Michala Liavaag talks with Laura Dawson, Director of the Data and Technology Services at the London School of Economics and Political Science. She has been a leader in the Charity and Not for Profit sector for nearly 30 years including RSPB, Save the Children UK and British Council.
They discuss the ins and outs of cybersecurity in the higher education sector from the perspectives of both employee and trustee.
This is part 2 of the conversation. If you haven’t listened to the first episode yet, check it out: https://www.buzzsprout.com/1848607/9684259-s1e8-interview-with-laura-dawson-part-1.mp3?download=true
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
Welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders.
Michala Liavaag: Welcome back to our conversation with Laura Dawson. If you haven't listened to the first part yet, in which we discuss her role as CIO, I encourage you to do so first. And now we're going to talk about her role as a trustee and not just in one organization but two. So would you like to tell us a bit about how you became trustee and who you're working with?
Laura Dawson: Oh thanks very much Michala and welcome back everybody. I became a trustee of Charity IT Leaders back in 2008 I think it was, so I’ve been a trustee there for a long time and I have been chair as well so that was one, and then very recently I’ve just joined the board for the London University's procurement consortium.
Michala: So in both of those cases I’m quite interested as to how you bring cyber security into that. I mean, does it even come up at that level would you find or…?
Laura: Very much so I mean… well, first of all, with the charity IT leaders, all of the trustees are a leader in technology somewhere in either the sector I’m in, which is higher ed, or you've got the charity sector itself, and we've got somebody from private sector as well, who's a trustee, so and we are all technology leaders, so we all have a relationship with cyber security in one form or another, so that comes in. But yes it does touch upon the topics that we discuss. I mean the whole purpose of the group is to improve the use of technology in charities to the benefit of all of our beneficiaries whether that's nature, children, old people, people with disabilities, whatever the issue is we have them. We actually support loads of charities and therefore loads of beneficiaries which is rather nice actually. But yes, so it does touch upon the security stuff. And I think we've done a number of different things. We did a hackathon a few years ago as part of one of our meetings, whether or not we had diversity in cyber security. And the reason we did that, and the reason I wanted to do that, was because the threat is diverse.
L: And if we don't meet that diverse threat with diverse solutions they've got one over us. So we have to be diverse, we've got to understand, and that's diversity of thought, diversity of people, diversity of training, it's not just: have we got more women in cyber security? It's kind of much broader: ethnicity, gender, sexual orientation, everything, we need to be listening to lots of different diversity. But when we did the hackathon, what became really quite clear was: we actually also needed to do a hackathon on where security was in the sector anyway.
L: So it's a little bit disappointing. We were trying to do this kind of higher minded thing about diversity inclusion and actually the basics weren't there. So we've done quite a lot of work and we continue to do quite a lot of work. We do reach out every now and then to the Charity Security Forum, which is a great organization, we could do more with them we really.
M: Yeah yeah no I’d like to see that myself actually. That'd be really interesting if we could all start moving together, supporting one another more generally I think.
L: And don't start your own group if there's already one that exists, use it.
M: So that's your role as you know trustee of CITL for quite a while. What attracted you to the procurement trustee role?
L: Ah! It was really interesting and thank you for asking that question. Traditionally technology and procurement never quite had such a good loving relationship as we perhaps might like. Now I happen to have here, again I’m very blessed here, so I’m about to kind of just expand the virtues of our head of procurement, who is amazing, he's brilliant, but he kind of got me connected. And because we have such a good relationship, and because my view about procurement is a really important tool in your toolkit, good procurement. And if you don't work closely with procurement, it's going to come in at the last minute, and it's going to a bit like security used to, it's going to like draw air in between the hole in your teeth: tssss, wouldn't have done it like that, love. So you need to get them in early, so it's just about building that relationship with procurement. The London University Procurement Consortium is great because actually it's about bringing universities together to get bigger buying power, to be able to get really good deals, and you know, what's not to like really about doing that? So you know and I think getting that and making sure that we're doing cost-effective solutions savings for people is a really good idea. In terms of you know the last bit of the jigsaw if you like, cybersecurity and procurement, they need to be so close together you can’t get a cigarette paper between them. And I think what I would say about that is: they're actually both trying to do the same thing but with different lenses
L: They're both trying to get people to do the right thing to the benefit of the organization, and people often don't see it like that. There is a job that we all have to do, we have to make our processes so easy to use that people it's easier to get it right than it is to get it wrong. They've both got the best interest of the school the charity whatever, at heart and they often don't get seen that way.
M: Yes it's definitely as you say sort of not just a historical thing, it depends again I think very much of personality as well. Certainly in some organizations I’ve had amazing working relationships you know with legal, procurement, audit etc you know sort of all gateways if you like, where security can embed themselves in, and support each other, like: oh did you know about this? And say: no, but… that whole thing I think is really important and just thinking about the buying power you mentioned there, what about the benefit around supply chain insurance and sort of sharing that burden? Is that something that you've been looking at, at all?
L: Yeah, I mean again, it comes back to what I was talking about with our head of procurement, when he was talking about ethical procurement. We've signed up for Electronics Watch, and that was through LUPC as well, and it kind of takes some of the burden away, of making sure you're doing the right thing in an ethical way. So yeah I think that assurance, that supply chain insurance is really important. That was just one aspect on the ethical side. It's also there on the: is this company sustainable? Are they going to be around in 10 years time? And just helping us to do that and then making sure that we're getting the best value for money. I think where there's been a problem in the past with procurement is that the only tool on the toolkit for value for money used to be just tendering.
L: And the problem there was, if you've got something like, I don't know a SIEM, or you've put in place, you want a long-term relationship with a particular antivirus product or whatever the solution is, the cost of switching is not insubstantial, so if the only tool in the toolkit for value for money is tendering and you do that too frequently, then you're actually putting a heart attack across the security team every time you want to change it.
M: Yeah absolutely
L: And that's not really the best idea. So what you kind of are seeing now is much more about negotiation, ongoing and negotiation, other tools in the toolkit, market tests and checks, using various tools that give you market data, that you can then go into and have a conversation and renegotiate the contract. Your procurement are your friends if they've got those tools in the toolkit.
M: Yeah absolutely agree with you. You’ve used the term SIEM there, which I’m just conscious that some of our listeners may not know what that is, so would you like to explain for them?
L: It’s Security Information and Event Management. It's basically about us being more alert and more aware about what's going on within our environment. We're also doing quite a lot of vulnerability management, we're looking at SOC
M: Security Operations Centre, for our listeners
L: Yeah so yeah we want to put that in place as well. So there's a lot going on in our area here. I guess only you sort of jokingly talked about trust earlier, not jokingly but seriously talked about trust earlier, and the organization trusts what we're doing, so we've got the investment we need to do what we need to do, which is great, but yeah
M: Just bringing it back around to the trustee role side of it, how do you find your conversations with your trustees at the university around cyber security?
L: First of all, just to give you a little bit of context of the two, the difference between the two: the charity IT leaders, the trustees up until now have been the executive and the governance. So we've done both, so that has been slightly different in terms of the conversation that we have, I would have with trustees in a charity that's perhaps larger, where that governance and that executive have been split. So in our case the governance and the executive has been split, the council are not responsible for the execution of the strategy, they are there to ensure that whatever we're doing is being done in the right way. So the conversation is more about method and process and investment and are we at the right levels and have we got the right governance in place? And are we monitoring our governance now, we are we ordered appropriate times and all that kind of stuff. The conversations that I tend to have, and it's a very careful balance that you need to have, because I’m underneath the executive, so you've got me, then you've got the executive, and then you've got council. So in any of those circumstances is always a very careful balance, because what you don't want to do is walk in and tell the council something that you haven't done all the executives, so you've got to get that happy balance. The main thing is it's masses of preparation. I’m open and honest, I will talk about where things are in need of improvement, but you always talk about them in the sense of what are you doing to address it, yeah and that's always the conversation that you're having. What you don't want to do with anyone, executive or governance, is go oh my god all these horrible things are happening and it's all really really terrible and then leave it at that because that doesn't do anybody any favors, and isn't going to resolve the issue. So you've got to always have a kind of view about what you're going to do. 
When I worked in particularly another charity, I’m not going to say which one because that wouldn't be fair, but the trustees were quite unaware of technology. I mean, they were there for a particular reason and they were all from the field that this particular charity dealt with, but they weren't necessarily that aware of technology, and didn't see the value of technology. I remember having a conversation with them, not about security but about: it doesn't do us any good if your frontline workers are spending too much time on their computers, rather than doing what you want them to do, therefore we need to give them good computers because if they're too slow, they're spending too much time on those computers. And that was quite a difficult logical thing to try and get across to them, because they didn't spend any money on new computers or security, or anything, they just wanted their people to be out on the field doing what they needed to do, so they didn't see the link. If you've got a 20 minute boot up time for your computer, that's 20 minutes you're not in the frontline.
L: Which do you want, and we got them in the end, but our trustees often, in those sort of circumstances, don't sort of see that link, they're not always that business savvy.
M: So it's interesting that in terms of obviously, this is Cybility Savvy, but as you say, different trustees are brought in for specific purposes, just thinking sort of wider about charities and other non-profits in general, have you seen any increase at all in having one particular trustee sort of be the champion for cyber security?
L: And actually this is a really good point, actually and one that I want to get across to our listeners: is not enough. I’ve seen a lot of charities take on digital expertise, so it's somebody who's looking at innovation, or they're looking at being more personally relevant, or locally relevant to your beneficiaries, or your donors. I see a lot of that. That's great, but quite often they have chosen people who've come from an innovation space. Now innovation again is fantastic but innovation does not deliver at scale and a lot of these charities are delivering at scale. So that's always been the problem with startups is they don't always deliver at scale. So I don't think there is enough in the trustee about this kind of governance. We'll have financial governance and we might even have risk, but we very rarely see somebody at the trustee level who has a good understanding of cyber security. And yet, it is probably the biggest threat that most charities are facing, after the supply chain, the fuel issue, and the economy, but it is it is massive, and we don't see it.
M: Why do you think that is?
L: It's still not seen, I mean probably less so now after the pandemic actually, that technology is not seen as the enabler that it needs to be. It's seen as a janitorial service that's somewhere over there: oh it's just computers isn't it? It's just the stuff on my desk isn't it? That understanding of the value of technology to your business still hasn't quite landed and, I mean there's a talk that I do quite a lot, about what most organizations are facing, which is where they've done local innovative solutions and then somehow tried to lash them all together to create new processes, or new integrations, or whatever it is they've done. I don't think most organized organizations realize that that approach, which is 75% of companies have got that approach according to an MIT study
L: That approach means that every single one of those connections, every single connection, is a vulnerability. You could draw two little lines on every single one of them and all those little red lines are your vulnerabilities. I don't think people realize that, they want technology, they wanted to do amazing things, they somehow want it to happen up here, they don't really care about the legacy stuff, and the net result is: they don't see the value of the technology, and they don't understand the risk. So I don't think people understand the risk, I don't think people see that technology is intrinsic to their business, I don't think they understand legacy, and when they're appointing who wants a CIO on your trustee board? I mean it doesn't make logical sense to me, but then you know that's me ranting quietly in my little corner going: this isn't good enough. If we want to deliver digital services to our beneficiaries, they need to be secure, we need to put the right data in the right hands at the right time, safely. And we can't do that if we don't deal with this clutch of systems that are just lashed together in some kind of spaghetti-like way and gone: there you go, there's your technology core.
M: What's really interesting as well to me is, you know, just hearing you sort of go through that, is: it reminded me of another area that faced similar challenges, and that's enterprise architecture, not just enterprise security architecture, but enterprise architecture, which is an area that I’m kind of sort of interested in again, you have all sorts of things together, because I also think actually, if we did that well, a lot of this other stuff would just flow. But as you said 75% of organizations are just things together and it's probably, maybe I think 1% of organizations that even know what enterprise architecture is, and do it.
L: So enterprise architecture is very similar to cyber security in many ways, and it comes back to what we were saying earlier about what are the skills and attitudes and behaviors that you need in cyber security? Same question: what do you need in enterprise architecture? I think, and I’m very blessed here, and that this does not relate to my currency, my current team are amazing and they're great and they've got all the attributes that I want, but there is a bit about early enterprise architecture where they did suck the air in over the teeth, and they did kind of go oh I wouldn't do it like that love, and they basically push people away, and there is a there is a conflict, just as there is with cyber security and ops, there's a conflict between enterprise architecture and ops. Ops just want to keep things running, it wants to keep it going, it's got an operation, it's going to get loads of calls if this thing goes down, it's not going to work, you've got to stay away from my live system. And you know people do talk about my network, my server room, my you know whatever it is, so there's that real kind of need to keep the operation running, and then you've got enterprise architecture, it needs to be designed properly, and there's a conflict there. And if they don't have the empathy and they don't have the trust, and they can't articulate it in business terms, and they kind of sit in the little enterprise architecture ivory tower kind of issuing and dictates about how things are going to be, then yeah you're going to have people not understanding the value of enterprise architecture. So I mean for me it's the same with cyber security: the key thing they need to do is define their services, define the services you give. Some of them are going to be tactical, some of them are going to be strategic. Make sure your tactical ones are easy to get hold of and you can deliver them well. They give you the key to the door to do the strategic ones. 
You cannot do this job without enterprise architecture and what amazes me is we build a building with architecture, why do we not understand that it applies to everything else?
M: Yeah I have no idea
L: It's like anything, it's plumbing, it's got to connect, you've got to have things moving smoothly between it. We have a strategy here our vision for technology here is to create and maintain a strong operational core.
M: There's so many wonderful things you've shared with us today and, whilst I appreciate that you've probably got a lot of that from your own experience, you know are there any sort of books you've read that you think are particularly useful for people?
L: I’ve got three actually, I’m afraid they're all non-fiction, although I threw in a fiction at the end. And so the first one is a book by Christine Pearson, which is The Cost of Bad Behavior, and that was a real eye-opener about how important it was to build an environment where people feel they could talk to each other, there was no bullying, all of those kinds of things, create the right kind of culture, and the cost of not having that. And it's a bit of an eye opener when you go through, it's a bit of an exercise, you can kind of go through do the costings, but the amount that that bad behavior costs us, and costs the world and organizations, is a lot bigger than people think it is.
L: My second book that I would recommend is by Kim Gene, he's written a book called The DevOps Handbook, he's also written something called The Phoenix Project, but the DevOps is actually about putting that into action. And I don't know about anyone else, but as in every role I’ve joined, apart from this one, in every role I’ve joined, my first week there's been a massive outage. It is like traditional. And now I’m reading this book, I kind of realized that what the issue was is that, when there's a change of CIO, there's a loss of control over change. And change is your biggest vulnerability, and if you don't get your arms around how you do change on your live environment pretty darn quick, then things start to get looser and looser and looser, because you go back to this thing about the conflict with ops, they just want to get things working, they just want to I’ll just apply this patch, I’ll just pull out this network cable, I’ll just do whatever. And you have to get your hands on change, and they start with a kind of series of steps, the first of which is zero tolerance on unauthorized change.
L: If nothing else, just remember that sentence: zero tolerance in unauthorized change, it will change your life as a CIO it's amazing
M: And a CISO
L: And a CISO, yeah. And then the last one is my new favorite hero is a lady called Jeanne Ross, who is enterprise architect, and she's a professor at MIT. She's actually retired now unfortunately, but she's still amazing, and she's written a book called IT Governance and that's quite interesting because it boils it all down to decision rights.
L: The most important thing you need to get right on IT governance is where decisions get made. And if you have, as many organizations do, decisions all over the place, then you have anarchy, and that's really difficult to deal with. So, I think those are my three kind of books in the topics that we're talking about, that really helps.
If I throw in my fiction it has to be Stephen Donaldson’s Mordant’s Need. I couldn't bear Thomas Covenant in the Unbeliever, because I hated the character but Mordant’s Need is just a really… I’ve read it, I must have read it five or six times, it's just lovely, it's a bit romantic-y, fantasy type thing, but it is, it's really good, and the importance of protecting your interfaces actually. I’ll say no more.
M: Okay, well for those who like fantasy, we can add that to our reading list as well. Brilliant, thank you very much for that. In terms of keeping yourself up to date, do you tend to listen to podcasts or other things, what do you tend to do?
L: Oh podcasts definitely. I do a morning walk every day and it's usually about 40 minutes, so that gives me enough time to usually listen to a podcast. So yeah I do listen to a lot of podcasts. I also read quite a lot. I read a lot of usually articles, I use LinkedIn a lot, to kind of keep up to date with the articles. And then I also quite like videos, I’ve gotten into creating and watching videos for getting information across, I just find it's a really easy way for me to digest.
L: I have to make myself read a book, so those three books I gave you, I made myself read those to the end, so that's pretty good that shows they're good.
M: Cool okay and as we sort of wrap up here, what is one question that you wish I’d asked you and how would you have answered?
L: It's a bit of a leading question, I think. I would have wanted to see is just how important is trust in cyber security. And it's interesting because the whole posture of cyber security has to be zero trust. It has to be, but when you're talking about the relationships within an organization, you have to build trust about talking to people, and being connected. So I think there's something there about not underestimating the value of building a trusting relationship between the CIO and the CISO and the CFO and the COO and all of those individuals so that you can get in the door and you can have a conversation. And that means: use your power wisely. Don't go up like a skyrocket every time any little thing happens, you know? One phishing attempt does not a summer make. You kind of use your power wisely, and be pragmatic, and you'll gain the trust yeah
M: Excellent I think that's a great little phrase, so use your power wisely, and be pragmatic to gain trust.
L: Yep, absolutely.
M: I like that as a nice little takeaway for everybody. Well actually, that probably ties into the advice you'd give people as well would it? Or would there be anything else you'd like to add?
L: Oh yeah, I mean, I think I’m at the moment busy working in my mind on a kind of there's a formula for trust.
M: There is yes, the trust equation, sorry
L: Yeah but I don't know this I’m making my own one up
L: which is, I’ve actually seen the trust equation, but for me the kind of key ingredient… so maybe it's the recipe for trust, let's not call an equation, let’s call it the recipe. I’m following a Great bake-off kind of approach. I think you need to have a huge dollop of transparency, so you have to be, to build trust you've got to be transparent. So we talk about being radically transparent here. That doesn't mean to say that I run around the campus with no clothes on, what it means I’m really clear about what I’m doing and why I’m doing it, and I try really hard. And I don't always succeed in communicating what I’m trying to do and what I’m doing, and not hide anything. And with that comes a little a soupçon of taking responsibility. So if something goes wrong, it is far far better to say: that's on me, let me go and deal with that, than it is to say it's not my fault. So taking responsibility is really important. So you've got transparency and taking responsibility. I think the other thing is integrity. And that is about doing what you said you were going to do, and being really just consistent about it and all the rest of it. And then maybe the last bit of the trust equation is about context and context matters. The hundreds and thousands that you scatter across our lovely cake that we've just built, has to be the context. What is the context that you're operating in and if you don't understand that, and you don't pay attention to that, then it doesn't matter about the others, you're not going to fit and so I put those in. So all those things really are the recipe for trust.
M: Okay that's brilliant, so we've got our recipe for trust that we can all go away and have a go at. And so where can we find you online if we've got some questions about that recipe?
L: I am predominantly on LinkedIn. I actually watched the Social Dilemma a few months back, and so I’ve cut my use of Facebook and Twitter to an absolute minimum and I’m rarely on. I do go on occasionally but usually only to talk about football, so I wouldn't meet me there. So I’m on LinkedIn predominantly and you can find me Laura Dawson on LinkedIn.
M: That's brilliant, lovely. Well thank you so much for a really fascinating conversation today, really appreciate it and I hope that our listeners enjoy it as much as I did.
L: It's been an absolute pleasure thank you so much for the time and it's been great and I hope to see you again soon.
M: Will do okay bye-bye