CyPro performed a cyber security benchmarking exercise across UK Universities and Higher Education sector to understand how institutions are approaching cyber security differently in 2024 – 2025.
The Challenge
There are a number of “cyber security surveys” issued each year to cyber leaders across UK Universities. They tend to focus on attempts to benchmark control effectiveness or maturity. Unfortunately, due to the methodologies they employ, at CyPro we believe these to be highly limited and not overly insightful. The problem is that these existing exercises are:
- Survey Based – performed via offline surveys and so the questions are always open to misinterpretation – everyone has different definitions for different terms and concepts
- Flawed Methodology – often they use a RAG (Red/Amber/Green) for each control status but each organisation has a different way of reporting (with again, different definitions) of these – they are not directly comparable across different Universities
- Without Context – asking “do you have a Security Operations Centre?” with an answer of Yes/No, or a rating on a scale of 1-5, just doesn’t work. It is entirely without context. No two SOCs are the same and the format for responding to these questions doesn’t allow for this context to be captured.
The Solution
At best, these exercises are a waste of time and at worst, they produce a false sense of comparison from which Universities could be drawing dangerous and incorrect conclusions.
Consequently, we decided to conduct our own benchmarking exercise across the higher education sector and to do it differently.
Instead of repeating the same old surveys that are issued time and time again, the aim of this research report was not to compare security control maturity, but to investigate how UK Universities are structuring, funding and resourcing their cyber security teams and functions.
Methodology
We did this with the support of the University of Southampton and PTS Consulting, engaging a total of 22 UK Universities across the breadth of the United Kingdom with a good spread of small, medium and large institutions.
- The research was conducted in July 2024 and the report issued in August.
- For information security and confidentiality reasons, the individual identities of the participating Universities have been kept anonymous.
- Each University had at least one 30 minute call with a cyber security expert at CyPro. A detailed discussion was held to capture the data points and the answers to the questions being asked. This allowed any organisation-specific context to be captured as we went.
- Minutes were issued after each session and sent back to the participants to ensure the accuracy of the data captured.
- Further conversations were held (where necessary) to dig deeper in the subject matter.
- Updates to the data were made where changes were required from feedback from participants. Each time updates were made, the data was replayed back to participants for validation.
Research Topics
The research covered the following areas:
- Data Breaches: which Universities have had a public security incident in recent years? Are there any correlations between who has or has not been breached?
- Certifications: which cyber security certifications (ISO27001, Cyber Essentials, PCI DSS, etc.) were the most popular and what types of University have implemented which accreditations?
- Microsoft Licensing: which Universities had the more capable A5 licensing and which were on the A1 or A3 licenses? How did this affect the cyber security capabilities that could be provided?
- Cyber Insurance: were UK Universities seeking and paying for cyber insurance?
- Cyber Leader: who was leading the cyber security function, what was the role title and remit of their role? How senior was the leader and who did they report into?
- Size of Cyber Function: how big was the cyber security team and how did this compare across different Universities? Were there correlations between those who had a data breach and the size of team they now had?
- Headcount Growth: what were the growth plans for different Universities and by how much did they intend on growing their teams? How did these growth plans change across different types of University?
- Operating Model: what was the functional position of the cyber team (where did they sit organisationally)? Which lines of defence did the cyber security function fulfil?
- Security Remit: what was the scope of responsibility for the cyber security team? Was it information security and data privacy? What about business continuity and disaster recovery? Physical security?
- SecOps Model: did Universities have an established Security Operations Centre (SOC) and was this in-house or outsourced or co-sourced? Did they operate an out of hours capability?
- IDAM Tooling: which types of Identity and Access Management solution were being employed? Did they have a Privileged Access Management tool or Identity Governance tool deployed?
- Areas of Transformation: what were the strategic areas of focus for the cyber security function for the next year or two?
Key Insights
These can be found throughout and summarised at the back of the report. Please download the report today (completely free and no email needed) – any questions please get in touch with us.