University of Manchester’s CISO on Managing Major Cyber Incidents

In June 2023, the University of Manchester became a victim of a cyber incident in which systems were accessed by an unauthorized party and data compromised. The institution’s CISO, Heather Lowrie, had joined as the University’s cybersecurity lead just weeks before the cyber-attack and was faced with her first challenge.

With the incident now closed, Lowrie spoke to Infosecurity to discuss her main learnings around the response, how to enhance the resiliency of the higher education sector and advice for cyber professionals on fostering collaboration across the industry.

Infosecurity Magazine: What were your main learnings about effective incident response management following the cyber-attack against the University of Manchester in Summer 2023?

Heather Lowrie: Having the focus on building resilience was really key for us, and continuing to support critical services while also dealing with the response to a major incident was a significant achievement for the team.

Being able to continue to operate in the event of a significant cyber incident is key from both an organizational and whole of society perspective – that’s the main learning we took from the incident last summer.

IM: Have you adapted the University’s incident response plans or added new security measures following the attack?

HL: I’m always looking for ways of continuously improving our incident response plans, and we will continue to do that. We also have a big focus on cyber exercising and making sure our teams are prepared to deal with incidents. We exercise both internally and with external partners.

IM: What are the unique cybersecurity challenges in the education sector? How are you working to overcome these at the University of Manchester?

HL: Higher education faces a number of cybersecurity challenges and we align closely with UK government guidance for managing cyber risk in universities.

Universities are critical for economic prosperity and innovation and contribute significantly to society in the UK. We have to be very open and collaborative from a research perspective while protecting highly sensitive data and intellectual property.

It’s a challenging environment to operate in and we’re managing this by aligning with the Universities UK guidance which was developed with the National Cyber Security Centre (NCSC), Jisc and other leading industry experts. This has been really helpful in establishing a culture of cyber risk management within the university from the top down.

We also use the NCSC’s toolkit for boards to make sure that our board members are governing cyber risk effectively. That’s been really helpful as well as external advice and support.

IM: As someone who has worked in security roles in the financial sector and public sector, including in the Scottish government, are there any differences between how cybersecurity is approached between these types of institutions?

HL: It’s been really beneficial to have had that breadth of experience in the private and public sectors prior to my current role in higher education.

It’s important to be able to adapt to or tailor advice to the particular organization and cultural context that you’re working in, so it has been good to take my learnings and best practices I’ve picked up in my career and tailor those to the higher education environment.

IM: How do you think collaboration can be improved between governments and the private sector in cybersecurity?

HL: I always encourage my teams to consult authoritative guidance from government sources, which could be bodies like the NCSC or the Universities UK guidance that was developed in collaboration between the sector and government.

That’s a critical first step, and also working closely with external partners, including governments.

Attend sector events and conferences to bring the latest thinking and best practices back to their day job. I encourage everyone that’s working within my team to build those external networks and participate in those external networks.

In terms of specific operational benefits, there’s a range of tools that are provided that security teams can use, from the NCSC for example.

IM: What are your biggest concerns within cybersecurity today?

HL: My biggest concern within the industry is how we professionalize and build capability as an industry. It's important as we move towards the chartered statuses that are being offered by institutions such as CIISec, that we really encourage people coming into the industry to take advantage of those professional and standard routes and work with professional bodies.

I’d like to see a future where everyone who’s coming in at entry level to one of my teams is working towards chartered status and is on that professional career path. It’s great to see a lot of the work that’s being done in that area, including by the UK Cyber Security Council.

IM: What are the biggest successes that you think the cybersecurity industry is experiencing today?

HL: I'm a huge fan of security architecture and that's security by design – being able to build that kind of thinking into the design and development of new products or projects that are being managed internally.

I think there has been a real mindset shift in a lot of organizations towards engaging with security architecture and professional security practitioners more generally. That is really helping to shift the dial in terms of security and also the quality of services that are being developed.

IM: If you could give one piece of advice to fellow CISOs, what would it be?

HL: It would be to keep doing what you’re doing. It’s a difficult job, it’s not for everyone and it takes a lot of determination and a strong sense of personal integrity to succeed in this role. Everyone who is in the role has proven their skills and competence.

Leverage the community as well – there’s a strong community that we’re all part of and that is broader than the organizations we work in. Having that support network in this kind of role is really important.
