A UK university CIO’s lessons: Fix security, power WFH, negotiate budget
A spate of cyberattacks and security vulnerabilities gave the University of Salford CIO Mark Wantling some sleepless nights. His homework? Protect the network, pivot to home learning, accelerate digital transformation — and ask the CEO for budget flexibility.
Mark Wantling may be 200 miles away but his discomfort is plain to see, even on the small video window of a Zoom conference call. “That pen test was a car crash,” he says. “It was absolutely horrendous.”
A series of high-profile cyberattacks on universities already had him on high alert, so too the realisation that re-engineering the University of Salford’s infrastructure for thousands of remote students would have repercussions for cybersecurity.
But a brutal penetration test that successfully poked holes throughout his network in a matter of hours was what lit the touchpaper. It was this exercise which proved the catalyst for identifying and remediating zero-day vulnerabilities linked to the WannaCry and SolarWinds incidents, for issuing 38,000 critical security patches and for bringing his IT operations and infosec teams together in process and tooling.
Yet at the time, back in March 2020, Wantling had other priorities. With the first UK government lockdown on the horizon, the university, based in Greater Manchester, was in the process of migrating its virtual learning environment to a SaaS-based platform and had also deployed Windows Virtual Desktop and Citrix Apps and Virtual Desktop on a Nutanix HCI to allow students to remotely access applications and desktop PCs.
Pandemic accelerates digital transformation
For Salford, the pandemic offered the chance to accelerate its digital transformation initiative, which had been progressing for the past three years, and fast-track long-held ideas on mobile and online learning.
The socio-economic background of many of the university’s students is such that most of them are the first in the family to go to university, with some struggling financially to support themselves, Wantling explains.
“Our traditional response was, let’s put a lot of equipment on campus so that students can access anytime in the library or in open access areas. We had some longer-term plans to transition away from that and provide anytime, anywhere access … but those conversations were on the backburner,” Wantling says.
COVID-19, and migration to the cloud, changed that almost overnight.
“As COVID hit, the organisation saw it as a massive opportunity to engage IT and accelerate all those things,” Wantling says.
Negotiating a budget with the CEO
This did, however, require an open and honest conversation with the CEO. The chief executive came to Wantling to ask how the university could adapt amid the crisis; fortunately, the University of Salford CIO was already armed with a list of what could be delivered, over what timeframe, and the risks that would likely come as a result.
“If you can help me deliver with an injection of cash,” Wantling told the CEO, “I’ll help you balance some of the risk at the same time.”
That cash injection came, even as some establishments were tightening their belts.
“We probably spent two or three million pounds over our budgeted amount in this last financial year. Our transformation budget is around 15 million pounds a year,” Wantling says. “I’ve run IT in the order of 12 to 13 million pounds a year, and there was an additional investment of two, three or maybe even four million by the time we reach the end of the financial year.”
With the additional resources, Wantling believed he accomplished in 12 months what otherwise would have taken two to three years. Like other CIOs in the sector, he says COVID-19 allowed him to accelerate his digital transformation initiative.
Such modernisation, however, would clearly have an impact on security, particularly as nation-state actors were probing universities for insight and intelligence on vaccine development. Wantling knew that while his team was re-engineering and re-architecting systems on the fly, they were potentially introducing vulnerabilities into the network.
“We suddenly had to open up remote access to finance systems, to teaching and learning systems. We’ve got academics who want to do research, but they’re completely remote now. So we had to quickly re-architect and re-engineer systems … but we were having to do that in two or three weeks, not two or three months.”
Pentesting pains, and how to scare the CFO
The penetration test proved the catalyst for eventual security improvements, but the exercise itself was nothing short of a digital wrecking ball, exposing risks and vulnerabilities in record time. The brief for the pen testers was simple enough: breach the network and see what access and information they could glean. Four hours into a four-day paid assignment and the job was already done.
“That pen test started on Friday about 10 o’clock in the morning … I get a phone call, probably about one or two o’clock, to say it was the end of the exercise, the pen test is over and we’ve owned your network.”
Wantling explains that the compromise originated from VPN access, through which pentesters were able to elevate privileges and compromise the Kerberos ticket-granting account, which encrypts all of the passwords on the home network. If nefarious actors owned that, they would know every password for every account, and it would be difficult to kick them off the network.
“As a CIO getting that phone call three or four hours after what should have been a four-day paid engagement, you’re like … okay, we’ve got some big problems.”
Wantling took this information to the board and the audit and risk committee, and started concentrating on the quick wins. Some of the issues owed to technology implementation and process; for example, the institution was missing 38,000 critical security patches in an estate with 5,000 devices, while network visibility was challenged by siloed infosec and operations teams using different tools.
Real-time monitoring helps fix security
To counter this, he deployed Tanium Platform to get real-time visibility into the university’s network of connected computers and other devices. Through this, Wantling’s team could identify missing patches and vulnerabilities, discover shadow IT endpoints, create a common system for IT, security, risk and executive teams and increase the accuracy and speed of patch roll-outs. The institution was also able to reduce missing software patches to near zero and expedite patch windows from weeks to under 24 hours.
Such initiatives were no doubt aided by Wantling’s relations with the COO — who he reports into — as well as with the executive board. But perhaps they also owed to some unusual tactics to help executives understand the pervasiveness of cybercrime, such as taking the board on a tour of the dark web.
“I’m in this meeting and I’m displaying my screen. I browse to a forum on the dark web, where CEO, CFO and CTO email and username and password are for sale. [It’s] $250 for a CFO email address and password. And these are for some big organisations. My CFO sees that and says, ‘is that all I’m worth, $250 for my account?'”
Striving for digital inclusivity
Rearchitecting his infrastructure may have started from allowing students and staff to work from home, but it also pushed the university to analyse its on-site facilities and the digital divide among students.
Wantling explains that the majority of university students live five miles off the campus, and that Salford itself has some deprived areas. With a recognition that students would be better equipped if they had their own devices, the University of Salford CIO dipped into his surplus hardware budget to help address the problem.
“I’ve got around half a million pounds a year to spend on refreshing hardware on campus. And using Dynamics 365, which we use for our CRM implementation, I built a portal where students could apply to a technology fund. If a student met a certain criteria, out of my budget, I gave them a 300-pound voucher to order a device with our hardware supplier.”
The remote learning boom also saw him collaborate with facilities on reallocating space in under-utilised university cafes and other areas, something Wantling puts down to his background in relationship management and his growing influence as a CIO. But this isn’t to say that he believes that the job is done.
“We’ve got a long journey to go to improve our cybersecurity posture and our security. We’ve got our risk appetite and our current level of risk doesn’t fall within that appetite,” Wantling says, adding that a priority over the next 18 to 24 months will be to improve security so that he’s not worried about it all the time.
“For the transformation side, we’ve spent the last three years developing this digital transformation, and we’ve been pushing to deliver it. The last 12 months has demonstrated the pace and agility we can move at, so my aspirations are to maintain that pace and agility, without something like a global pandemic being the motivating factor behind it.
“We’ve proven how quickly we can move. And when we move at pace, we can still deliver high-quality solutions that meet our increasing customer expectations.”
Doug Drinkwater is an experienced technology and security journalist, whose work has appeared on CIO, CSO, InfoWorld, Internet Business Times, Macworld, Mashable, PCWorld, SC Magazine and The Week, among other publications. He is the CIO UK editor at IDG.