develop playbooks, conduct penetration testing and deliver other InfoSec services. I like to call them all my ‘critical friends’ as they’ve been superb at taking my intent and shaping it into a technical solution and roadmap that is technically unique within our education sector.
One of the great lessons I learnt both in the military and in the world of cyber capability development is that you need a great team to make things happen and to make a difference. My internal team consists of cyber analysts, privacy experts and matrixed IT architects and programme managers. It became clear early on that the programme manager was a vital aspect of that work and that’s where Expede, as the fourth partner, helped to navigate the sequencing, tasking into IT teams and acting as the glue between me and my partners. The pace was slow initially, but we now have a battle rhythm in place that is providing core intelligence, automated defensive measures and threat hunting through our CSOC. The next stages of the strategy are to implement data loss prevention and cloud monitoring as we move on towards creating zero trust environments.
Cisco and Exabeam have been magnificent in acting as the expansion of my team, and their critical thought, and positive attitude has made a difference. Teamwork has made a huge difference where I now see IT teams, privacy, cyber and programme teams all operating towards a common goal and that in itself has infiltrated our university community where security is now well embedded into everyone’s thinking.
In terms of my day job, all this has allowed me to provide accurate threat and risk metrics to the executive board on a regular basis. They are very keen to see that we invest in our IT and cyber infrastructure, not least because they want to future-proof our environments to better protect our high-grade intellectual property and staff and student personal data. A data breach could have a huge impact on an organisation such as ours, mainly because we operate in a place of trust: trust with our research and commercial partners, with the clients we serve, with the students and the staff whose data we store and process. A breach could have a severe impact on retaining trust and competitive edge with all our stakeholders, as well as large fines. Investing early was the university’s way of insuring against such strategic risk.
What has been insightful for me is that most of my counter-terrorist and bomb disposal work operated with the same doctrine as we use today to counter cybercrime. The ‘kill chain’ is a term used within cyberdefence to explain the varying phases of attack, from reconnaissance, deploying the payload, right through to executing the bomb or ‘cyber bomb’. Defenders seek to exploit the phases to predict, detect, mitigate and contain attacks. We now have an approach within the analysts and with our instrumentation, to operate in the space of the ‘kill chain’, to get ahead of the adversary through effects-based thinking: predicting where nation state and organised crime attackers will seek to attack us, knowing our true vulnerability to those stages of the attack through red team simulation exercises, containing incidents through automation and responding through incident teams that have been well trained to react and deliver an effect quickly. The value of simulation exercises from an adversary such as advanced persistent threat groups has significantly improved our joint team’s knowledge of TTPs and our own vulnerability. The biggest challenge for the university has been the balance of investment versus return on investment. This balance has been achieved through careful thought leadership, including from Cisco and Exabeam, and the executive board are now seeing the ROI and, more importantly, the enduring value of investment through metrics showing far fewer incidents and occurrences.
Skills-wise, it was important that the tech instrumentation and high-end capability was fully in tune with our cyber forensic analysts. Another core challenge was to make sure we invested appropriately in tech, process and people. The people part has always been the best part for me: coaching and mentoring the teams to operate to a new doctrine, with new technical functionality to achieve an effect. The challenge, which is ongoing, is in developing the analysts and our cyber apprentice through ongoing formalised training and visiting other CSOCs. We’ve also been very grateful for the support of Exabeam in upskilling our team through varying innovative exchanges and visits from their teams. This is ongoing, and a core part of my intent in the coming year, to further ingrain the strategic partnership.
From a personal perspective, I have been monitoring nation state cyber actors for some time and often inject some of their tactics into my novels. The nexus between the nation state and proxies, plus organised crime, has most certainly broadened of late. In Russia for example, the state will pretty much turn a blind eye to organised cybercrime gangs so long as they do not touch the state apparatus. And alongside hybrid warfare tactics, the use of proxies to conduct cyberattacks is now widely seen to mask attributability. It’s certainly an area to look out for, particularly as the TTPs can be passed from one actor to another. Another example is where some nation states allow their cyber actors to generate income by stealing data and selling it on the dark web to self-fund their own criminal machinery.
It’s been a great journey at Brunel so far and in a sector that I quickly realised really needed executive board buy-in. This top-down approach is vital to cascade into the workforce how important cybersecurity is for them. If it begins at the top, the behaviours and the culture change much quicker, and an enduring communications campaign into our community was a vital part of changing minds and improving practice to become more mature across all the strands of information assurance. It’s great to see that IT practitioners, our staff and our community now care about data. And as a result, data handling has improved.
Tips for aspiring CISOs? Well, from my experience at Brunel, there are a few. Make friends with the executive board and relate all your narratives to crime, without any jargon. Then people get it. As a leader of people, invest heavily in your staff and give them a clear professional development pathway, as well as clear objectives, doctrine and process. Conduct regular simulation exercises; they really are vital, and bring together great programme managers and strategic partners. The rest is, well, simply hard graft to navigate the many perils along the roadmap. Finally, enjoy it. It’s been one of my most favourite leadership positions in a career spanning four decades.