At Crossword we work closely with universities, tech accelerators and academic start-ups to ensure new cybersecurity and third-party risk management knowledge is incorporated into our products and services. Here, Chief Product Officer Jake Holloway explores the role academia has to play in cybersecurity risk management.
The following is an excerpt from our recent report, Strategy and Collaboration - a better way forward for effective cybersecurity.
Academia has a significant role to play in the pipeline of innovation and science in cybersecurity. Academics can look at the bigger picture and put research effort into solutions to major problems, such as the explosion of data from the Internet of Things or how to secure critical national infrastructure. Companies and governments are often too busy dealing with day-to-day issues to spend significant time on the big picture. On the other hand, academics must guard against naivety; from a distance it may be easy to think they have solutions to problems, but people who work at the cutting edge can often see issues with suggested approaches that those not in the direct line of fire would miss. That’s why partnerships are so important.
Though academics do work with companies and governments, 90 per cent of research is initiated by them and sold on. A lot of work is focused on areas of commercial challenge, such as identity management and threat visualisation. Ransomware remains the biggest issue and often SMEs still aren’t spending enough to defend against such attacks. It’s important to teach CIOs and CTOs about the risks and how they can mitigate them.
The challenge with critical national infrastructure is that nations are reliant on a constellation of technology they fundamentally can’t protect from hostile state actors. That doesn't mean they are doing badly, simply that the situation favours the attacker. Governments have a huge waterfront to protect from a highly motivated adversary. Researching vulnerabilities means that academics can help keep systems as secure as possible against malicious actors. However, much critical national infrastructure is run by private companies that answer to their shareholders. They aren’t incentivised to tackle vulnerabilities that might affect others more – and that is a problem academia can’t solve.
Academics are also very aware of their role in tackling the skills shortage. Universities can set up courses, and are doing so. PhD candidates are working in industry on cutting-edge projects that will yield new research and often generate new intellectual property. Some PhD candidates are working on projects so secret that they can’t even tell their supervisors what they are doing. However, one problem that academia has is that it can’t offer the salaries that experts in cybersecurity, artificial intelligence and data science can earn in industry, especially with big tech firms. That makes it difficult to attract people with more than theoretical experience of these threats. Academia must find ways to get expert practitioners involved.
The cybersecurity sector must attract a more diverse range of people, too. Companies need to lower the bar of entry so university courses aren’t the only way in. But they might also look beyond technical people; cybersecurity needs cognitive psychologists, change managers, business experts and more. Cybersecurity touches every part of the public and private sector, so greater attention must be focused on it.