There was a time when Richard Addiscott scoffed at the idea of working in higher education: “My perception was that it was somewhere to go in the twilight of your career. And that tweed jackets with elbow patches and corduroy pants were the order of the day.”
The stereotypes quickly faded when Addiscott arrived at Curtin University in Perth at the beginning of last year, working as director of IT planning, governance and security.
“It reset my thinking,” the former BAE Systems information security consultant told a Gartner Security and Risk Management summit in Sydney. “It’s one of the most forward thinking, dynamic and complex environments a security professional can work in. And that’s only been amplified since joining. It’s far more competitive than I could have imagined.”
Last year, Western Australia’s largest university identified a shadow IT problem caused by a lack of trust between the IT department and the fast-moving innovative business units. Addiscott described it as a ‘trust chasm’. But there’s now a plan to fill the gap.
“On the one side we’ve got the business who doesn’t trust us because they think we don’t understand their business; we’re too slow and don’t respond on time; we don’t have the skills needed to support the digital capabilities they want; the tools that IT provides aren’t fit for purpose anymore,” Addiscott said.
“Curtin IT services don’t trust the business because when we ask them they don’t know what they want; they’re moving too fast for us to respond. And they don’t understand how hard IT is. In that divide between the two you get shadow IT.”
Addiscott, a one-time adviser to the first National Security Chief Information Officer within the Department of the Prime Minister and Cabinet, explained that his team was left with a choice.
One was to ‘butt heads’ or ‘go cage match’ with business units. Another was to “try and throw more red tape at them and hit them up with more bureaucracy”, he said. “None of those things are going to help us win friends.”
An organisational restructure of IT in winter last year gave Addiscott and the wider team a chance to hit reset on information security at the university. Fundamentally, he said, it was a choice between being the ‘compliance police’ or a ‘change agent’.
“Rather than fight and expend energy and reduce even further the political goodwill across the university – what we tried to do is reframe the way we look at shadow IT,” he said.
“Security has typically been very comfortable under the compliance and technical security comforter. We like that. There’s a 1 or a 0; it’s compliant or it’s not compliant, it either works or it doesn’t. But there’s always a negative connotation to it. We need to be far more focused on a risk based approach and far more comfortable with, and adept at, dealing with uncertainty.”
Addiscott and his team laid out a strategy to build trust across the organisation as well as improve the level of security. It would include strategic alignment between security and the business, bi-directional security awareness, a baseline level of security capability, a new approach to governance and a risk-based rather than compliance-based approach.
Although it has only recently got underway, there is already significant momentum behind the plan.
Grazing in the paddock
The team has appointed a student from Curtin Business School to work as an intern for two days a week through the semester and develop a security campaign aimed at students.
“It’s fair to say myself and my team don’t speak fluent student. We don’t understand how they’re going to be reacting on social media, and the language that resonates with them,” explained Addiscott.
The team has also launched a security advisory service.
“It has a very strong directive: we don’t say no. We say ‘that sounds like a great idea, how do we do that securely? How do we make that work?’”
The service also acts as a broker to those students needing additional, specialist services the team doesn’t have capacity for.
“A student might develop a mobile app with clinical trial data. Quite often those apps are developed by students who don’t have a lot of idea around security. If we can talk to them early we can say ‘you need to build this into the design and you’ll need testing here and here, and penetration testing at the back end’.
“That costs money and it’s a capability we don’t have in house, so the idea behind the panel is also to broker those services very quickly, on behalf of the project to make that happen for them.”
The university is also working towards what Addiscott calls a ‘trust paddock’. This is an IT environment within which people can operate without security necessarily needing to be engaged. Inside the paddock are easy-to-access frameworks and freely available documentation, as well as access to experts.
“It’s a building environment where everything helps guide the parts of the university that want to do digital projects, where they don’t have to rely on security and IT to do it.”
Each scheme is helping the university shed its shadow IT problem and, most importantly, helps the security team generate business value in line with the fast pace of innovation it’s seeing.
“We need to adjust our thinking. As a security professional it’s very easy to bemoan shadow IT as something that makes the organisation more vulnerable to security threats, to operational risks. At Curtin we’re trying to reframe that,” Addiscott said.
“As security leaders we can crawl under our desks and suck our thumbs. Or be forward thinking.”