Is research security just about cyber security?

When we talk about research security, we sometimes encounter the misconception that what we are really talking about is cyber security. 

Certainly cyber security is important for the security of research, as it is when we are looking at securing innovative technologies, or investment in these areas.

However, to be really effective, an organisation’s approach to security needs to be holistic, encompassing the full range of threats to the security of research and innovation. Some of those threats are cyber-enabled, but others are not. 

What is more, adversaries will follow the path of least resistance in their attempts to steal or subvert research activities and intellectual property. Restricting research security to the cyber domain is only protecting against some of the possible threat vectors.

Recognising the need for a holistic approach is one thing. Implementing it can be very challenging. In many organisations, the security function will be relatively underdeveloped, or situated within one part of the bureaucracy. Security being the responsibility of the IT department is one reason why research security is sometimes conflated with cyber security. 

This creates a challenge, because a genuinely holistic approach to research security requires something that can be difficult for any organisation: it requires changes in culture and practices. 

Having secure IT systems is important, just as it matters that research be conducted in an environment with appropriate physical security controls to ensure that research data and intellectual property cannot be stolen or modified by an intruder. Yet the effectiveness of these controls also depends on the members of an organisation being aware of security threats and adopting appropriate and proportionate security behaviours. 

Effecting that kind of cultural change requires buy-in from every member of the organisation. It also requires changes that might encounter bureaucratic resistance, meaning that there has to be support from senior leadership. For both these reasons, presenting research security as a narrow issue of cyber security is not just inaccurate – it is unhelpful. 

Implementing the appropriate cyber, physical, and information controls, and building a culture of security awareness within an organisation, can be a challenging task. Limiting your efforts to cyber security alone is making an already difficult task even harder.