Jason Halls: Empowering Security Ecosystem to Safeguard Critical Data

The Institute of Cancer Research(ICR) is a public research institute and a member institution of the University of London, specializing in oncology. The ICR is a leading academic institution in the UK and has been carrying out world-leading research into the causes of cancer, and how it might be treated or prevented, for more than 100 years.  The ICR was the first to provide evidence that DNA damage causes cancer and have discovered more new cancer drugs than any other academic centre in the world.  In partnership with The Royal Marsden hospital, the ICR provides a unique bench-to-bedside approach to making the discoveries that defeat cancer.

Leadership with Unparalleled Expertise

Jason Halls, the Chief Information Security Officer (CISO) at The Institute of Cancer Research is a qualified software engineer and holds several security certifications.  He is a fellow of the Chartered Management Institute and the Institute of Analysts and Programmers.  He has been entrenched in secure environments since the mid-90s where he worked on software to detect submarines.  After completing his Master's in Artificial Intelligence he joined one of the UK Intelligence Services to develop messaging systems that were critical to the UK's national security.  Here his endeavours not only opened up new ways of working but also accelerated the dissemination of crucial information from days to minutes.  This was achieved whilst meeting and surpassing some of the World's strictest security requirements.  Almost 2 decades later he left to broaden his experience outside of the rigid confines of the intelligence community.  Moving to the private sector made him appreciate that security is a negotiation, not an edict.

Joining the ICR gave Jason an opportunity to contribute to a great cause and to own information security at a world-class organisation that is a charity, a research institute and a university with PhD and MSC students.  This provides unique challenges where information security must be appropriate to the company, its staff, and the data it handles.  It must secure medical data and intellectual property whilst giving staff the flexibility and freedom to carry out their research with the minimum of distraction.  Getting this balance right whilst providing a strong foundation of security is at the heart of his work.

Commitment from the Executive Board and the Board of Trustees

Jason has seen how poor leadership and slavish adherence to security can paralyze a company – where it cannot perform its main function due to the restrictions security puts in place.  He was determined that this would not happen at the ICR and that security would be seen as an enabler, not a hindrance.  On the day he joined the ICR he attended a forum for IT and researchers to discuss new initiatives.  One of these was a set of screensavers commissioned by IT that would display basic infosec awareness messages (such as "don't share your passwords) when the screen locked.  One researcher objected to its introduction as it could distract their train of thought and potentially lose something that could defeat cancer.  This exchange gave Jason valuable insight into the company.

• The institute exists to defeat cancer and its researchers are key to this.
• The relationship between the IT department and the researchers was broken. There had been no attempt to explain why the screen savers were necessary, what workarounds could be implemented, or to obtain the opinion of other researchers.
• There was a distrust of IT and a perception that they were hindering research rather than supporting it.
• A heavy-handed approach to security would not work, therefore Jason needed to win hearts and minds to improve the security posture.
• His goal would be to promote security as something to enable collaboration and promote good data governance.

In 2019, Adrian Cottrell joined the ICR as Chief Information Officer (CIO) and tackled the IT issues head-on.  Jason designed a million-dollar improvement programme involving the onboarding of an MSSP (SmartTech247), implementation of new security controls (VMS, EDR & PAM), and a commitment from the Executive Board and the Board of Trustees to adopt a more security-aware culture.

Keeping Organization Safe and Staying Focused

Jason believes that the biggest challenge a CISO faces is framing security in terms that everyone in the company understands. Researchers by their very nature are inquisitive; they want to use data in novel and challenging ways. Information security needs to be agile enough to step in when required and to sink into the shadows when not. As the only dedicated InfoSec resource, one of the biggest challenges Jason faced on joining the ICR was keeping the organization safe; deciding which battles to fight and which to avoid, and staying focused on what was important strategically and operationally.

Key Hallmarks for Every Technology Leader

According to Jason some of the key attributes of the technology leader includes:

• Willingness to listen more than they talk. To ask the right questions and listen to the answers.
• Breadth and depth of knowledge, experience in several areas allow one to see a problem from several viewpoints. This is especially important in security which has such a wide remit.
• Making decisions based on the information given at the time but be prepared to pivot when new information comes to light.
• Having all the answers is not necessary but one must know where to find them.
• Trust your team and their experience.

Embedding Good Cyber Hygiene

Jason believes we are entering a new epoch where information is at the heart of modern life. Good cyber hygiene should be expected in every digital interaction.  This is especially true at the ICR where information is crucial in everything the company does.  Embedding good cyber hygiene, not just at work but throughout their digital life, is Jason's current goal. The challenge here isn't so much technological as human nature.  Citing cyber security as the "health and safety of data" and minimal security controls as "cyber-hygiene" gives people a human frame of reference.  They are less likely to develop workarounds and more willing to accept necessary controls.  Terms such as confidentiality, integrity and availability are still useful but need to be backed up with clear examples.  A hacker stealing data is easy for researchers to understand but they may not see the danger if they are intending to share the data anyway.  Explaining that a hacker could corrupt their data without them knowing, and subsequently publishing their research based on this data, is much more impactful.

Cloud-based Malware Protection with AI and Behaviour Analytics

With security breaches hitting the headlines so often and cybersecurity being discussed at the board level, leaders are finally grasping just how crucial it is to get security right. AI, automation, cloud computing, and big data are coming together to tackle information security. Solutions such as CrowdStrike Falcon provide cloud-based malware protection with AI and behaviour analytics. Basically, it is like stopping malware based on its bad behaviour rather than what it looks like.

The board finds it harder to assess risk due to the variety of ways its staff may interact with data. Using measurements such as impact and likelihood becomes almost meaningless. It's accepted that any company will be subject to a data breach at some point in time. This could damage the company's reputation to the degree that it cannot recover or it may just be nothing. So what is the level of cyber risk if a breach is definitely going to happen and it could conceivably critically disrupt the organization's ability to function? This is the challenge the CISO faces; to articulate the risk and present actionable ways to reduce it to acceptable levels.

People don't appreciate how IoT opens them up to additional risk. It's very easy, perhaps too easy, to add a new web-aware appliance to your home network. As a CISO one should think about the consequences. It is not that one shouldn't use a shiny internet webcam to monitor their house when they are away. Just that people should consider whether others could access the feed when they are at home.

Framing Security into Every-Day Life

Jason opines that AI and behaviour analytics together with the MITRE ATT&CK framework is capable of blocking a large number of threats. However, hackers have a knack for getting around security controls thanks to the human factor and their inherent laziness. Humans will always gravitate to the path of least resistance whether it's writing their password on a post-it or using a 4-digit PIN on their phone. Security in the future needs to be simple to the degree that it's more effort to bypass. This means baking security into everyday life so it becomes second nature.

The level of protection or security will be raised across the board with the number of systems that are connected and sensitivity of data stored, no other choice but to give it the strongest protections that it can. Advances in quantum computing raise some interesting challenges for security in the not-too-distant future.

Word of Wisdom to Emerging Security Leaders

It is advisable for everyone to always own mistakes, learn from them and move on, and encourage others to do the same.

• Be prepared to eat, sleep, and work security. It will take over life.
• Get a range of security-related experiences such as governance, training, risk management, audit, networking, and operations. A position on a service desk could be a good foot-in-the-door.
• Fill in knowledge gaps with training, the BCS Foundation Certificate in Information Security Management Principles is a good start. There are also good free resources available online.
• Study for the CISSP exam and work towards full membership of the ISC². It gives a good indication of the width and depth of knowledge required.
• Contribute to one of the many infosec forums.
• Volunteer to be a security champion at your company.
• Propose new security initiatives and show how they can reduce cyber risk and ultimately save money.

Covid-19 Crisis

The ICR, like many research organizations, has been hit by cuts to its fundraising income and grants from other charities. The ICR had to pause much of its work during the initial lockdown and is now running a major fundraising appeal to help kick-start its research and make up for the estimated 17 months lost time.