How to be a more secure organisation? Start at home

In a new epoch of competition over research and technological innovation, organisations that did not previously have to consider security are asking how they can be more secure. Similarly, the security of intellectual property and research data is increasingly a factor when investors and funders make decisions.

What are the first steps that organisations unfamiliar with security can take to make themselves more secure? In this brief, we outline one place to start: at home.

When we talk about security, the focus will often be on the adversary: the individuals and organisations that we suspect mean to subvert research collaboration, steal intellectual property, or undermine the value of an investment. Because these groups act with varying degrees of secrecy, we understand that learning about their activities is challenging.

However, this focus on the adversary can distract attention from the importance of understanding the organisation that we want to protect. It can also mean that we underestimate how challenging it can be to develop a current understanding of an organisation’s activities. 

Perhaps the biggest challenge for many organisations engaged in research or technological innovation is to develop a sufficiently comprehensive and current understanding of their own activities, assets, and vulnerabilities.

For universities and other academic institutions, this involves developing situational awareness about research projects and studies, the activities of researchers, foreign travel, external partnerships and collaboration, and more. 

Start-ups face similar challenges, now more than ever in the hybrid or remote working world where geographically dispersed teams co-operatively create new systems and technologies at pace. 

Keeping track of all this activity is a difficult task. Moreover, there is a risk that controls and processes introduced to gain this level of visibility will undermine research and innovation. Asking your team members to document every interaction with external collaborators, for example, introduces a bureaucratic overhead. It also changes the organisational culture in ways that may be counterproductive if people come to feel that they are not trusted. 

Balancing the need for internal visibility with the downsides of greater monitoring is a challenging task and one that many organisations fail to achieve. However, it is a prerequisite for developing a secure environment for research and innovation. 

As we noted in a previous briefing, organisations have a home field advantage when it comes to security. You should understand your own organisation better than the adversary does. Developing the processes and culture that enable this level of understanding can be challenging (and it helps to start early), but done right it can be a key enabler of security.
