The Institute of Cancer Research (ICR) is a public research institute and a member institution of the University of London, specializing in oncology. The ICR is a leading academic institution in the UK and has been carrying out world-leading research into the causes of cancer, and how it might be treated or prevented, for more than 100 years. The ICR was the first to provide evidence that DNA damage causes cancer and has discovered more new cancer drugs than any other academic centre in the world. In partnership with The Royal Marsden hospital, the ICR provides a unique bench-to-bedside approach to making the discoveries that defeat cancer.
Jason Halls, the Chief Information Security Officer (CISO) at The Institute of Cancer Research, is a qualified software engineer and holds several security certifications. He is a fellow of the Chartered Management Institute and the Institute of Analysts and Programmers. He has been entrenched in secure environments since the mid-90s, when he worked on software to detect submarines. After completing his Master's in Artificial Intelligence he joined one of the UK Intelligence Services to develop messaging systems that were critical to the UK's national security. Here his endeavours not only opened up new ways of working but also accelerated the dissemination of crucial information from days to minutes. This was achieved whilst meeting and surpassing some of the world's strictest security requirements. Almost two decades later he left to broaden his experience outside of the rigid confines of the intelligence community. Moving to the private sector made him appreciate that security is a negotiation, not an edict.
Joining the ICR gave Jason an opportunity to contribute to a great cause and to own information security at a world-class organisation that is a charity, a research institute and a university with PhD and MSc students. This provides unique challenges, where information security must be appropriate to the company, its staff, and the data it handles. It must secure medical data and intellectual property whilst giving staff the flexibility and freedom to carry out their research with the minimum of distraction. Getting this balance right whilst providing a strong foundation of security is at the heart of his work.
Jason has seen how poor leadership and slavish adherence to security can paralyze a company – where it cannot perform its main function due to the restrictions security puts in place. He was determined that this would not happen at the ICR and that security would be seen as an enabler, not a hindrance. On the day he joined the ICR he attended a forum for IT and researchers to discuss new initiatives. One of these was a set of screensavers commissioned by IT that would display basic infosec awareness messages (such as "don't share your passwords") when the screen locked. One researcher objected to its introduction because it could distract their train of thought and potentially lose something that could defeat cancer. This exchange gave Jason valuable insight into the company.
In 2019, Adrian Cottrell joined the ICR as Chief Information Officer (CIO) and tackled the IT issues head-on. Jason designed a million-dollar improvement programme involving the onboarding of an MSSP (SmartTech247), implementation of new security controls (VMS, EDR & PAM), and a commitment from the Executive Board and the Board of Trustees to adopt a more security-aware culture.
Jason believes that the biggest challenge a CISO faces is framing security in terms that everyone in the company understands. Researchers by their very nature are inquisitive; they want to use data in novel and challenging ways. Information security needs to be agile enough to step in when required and to sink into the shadows when not. As the only dedicated InfoSec resource, one of the biggest challenges Jason faced on joining the ICR was keeping the organization safe; deciding which battles to fight and which to avoid, and staying focused on what was important strategically and operationally.
According to Jason, some of the key attributes of a technology leader include:
Jason believes we are entering a new epoch where information is at the heart of modern life. Good cyber hygiene should be expected in every digital interaction. This is especially true at the ICR, where information is crucial in everything the company does. Embedding good cyber hygiene, not just at work but throughout staff's digital lives, is Jason's current goal. The challenge here isn't so much technological as human nature. Describing cyber security as the "health and safety of data" and minimal security controls as "cyber-hygiene" gives people a human frame of reference. They are less likely to develop workarounds and more willing to accept necessary controls. Terms such as confidentiality, integrity and availability are still useful but need to be backed up with clear examples. A hacker stealing data is easy for researchers to understand, but they may not see the danger if they are intending to share the data anyway. Explaining that a hacker could corrupt their data without them knowing, and that they might then publish research based on that corrupted data, is much more impactful.
With security breaches hitting the headlines so often and cybersecurity being discussed at the board level, leaders are finally grasping just how crucial it is to get security right. AI, automation, cloud computing, and big data are coming together to tackle information security. Solutions such as CrowdStrike Falcon provide cloud-based malware protection with AI and behaviour analytics. Basically, it is like stopping malware based on its bad behaviour rather than what it looks like.
The board finds it harder to assess risk due to the variety of ways its staff may interact with data. Using measurements such as impact and likelihood becomes almost meaningless. It's accepted that any company will be subject to a data breach at some point in time. This could damage the company's reputation to the degree that it cannot recover or it may just be nothing. So what is the level of cyber risk if a breach is definitely going to happen and it could conceivably critically disrupt the organization's ability to function? This is the challenge the CISO faces; to articulate the risk and present actionable ways to reduce it to acceptable levels.
People don't appreciate how IoT opens them up to additional risk. It's very easy, perhaps too easy, to add a new web-aware appliance to your home network. As a CISO one should think about the consequences. It is not that one shouldn't use a shiny internet webcam to monitor their house when they are away. Just that people should consider whether others could access the feed when they are at home.
Jason opines that AI and behaviour analytics, together with the MITRE ATT&CK framework, are capable of blocking a large number of threats. However, hackers have a knack for getting around security controls thanks to the human factor and people's inherent laziness. Humans will always gravitate to the path of least resistance, whether it's writing their password on a post-it or using a 4-digit PIN on their phone. Security in the future needs to be so simple that it takes more effort to bypass it than to comply. This means baking security into everyday life so it becomes second nature.
The level of protection will have to be raised across the board: given the number of systems that are connected and the sensitivity of the data they store, there is no choice but to give that data the strongest protection possible. Advances in quantum computing raise some interesting challenges for security in the not-too-distant future.
It is advisable for everyone to always own mistakes, learn from them and move on, and encourage others to do the same.
The ICR, like many research organizations, has been hit by cuts to its fundraising income and grants from other charities. The ICR had to pause much of its work during the initial lockdown and is now running a major fundraising appeal to help kick-start its research and make up for the estimated 17 months lost time.