Michala Liavaag talks with Laura Dawson, Director of the Data and Technology Services at the London School of Economics and Political Science. She has been a leader in the Charity and Not for Profit sector for nearly 30 years including RSPB, Save the Children UK and British Council.
They discuss the ins and outs of cybersecurity in the higher education sector from the perspectives of both employee and trustee.
This is part 1 of the interview. Join us next week for Part 2.
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
Welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders.
Hello, I’m your host Michala Liavaag, and today we're going to be talking with Laura Dawson, the CIO, about her journey to becoming a cyber savvy executive. We'll discuss the ins and outs of cybersecurity in the higher education sector from the perspectives of both employee and trustee. Our guest today is Laura Dawson. Hi Laura, thank you so much for joining us today.
Laura: Hello Michala, I’m delighted to be here, thank you for inviting me.
Michala: You're most welcome. I think this could be a really interesting show for people to listen to.
L: I hope so, I very much hope so.
M: So for those in the audience who might be listening today that don't know who you are would you like to please just tell us a bit about yourself first?
L: My name is Laura Dawson, I’m the chief information officer at the London School of Economics, I’ve been there for about four years. I’ve spent most of my working career working with technology and I started leading technology teams way back in 1989 in fact, so I’ve been leading teams for quite a long time and I’ve seen a lot of changes in technology and particularly cybersecurity which I’m sure we'll touch upon.
M: I think it's also particularly interesting that you know as a woman you were in a leadership position in technology so early.
L: I guess, I mean, it was a bit of a surprise. I was very, very lucky. I mean, I should say first off that I am one of Thatcher's YTSers. So I went to a Highland ITeC and I studied computers on the BBC Bs, I did coding on BBC Bs and Commodore PETs, for those of you old enough to remember what those are. I first worked in an accountant's office, but I applied to join the civil service and I did what was called the automatic data processing aptitude test,
L: which got me into the Ministry of Defence, and then they had this thing in the civil service where all the jobs were advertised in all the departments and I applied for a role in a little tiny organization called the Government Actuary's Department,
L: and I got the job because I’d written a How to Use Computers guide in the Ministry of Defence and they were just blown away with the How to Use Computers guide. So yes, I got the job there and I was leading a team of three at the time.
M: It's really interesting to me about you know the path you've taken. Could you tell us a bit about how you went from Ministry of Defence into Higher Education?
L: Yeah, it's quite a journey actually. I mean obviously it's quite a long period of time. I was in the Ministry of Defence; 1986 was when I started there. I think mainly the focus and the theme of it has always been technology, and I’ve been looking for jobs that allowed me to do different things in terms of technology, and so I spent about 16 years working in various government departments. I worked, as I said, at the Government Actuary’s Department, which was great. Big data, and I mean really, and personal data, so you're talking about pensions and things like that, so lots and lots of data, lots and lots of sensitivity around it, at the very early days of computing. And then moving through sort of Oftel, and then I had a stint in an arts organization for the government, and I found that that was interesting; it was a bit more values based than what I’d been in before, and so I started to kind of understand more about social impact, all of those kinds of things. They were doing a lot of work with children and art. They were doing quite a lot of work with the University of Bristol on using technology to assist children in learning, and so it's kind of cutting edge type stuff, I mean this was in 2002 to 2006. And then there was a role came up at the RSPB, which I’d always been a bit… I mean I came from a farm, I like nature. I applied and I got the role, and I think that was when I realized that actually I really quite like the charity sector.
It's hard, it's really hard in the charity sector, for two really big reasons. One: when you're talking about cyber security, the culture in charities can often be "no one's going to hurt us because we're nice", and that's just not true, and it's quite hard to deal with that. And then the second thing in charities is they don't have a lot of wherewithal, they don't have oodles of cash; even the big ones are very conscious of their budgets. Every penny spent is a penny not spent on children, that kind of thing, or a penny not spent on nature, and that is always at the forefront of your mind, so you're always trying to squeeze a quart out of a pint pot. But the relationship with people that you had is just deeper and richer and more values based. You know, I can remember going to a bird reserve and I knew nothing about birds, I mean apart from an oyster catcher, I could probably spot one of them, and a robin. I’m rubbish at birds, and I remember being shown my first snipe and it's like wow, and I was just so excited! So you know that helped, and then I kind of went from a number of different charities. I jokingly say I’ve done nature, animals, children, world peace and now education. I’m ticking them off, but it is a... I mean education has always been something, I mean I kind of naively maybe think education is a major benefit and solution to many of the problems in the world. The more we can know about each other and about how things work, the better we will be.
M: I agree with you wholeheartedly on that, absolutely. Here you are then, higher education, and you've taken the role of CIO. At what point did you realize you were responsible for cyber security?
L: Actually right from the outset
L: Right from the outset, and I’ve been on a bit of a journey with cyber security, but when I arrived I had what was my executive team, so I had five direct reports, and then I had another four people who reported to me but they weren't in the executive team. One of which was the head of security.
L: So the first thing I did was I lifted everybody up. So I’m not having this, I’m not going to have, like you know, a dog leg, let's not do that, so lift it up. And then I went through a restructure of the team and basically went down to four direct reports, one of which was the head of cyber security, now my director of cyber security, so I’ve always been very aware and conscious that cyber security is part of my remit. And it's also part of my remit in two ways. So one is the kind of role that he has, which is the sort of assurance role, second line of defence role, but then I also have the first line of defence role, which is the operation. And so I kind of keep those two as separate as I can, but it is really important that they're connected together as well. So yeah, right from the outset. And then I realized that I didn't have what I needed in terms of strength; we had the right person, he didn't necessarily have the right authority in the team.
M: Yeah, I think that's very common across the board actually. Quite often, you know, security is expected to sort of do everything, be accountable even though it shouldn't be, and because they don't have the authority to actually make things happen quite a lot of the time, you do end up with this sort of conflict. But I’m quite interested in what you just said about you've got two roles, you know, the sort of cyber security and the operations. What about a third role in terms of you being the face of cyber security to your fellow execs, and sort of, you know, banging that drum and supporting? Would you consider that perhaps a third role, or?
L: I do, I do. I just happen to think personally that my director of cyber security is actually way better at it than I am. I absolutely do that, but I think he has got… I’m very blessed actually, he's got such a good way of delivering a message. I mean I’ll set him up, I mean I come do the introduction things: hello, this is my cyber security person, but he is perfectly capable of delivering that message with the level of authority that he needs. And with the way that we're working at the moment he does get to do that, looming down the camera at people, which really works quite well. What I don't want to do is water down his message in any way, in fact. His message has to be absolutely crystal clear and not adulterated by me in any way. So I have to do that, but equally I also have to translate sometimes and to do things in a slightly different way, and you know we have conversations about bringing context into the conversation and all that kind of stuff.
M: Yeah, so is that very much what you see your role as being, that sort of translator between the two sides if needed?
L: If needed, but rarely is it needed and, as I said at the beginning, I think he's just perfect and he's also that bit more, and this is going to sound a bit weird, he's actually that bit more empathetic to the needs of the individuals that he's having those conversations. So I will have no qualms about sending him in to have conversation with someone who's in a really difficult position, something bad has happened and he needs to have a conversation. I will have no qualms about him letting him do that because he will just do it so much more empathetically but also clearly than I could ever do, because he knows the subject so well.
M: Yeah, I think there's definitely a school of infosec pros who are sort of like that, in terms of, I was, maybe I’m stereotyping too much, the sort of old school and new school. The old school being the sort of, you know, "security says no", the new school being, you know, "well yes, how can we help you do that securely", and, did you say, being empathetic and understanding the business needs etc., or in your case the educational needs. You mentioned as well the importance of authority there. Was it simply lifting them up that gave the authority, or were there other things that you did that you can identify that really supported them in helping them with that?
L: Well probably the number one thing that I have to do is sponsorship. I have a very clear view about what I mean by that. You get a lot of I remember having lots of conversations with people about oh this person needs a coach or this person needs a mentor. I don't agree with that because what you're saying when you say this person needs a coach or a mentor is there's something wrong with that person and they need help to be better. There is nothing wrong with the individual that I’m talking about here, they don't need somebody to tell them how to do it. What they need is for me to open doors for them and that's what I mean by sponsorship. So my job is to do things like okay with that particular issue you know you need to speak to this person or I’m sitting in a board meeting and there's a conversation going on and say well actually why don't we get Jethro in here to discuss this with us because actually this is his area of expertise? and that's what I mean about sponsorship. I mean it applies to anyone in my team but particularly around about cyber security. And then there is, and I’m not always as good at this because you can imagine what I’m like I’m a bit full-on, the other thing that I have to do is to step back and give him the space. Now that for me is a huge stretch because you walk into a room and I just want to fill a room. But I need to step back and give him the space and let him say what he needs, to be able to say. And that's about giving him the floor, right? Letting him have that conversation and it comes down… it's little things. I had a boss who always insisted on doing a long preamble when they were introducing me to speak. So I was coming to a board meeting or something, there'd be a long preamble about that and it was all utter rubbish, not here, I used to say. It was all utter rubbish, but what it did was it just minimized me.
M: Right oh gosh
L: It's minimizing and so I have to make sure that if I’m you know there's no point in me doing a long preamble when I’m about to introduce somebody else to come and speak at a board meeting or in a in a committee meeting or whatever it is we're doing. I just need to say no I’m just going to hand over to Jethro. Jethro do you want to introduce yourself? And then you can take off from there. That's all you need to do, you don't need to do anything else. So it's giving people the space, be generous with your time, obviously, but equally be aware when you don't want to overdo it. I mean the other thing about it is: it's very easy to give him the authority he needs to do and for him to take it, because I trust him so much. I mean he is he's somebody who is just able to do the job really really really well and I know he is. So I it's dead easy for me to give him the authority he needs to do the job.
M: And how would you say um the organizations sort of responded to that change because obviously you know they were there before and suddenly you know here they are, you'll be more vocal opening these doors. How's the organization's sort of culture to handle that if you like?
L: Well I think, I mean, we've had some successes, which has helped. Well, first of all he always had a good reputation with particular parts of the school. So he deals a lot with things like the NHS toolkit, so he's always done that, and he's always had a really good relationship with the researchers of the school who were involved in those kinds of things. So he's already got that kind of baseline, but we can see they've responded really, really well because they've given us the money we need to do the work we need to do, so that's always a bit of a win. I mean being in a university we're probably in a really kind of quite privileged place compared to some of the other not-for-profits, but I think it does help. The other thing that really, really helped is that when I first started, so my first year, we had a ridiculous number of phishing attempts, and as a result a fairly ridiculous number of compromised accounts. It kind of happens twice a year with students. It happens at Christmas time and it happens at the start of the academic year. Christmas time because people are sending ridiculous pictures of kittens about with hats, people click them, I mean who doesn't like a cat? But then you also get, at the start of the academic year, loads of emails coming to students telling them click this, click that, so of course it's really hard for them to differentiate. So we had this ridiculous number of phishing attempts and we very quickly put some mechanisms in place to get that down. And the following year we went from ridiculous numbers, which I’m not going to tell you but it was ridiculous numbers, it had noughts in it, to two at Christmas.
M: That's amazing
L: And it was incredible, and my director was able, the director of the school, was able to say that in a school-wide meeting. So she said it out loud and it basically just opened doors for us, having a success of that kind, because it had been bad. And I think the other thing about it as well is that when we had the really bad time, I came in, I had a very different style on alerting the school when bad things were happening. My number one tip to anyone is: if something bad is happening, tell everybody, you know, don't be shy, don't be afraid. Just learn how to write: I need to inform you, this is underway, we're investigating, we'll come back to you at 11 o'clock and let you know what the update is. That's all we have to do, but you have to tell people, and so that's what I was doing. So they all knew we had this really terrible situation with compromised accounts and phishing attempts, and they also knew how we handled it, which made a big difference I think.
M: Yeah, I think that's a really, really good point there, because you know with security it's so, you know, sort of working, beavering away in the background, and most of the time people have got no idea what you're doing, what's going on, what you're sort of up against, and they only hear about you when something goes wrong. So make the most of that as an opportunity to show the value of your team, I think.
L: Yeah, and again, I mean in a previous job we also set up this thing, and I’m quite keen to consider doing it here, where we sent out security alerts that weren't just to do with the office.
L: So there, I think at the time there were some bank frauds going on, and bank account stuff. We had this process of sending out security alerts and it just said: title, what you need to know, why you need to know it, and then at the bottom it said: we don't send you anything that you don't need to know. And that kind of made it a bit more "what's in it for me" to read them. Some things like the I Love You bug, you know, and if anything hit the press as being a virus that people at home were attacked by, we would send out a security alert saying this is what you need to do, and that just made a bit of warmth towards the security team, that actually not only have they got our backs for work but they've got our backs for life too. That's quite cool, that's a cool message.
M: It absolutely is, and actually on that topic, where I used to work recently the head of learning and development did say to me, after going through the sort of new version of the e-learning course for cyber security, which was bite-sized sort of things together: these are really life skills, aren't they? I was like yes, yes they are!
M: Yes it's so easy to get more people realizing that and I think slowly we are perhaps you know
L: Yeah absolutely absolutely
M: In terms of, you know, again here you are, CIO with your team, new sector. What would you say was one of the sort of biggest surprises to you about that shift?
L: Well, coming into higher education? I guess it was the students actually, and I guess it's kind of like you had an assumption, we've always got this assumption that the generation coming up, and the next one and the next one and the next one, are more security savvy than, or more technically savvy than, you were. You know I’m a digital immigrant definitely, I’m not a digital native, but what I discovered, and what was a surprise to me, was how lacking in cyber savvy they were, and maybe that's something that again is for life as well as for the work environment: that not everybody who knows how to use an iPad or an iPhone really, really well understands the importance of their own data. And that I think was a bit of a surprise. I guess the other thing that surprised me is, everywhere I’ve gone, whether it was government or private sector to government to charity to higher education, it feels like I’ve gone back in time in every move. So it's kind of like government is 10 years behind private sector, and charities 10 years behind government. I wouldn't say that now actually, I think charities have outstripped government quite a lot, but then higher education is behind charity. And mostly it's behind it on applications and operations. So it's our operational side of things and how much we've automated that, and I suspect part of it is to do with selling software into the higher education sector. It's actually really difficult, because there isn't a kind of one-size-fits-all approach, and in fact, if anything, higher education hates the concept of one size fits all, and refers to it as one size fits no one. There's a real lack of technology in particular areas, around about operations, that would make us more efficient and more effective and less vulnerable. So everything's kind of, I mean the most horrific thing was finding out just how bespoke everything was.
We've coded our way out of every single bad process problem we've got, rather than looking at the design of processes. It's a bit of a horrific story I guess, and it's very, it's difficult to get out of. But that adds huge amounts of vulnerability; every single connection to every other, that's a hole, and someone can get in that hole.
M: Yeah and how do you sleep at night knowing that?
L: You have to, actually. I had a boss who once said to me: it's just a job to be done. Whilst I’m very passionate about what I do, I also have that in my head, it's a job to be done. Do what you can do the best you can, and I say that to everybody: do what you can do the best you can, but go and get some sleep, and go and live, because those are important too.
M: What would you say are the traits that make a good CIO and that enables them to work effectively with security and vice versa perhaps?
L: The number one thing is being, and I don't mean this to sound arrogant, but to be confident about your own abilities. If you are insecure about your abilities or you're insecure about the work that you've got to do, you're at risk of hiding things. You're at risk of that little voice behind you going "they are out to get you", or whatever it is that you've got in your little voice, that will stop you from doing what you need to do, because you have to be open and transparent, and build trust, and you can't do that if you lack confidence. I mean again, somebody once said to me, when I got a job and I was kind of going "oh my god, I can't believe they've chosen me, blah blah blah", and they went: no, they did choose you, they chose you. That means something, remember that. And that I think people kind of need to get into their heads when they go for a job, is that they were chosen for a reason, so a little bit of confidence I think is quite important. I touched upon openness and transparency: you have to be open, you have to be transparent. You have to be brave, you have to have that conversation with people that says: actually something has gone wrong, we don't know exactly what it is, we're investigating it. You know people will forgive you if you communicate, they won't forgive you if you don't. So that's kind of quite important. And then the other bit is about the communication, is just remember that nature abhors a vacuum. If you don't say something people will think you're a bad person and you're up to something and you're hiding it from them, which is awful in a security sphere, because sometimes you can't tell them.
M: Absolutely, yeah, there's something around the sort of marketing I guess, that's a, you know, on LinkedIn we talk about personal branding and everything, but I guess it's the same sort of thing here, around security, and the branding within the organization.
L: Yeah, it is. I remember having a conversation with my boss about something completely different actually. He was saying I just need to get through this meeting, and I went well, no actually, what do you want to get out of that? What's the message you want to get out of that meeting? What do you want them to feel? And that's kind of what you have to do with cyber security; yeah, we actually genuinely do have to scare people sometimes to get movement and get traction. So sometimes you want that brand to be clear, authoritative, but actually pretty brutal to get something across if you need to. But you also need to be empathetic as well and understand context. So yeah, I think branding, the brand that you want, what is the message you want people to take away about what you're saying? It's worth thinking about that up front.
M: Excellent. So is there anything else you'd like to share with our listeners around your role as a CIO and, yeah, cyber security?
L: I did want to touch upon something that we talked about separately, which was around about the conflict of interest, because I think it's a really interesting situation: should the CISO or the director of cybersecurity report to the CIO? And my kind of view on this is, and you're not going to like this, it depends. The context really, really, really matters, and interestingly I got into trouble with my team here actually a little while ago, because when I did the restructure, in the restructure document I said that at some point the cyber security team needs to come out from under the CIO and move to, we've got a thing called the school secretary,
L: that is the governance. So the team, they saw this in the paper and they were really upset because they didn't want to move from underneath the CIO. Now I’m not a brilliant person or anything like that, it's not that. It was that they could see a road map, they could see the path and they could see what they needed to do. But you contrast that with my job before this, and the CISO there was determined not to work for the CIO, and your CIO, I mean me then, so my previous self, was absolutely determined they were definitely going to work for me. So you have a bit of a journey, and that was clearly never going to really work. Things changed and it got a lot better. I would say at that point, that thing I said about insecurity, I was probably a bit more insecure than I am now,
L: and that insecurity kind of went "oh I can't let them go, they have to report to me, surely", you know, and you get that kind of behaviour. I think context matters, and I’ve met some CIOs where absolutely the director of security, or whatever you want to call them, should not report to them, because they just dampen down the message the whole time. The model that I would always go back to and always use is the three lines of defence model. I have that role of: I am responsible and accountable for the operation; my director of cyber security sits on the side, pokes me and goes "you need to be doing this, Laura, you need to be doing that".
L: So, I wanted to just touch on that and that conflict of interest. It can be there, but you've kind of got to be mature and confident and realize that it's not about you.
M: So in terms of, you know, this reporting line, I'd just say it depends, and actually, you know, I agree with you, it always does depend very much on the context I think. I’ve seen some CISOs reporting to CIOs where it works and some where it doesn't. Reporting to the CFO is quite common.
M: Yeah, now it's interesting you reacted that way, because for most people it's a "oh, ouch", and then for others they actually manage to make it work because they're able to translate cyber security risks into sort of a financial impact, which then helps the CFO support them in investment.
L: There's no getting away from it, it all comes down to personality and confidence. So I’ve worked for some CFOs whose main thing is all about reducing cost, reducing cost, reducing cost. That was always in it, and they didn't really understand that the value of investment is something that was to do with risk. Maybe that is the kind of key skill, the ability to assess risk, and if you've got a CISO, and I’ve had CISOs work for me who are like this, where the chances of anything happening are either a half, either it will or it won't, or it's a dead certainty: this bad thing is going to happen, and you kind of go, really? And if you've got that kind of almost binary approach to security, then that's going to push people away, and you know, so it does depend on both, and I think in those circumstances you definitely need somebody like a CIO over them to help them, to say okay, okay, that risk isn't really going to be 100%, is it? Let's just work it through together as to where we're going to be. The CFO, if they've not got a really good, strong understanding of risk, that could be a problem. I think we're violently agreeing, aren't we?
M: I do think we might be, yes.
The conversation with Laura was so good that we didn't want you to miss anything, so we split the episode into two parts. Join us next week when Laura will talk about her role as a trustee.