Pri Alagoda breaks down the nuances of a CISO role and how it has evolved across the industry over the years. He dives into what information security truly means, the further education sector, and building risk capacity. Pri has over 28 years of experience in the technology industry, with 16 of those years focused on leading, designing and implementing comprehensive organisation wide security programs and transformation projects. He also has a successful track record of achieving and maintaining security certifications for businesses across numerous sectors. As a pragmatic security leader, his key personal aim is ensuring that the benefits and aspirations of enhanced cyber security be clearly understood at all levels of the organisation, not just at board level. Pri is a firm believer that robust security protection can be achieved whilst maximising budgetary efficiencies, and that fostering an organisation wide ethos of good security practices and improved cyber awareness can continually drive innovation and growth.
Transcript:
David Bloxham (00:00.685)
how are you today?
Pri Alagoda (00:02.59)
Very good, thank you David. How are you?
David Bloxham (00:04.617)
Yeah, I'm very well, very well today. So it's Wednesday today in the middle of April. I'm a big Arsenal fan. So it's a big football game. Oh, yeah, there we go. So we just talked about Arsenal all the way through this. You know, let's try not to talk about it. But for those who are listening around the world, Arsenal have probably got their biggest game over the last 20 years. So me and Pri may have our minds elsewhere, if you know what I mean. What's your prediction, Pri, for the game?
Pri Alagoda (00:11.786)
So am I, so am I. Oh goodness me. Let's try and forget what tonight's about for a little bit.
Pri Alagoda (00:31.766)
Indeed, indeed.
David Bloxham (00:34.457)
Because when it goes out, we'll know what the prediction is.
Pri Alagoda (00:37.674)
I hate predicting, but I want us to get our tactics right and just play to the best of our ability against City, which we don't usually do. So I'm hoping tonight's the night.
David Bloxham (00:47.729)
No, no, tonight's the night when everything, our stars are going to align. So yeah, let's, let's, let's hope so. So fingers crossed. So, so we'll know by the time this goes live, we'll know what happened and yeah, good stuff. But so, so just to kind of introduce yourself, Pri, and we've got Pri here for our listeners. So we'll see Pri is the Chief Information Security Officer or CISO of Nottingham Trent University, one of the UK's premier kind of educational
Pri Alagoda (00:52.747)
Yes.
Pri Alagoda (00:59.126)
No, no, no.
David Bloxham (01:16.397)
further education and establishment. 28 years experience in the IT industry, which is pretty much the same as my experience in the recruitment industry, so we're old hands at this type of thing. And we've been speaking to Pri as part of, you know, GCS now has a cyber division, so that cyber division is very much focused around cyber security, the types of roles within cyber security and the types of projects and technologies.
that are being rolled out within this space. And it's something we've always done, but in the last three months, we've really solidified that and made it a part of GCS. And I was just saying to Pri before, it's really going great guns. The demand out there is...
is huge for these types of products. And it's not really surprising because obviously, we know how important and how much in the news that is. So I think that's something that we'll really talk to about with Pri and I know he's keen to talk about that rather than us and I'm sure. But Pri, do you wanna just take, I mean, I think the key role, the key question for me, and maybe for our listeners, is just to kind of find out a little bit about your role and also your kind of take just overview really of what a CISO does and what they bring to an organization.
Pri Alagoda (02:35.33)
Yeah, sure. Thanks, David, and thank you for having me on. It's a pleasure to be here. Take my mind away from things. But yeah, so a CISO's role, I think it's important to, I suppose, quantify it as a role that's very different based on the institutions that you may work for and also within the sector that you're in. It can be many things to many people, but at the same time,
David Bloxham (02:38.711)
No problem. Take your mind away from things, Pri.
Pri Alagoda (03:06.138)
the core element of your role is being primarily and ultimately responsible for cybersecurity, information security within an institution, being accountable for keeping that institution safe from cyber threats. The makeup of the role can be very dependent on the type of institution you work for, as I said. So again, some CISOs are, you know, they have a hand in pretty much everything.
depending on the size of the institution. Our institution is particularly large, so I tend to focus on the security roadmap, the strategic side of security, information assurance. I have some oversight of operational security as well, but there are certainly technical teams who deal with that area more. My role is also to have that connection with the senior leadership team to explain.
what cybersecurity is and why we need to understand what threats the university face and what we're doing about that. So I think the CISO's role is wide, it's ever changing because I think as more people begin to understand the threats that are out there, they tend to look for senior leaders in that field to be able to come in. And usually it's about
sort of aligning all of the things that you do in security and trying to find the right balance in every area to ensure that you have that layered approach to security and ensuring that you have an institution that can remain as safe as it possibly can be. So, I think that's a really good point.
David Bloxham (04:48.185)
I guess the role of a CISO is quite universal, you know, so most organisations now will need one, although most organisations don't necessarily have one now, but obviously that demand is growing.
So you talk there about having kind of leaders within the within the, like leaders, like people are looking for leaders to take on these roles. What are the key kind of attributes would you say that a leader within information security should have? You know, this position that's a board level position. You know, what do you think people should look for when they're looking for someone to do this?
Pri Alagoda (05:26.154)
Yeah, it's a really good question. I think every single person in security, be it an analyst level or a senior level, comes into security with particular skill sets. So you might come from a technical background, you might come from a compliance background, you might have a mix of both, generally not so much the case, you tend to specialize in something and then you find a route into security. I think as a senior leader in...
in security. So if you're looking at those heads of security or CISOs, it's having a good grasp of most aspects of security. Now that doesn't mean that you have to be a specialist in absolutely everything, but you do have to have an understanding of a lot of the core areas because when you're in that role, you are expected to understand all of the different areas that make up
the risk profile of the organisation. So ultimately, a CISO's main strength is being able to assess the risk of an institution and then being able to do the right things in each individual area. Now, if you don't understand a particular area, it's very hard then to be fully versed in everything that the university is sort of trying to protect itself from. So I think from a skillset perspective, a CISO has to...
Pri Alagoda (06:51.382)
have a really good understanding of information assurance, information, technical security, even certifications, and what it takes to ensure third party assurance of an organization. All of those things do come into play. And I think you have to feel confident enough to be able to answer questions in a way that assures the people.
that you're speaking to at various levels. And I don't mean that just when you're talking to the senior leadership team, even if you're talking to, so take my institution, if I'm talking to students, academics, professional services, the leadership team, the vice chancellor, the COO, you have to be able to communicate and be versed enough to talk about many different areas.
David Bloxham (07:43.333)
I assume that one of the important things you talk there about communication and bringing this through, in the end, every single person is in the network. So that every single person is in the CISO's world is equally as important because anyone can cause an issue from the CEO down to the receptionist.
Pri Alagoda (08:07.334)
Yeah, agreed. Yeah. No, absolutely. And I think that's, that's one of the things that I try and emphasize in the work that we do around security awareness and, and training. It's about the role that everyone has to play. I think it's really important for that to be a constant in, in, in what a CISO has to, to kind of bring to an institution, making sure that it isn't just about, you know, and I have great teams around me.
but it's not just about your immediate teams and the technical teams. It's about everyone having a role to play because ultimately technology can only get you so far. It is really about the people and being able to rely on their ability to spot things and to be able to make sure that collectively you're keeping your institution safe.
David Bloxham (08:41.313)
Yeah.
David Bloxham (08:57.877)
And again, a couple of questions because it's such a new field. When people talk about information security versus the operational security, what is the key difference there? Because obviously, when we talk about the CISO, it's Chief Information Security Officer. So I would think that can cover the whole of security within the organization, but maybe not totally.
Pri Alagoda (09:24.202)
Yeah, so I mean, operational security, IT security, you could argue those are really at a technical level. You're talking about firewalls, you're talking about systems that protect your environment, your technology stack. So as an institution, NTU have always been really strong in technical security and operational security. And we have a real emphasis on that. Information security brings that as it's part of that. So information security is protection of all your information.
David Bloxham (09:53.945)
show.
Pri Alagoda (09:54.058)
be it in technical systems or across the institution. So we have data everywhere and data protection is a huge part of the university's makeup. So I look after information assurance as well within my role, which is establishing that we have the right protection measures and the right levels of governance around some of the things that we do. So yes, technical security is one part.
but information security is the overarching element.
David Bloxham (10:27.617)
Yeah, so they're kind of technical security is they're set up the kind of the IT platform to make sure that the platform itself on a day to day basis is secure, right? So you can't just no one can just rock up into the network and think, oh, cool. I'm in Nottingham Trent now, you know, the passwords are set up right. That the laptops can't just log on to the Wi-Fi router at willy nilly, if you know what I mean. That's but then so you have to kind of work with people to make sure that's.
Pri Alagoda (10:40.914)
Exactly. Yeah.
Pri Alagoda (10:46.655)
Exactly.
Pri Alagoda (10:52.114)
Exactly. All incredibly important stuff.
David Bloxham (10:57.037)
that's right, but then obviously you take it beyond that because there's a number of different areas that need to be secured, where we've strategized, etc. etc.
Pri Alagoda (11:06.27)
Yeah, I mean, exactly. So those technical areas of perimeter, perimeter controls, desktop servers, all of those systems being secure and ensuring that those are, as you say, secure enough for us to be able to protect against, you know, those cyber criminals who are trying to get in. So my role wouldn't go down to that granular level of establishing exactly how those control, but I would oversee and be able to obtain assurance from those teams.
that the right levels of controls are in place and we've got enough to be able to mitigate against the threats that are out there. So I would oversee that at that level.
David Bloxham (11:35.863)
Yeah.
David Bloxham (11:45.845)
And again, I guess that links into the processes of the finance team, making sure that they're following information security about bank details or the HR, that they're following information security details about holding visas and etc, etc, etc. There's a number of different principles and strategies that happen everywhere because everyone's handling information and you know, you need to follow the right process to keep that information secure.
Pri Alagoda (12:01.516)
Exactly.
Pri Alagoda (12:11.602)
Yeah, absolutely. And that's one of the other areas that I focus on a lot. Working with other departments, working with the departments that have those very specific roles to play in keeping the finance system secure, HR, obviously personal data, you know, making sure that they understand their responsibilities and they understand the threats. So it's very nuanced as well. So we do end up having, so my team end up speaking a lot
to a lot of these teams about the specific areas of their role where they can be more secure. So if we're talking to finance, we would be talking about things like business email compromise, where they would be targeted by very sophisticated criminals now who would know the people who are dealing with payments. And we wouldn't have those conversations with every department because it wouldn't be the right way to address the threats that we face as an institution. We have to understand the departments.
David Bloxham (12:53.911)
Yeah.
Pri Alagoda (13:07.958)
We have to understand the role that they play. And more importantly, we have to understand what they're trying to protect and what's valuable to the university. So understanding that, and again, it goes back to that role of what a CISO is. A CISO has to understand what the university's trying to protect and it has to know, a CISO has to know that before they can go ahead and actually work on establishing the right levels of protection for the university or be it any organization.
David Bloxham (13:15.522)
Yep.
David Bloxham (13:25.943)
Yeah.
David Bloxham (13:38.877)
And so you talked there, you worked in different industries, you've worked within the IT industry, in different areas, utilities, etc. So for you coming into the educational establishment and the educational sector, what do you see the key drivers are that a CISO needs to be aware of and how have you assessed that? How have you come in and said, right,
I understand this industry and this is how I'm going to deal with it.
Pri Alagoda (14:09.746)
Yeah, it's a brilliant question. It's one of the things that I really faced, you know, head on when I came to the institution. So, you know, someone who's worked in security for over 15, 16 years, I felt like, you know, I'd been through the, the, the various levels of understanding every aspect of security, you know, and enough to be able to understand what, what an institution this size would need. But then there was that element of understanding.
the DNA or what this institution was about and understanding then what didn't I know? And I think that's critical. I mean, for me coming from private sector into an institution, which was very different, establishing what those differences were, ultimately I'm a security leader. So I needed to be in a position where I was also understanding from a security perspective what I needed to look at.
at the institution, you know, look at what we did well, maybe work towards addressing any gaps if they were there. But at the same time, doing that in a way that I still understood what made this university unique. So for me, it was understanding things that were really different to working in private sector. The university works on a completely different annual schedule, so it doesn't work to the same sort of annual events that private sector institutions do because you've got things like clearing.
You've got things like open days, graduation. So those parts, the parts of the university that were different were the things that I needed to establish. The communities within the university are different. So you have obviously a large group of students. We have over 40,000 students. We have academics, we have researchers, we have professional services and they all have very different needs.
And now if you took that and sort of looked at a private sector institution, um, they have a very sort of specific group. I mean, you have your salespeople, you have your marketing, you have your HR, finance. We have all of those too, but then we have a lot of other groups as well. Um, and, and
David Bloxham (16:19.657)
Yeah, and I guess in a kind of in a university, you've kind of got a person who's internal within your system, but he's actually a customer, which is my daughter's at university at home and she's a customer, right, of Bournemouth University. You've got kind of customers who are in the system, right, so they have different expectations, I assume.
Pri Alagoda (16:37.31)
Yeah, and you know what, 10,000 starters and leavers every year. So if you think about that as a challenge, you know, one of the key areas of security is being able to adequately address your starters and leavers mechanisms. Our leavers don't actually leave, they remain as alumni for long periods of time. So we have to have a mechanism in place, yeah, to deal with that. There are various...
David Bloxham (16:41.661)
Yeah.
David Bloxham (16:55.737)
sure yeah change different accesses and that sort of thing
Pri Alagoda (17:03.926)
The other challenge is things that you've never encountered before in different institutions. We have things like, you know, like our Prevent duty where it's making sure that you, you know, you look at potential for someone to get drawn into online extremism, things like that. You don't, yeah, you don't encounter those in other sectors. So there are things that you have to learn and learn really quickly because ultimately you as a security lead, as I mentioned earlier, if you're a CISO,
David Bloxham (17:07.38)
Mm.
David Bloxham (17:20.495)
radicalization.
David Bloxham (17:25.624)
Yeah.
Pri Alagoda (17:33.398)
You have to know what all of your risks are, because you can't address everything at the same time, but you have to be able to be constantly risk assessing everything that you're trying to protect.
David Bloxham (17:46.285)
Did COVID make it more hard? Because obviously the education sector has changed and dramatically changed by COVID. I'm assuming that it must have been even more challenging.
Pri Alagoda (17:59.91)
It was, yeah. I mean, I joined in 2019, which in the world was very different back then. So what I came in to do was to, I mean, we as Nottingham Trent University have a very ambitious five year strategic plan. We want to be the most digitally sophisticated university in the country. And one of my briefs when I came in was to make sure that, you know, we go on that journey, but we do it securely, you know.
David Bloxham (18:06.562)
Yeah.
Pri Alagoda (18:29.502)
expanding our student experience, making sure that we look at the ways that we can give our students the best experience possible, but to do it securely. And when, obviously when the pandemic came along, we literally had to make sure that we could provide them with the means to obviously learn in a way that was very different to how we envisaged. So things did change. And what we were doing was to make sure that that was something that we could do.
but again do safely, which was slightly different to what I came in to do, but became, you know, the most important thing at the time.
David Bloxham (19:03.685)
Mm.
David Bloxham (19:09.453)
Yeah, yeah, no, I think it's, well, it's just, you know, it's, it must've been a kind of crazy, crazy kind of few years for you, you know. The challenges that you've, you've dealt with in the last kind of four, four years and obviously previous in your career, but kind of coming into this role.
What's your best ways of dealing with them? And this is what we always talk about with leaders, kind of deal with the challenges and kind of come through them successfully. So how do you deal with those and how do you kind of keep yourself calm and how do you keep your organization calm? Because I'm assuming that's part of what a CISO needs to do, right? It's okay, guys.
Pri Alagoda (19:51.783)
Yeah, I mean I think it is really important. I think if you're in the room and the CISO is panicking then you have a problem. So I try and make sure that I have as much information as possible. Obviously that's really important. When you ask the question of how do you
David Bloxham (19:59.749)
You should panic. Yeah.
Pri Alagoda (20:16.778)
you know, how do you address all of the things that are going on and find? I think you have to be resourceful and I think you have to be, you know, you have to be pragmatic. I mean, we had to make some really difficult decisions. As I say, risk assessing is really important. We knew that there were times when we can do absolutely everything that we wanted to do, but, you know, looking at things with a view on, right, so, you know, the difficult part is the challenge is what do you do?
do now versus what do you need the most kind of thing. I mean, those conversations were being had all the time. We were looking at ways where we could secure, better secure, if you like, the way that people logged into systems and accessed secure areas of the network, which, you know, we were a very campus driven organization. A lot of the, well, if not the majority of everyone worked on campus. And suddenly we weren't, you know, we weren't an institution where we had a...
quite a big mobile workforce and where we could sort of replicate some of what we did with the mobile workforce for the rest. We were a campus-based university and that's what we are. Even now our focus is on learning, teaching in person, you know, and that's what we are.
David Bloxham (21:32.361)
goes back to the point about having your customers right, your customers are part of your organisation because I know again my daughter's at university and I would not expect for the money that you're paying for the tuition for it to be a kind of an online hybrid type thing you know and there's obviously an educational conversation that's been ongoing since hasn't it you know.
Pri Alagoda (21:54.321)
Absolutely.
David Bloxham (21:54.817)
So it has to be campus, so you have to set it up in a certain way and you have very kind of set customer base that are very, very close to you, aren't they? You know, they're there.
Pri Alagoda (22:03.466)
Yeah and expectations are high. I mean we work in a crowded market, there are lots of competitors and similarly to competitiveness there is a lot of collaboration in the sector as well. So you know you do have very meaningful conversations with people who are going through the same things. Another key difference that I would suggest from private sector, you know within the higher education and further education sector you do work very collaboratively.
and when I joined as a SAID, the threat landscape was very different and it was at a time when we were just beginning to see some of those big threats and big cyber attacks against universities and that's, you know, that's evolved unfortunately over the last three or four years. We've seen more of those and one of the things that I've found is, thankfully, you know, we haven't had that touch wood but when we did, yeah.
David Bloxham (22:59.725)
Touch wood.
Pri Alagoda (23:01.154)
when we deal with organizations that have had those sort of cyber threats and attacks, you do have very kind of open and meaningful conversations about what they've done, what they've done since, and what they've done to address those threats. And you can really learn from those experiences and work together to make the sector more secure, which is...
David Bloxham (23:14.157)
Yeah.
Pri Alagoda (23:28.898)
very unique I think in terms of the different sectors I've worked in.
David Bloxham (23:35.017)
What excites you about cyber at the moment? What kind of innovations do you see coming down the line that you think will give the good guys the upper hand? I'm sure you see quite a lot, right? You're assessing new tools and new ways of working. What do you think the most exciting things are that are happening in the protection side?
Pri Alagoda (23:49.183)
Yeah.
Pri Alagoda (23:56.371)
But it's interesting because I think that there's always going to be new things that you see, that you think actually for our institution that would be an incredible kind of development if we could use that. I think the things that I'm seeing now are the things that both excite me and worry me. I think if you think about artificial intelligence and the things that are going on in the industry as a whole, those things are.
David Bloxham (24:17.973)
Mm.
Pri Alagoda (24:22.942)
a sort of seeping into security as well. So I'm on the one hand, I'll see how AI is potentially gonna cause more headaches for cybersecurity professionals because you can almost simulate attacks and things using AI and machine learning types. But then on the flip side of that, I see ways where it can help cybersecurity professionals to kind of...
David Bloxham (24:35.498)
Mm.
David Bloxham (24:39.201)
Yep.
Pri Alagoda (24:51.35)
be more prepared for those types of things. So I think there are things happening in the, within the industry and cybersecurity as a whole, which are both exciting and worrying in terms of what I see on the people side as well. So I think, tend to think of things more as a combination of technology and people, you know, that's where I go with security.
David Bloxham (25:14.553)
Thank you.
Pri Alagoda (25:18.13)
I'm excited by the things that are happening around trying to make cybersecurity more diverse, more accessible to people. You know, there's continuous discussions around the skills gap and everything that's going on there. But I think there's huge untapped markets, which we're seeing people become more aligned to. You work in that field and you're probably seeing that more. And I want that to be sort of the focus for us going forward as well.
David Bloxham (25:48.589)
because I guess there's quite an element of common sense. You know, obviously some highly technical things, you know, Python's software engineers and they're very much based around the language, but I'm assuming quite a lot of information security is around the good, common, practical sense of the ways that things should work so that it doesn't go wrong.
Pri Alagoda (26:10.962)
Yeah, absolutely. I think there's no silver bullets. No, no, no, no. I am. Yeah. It's you know what? It's about transparency. It's about making things more accessible. One of the things that I found when I arrived, not just here at most institutions, is if you make security accessible,
David Bloxham (26:15.317)
I'm not trying to dumb anything down, I'm just saying that I'm assuming that it, you know, wisdom.
David Bloxham (26:25.813)
Mm.
Pri Alagoda (26:39.894)
If you make security more meaningful to people, then they buy into the message. And I think a lot of times when security, when it doesn't work or when you find that people are, basically sort of saying, look, you're just making my life difficult. It's not working for me. It's about not explaining the why. And I find explaining the why is the most important thing sometimes.
David Bloxham (27:00.867)
Yeah.
Pri Alagoda (27:09.182)
Why are we investing in these technologies? Why are we investing in people to help better secure our institution? What are we trying to protect against? What do those threats look like? And as you explain that more and the narrative, and the narrative is very different in different institutions, like at the university, we hold regular workshops, we've built cyber awareness training modules, we do regular updates on social media and in newsrooms.
I write papers for the senior leadership team to understand what we're doing. And it's all about making it more accessible and making it more available to people to, to understand and hopefully take away into their private lives as well, because I'm a big believer in things being, if you can identify with things, not just in the workplace, but what you, what you do at home as well. Then I think it becomes more meaningful and you have more invested interest in, in understanding the message.
David Bloxham (28:03.989)
Yeah. And is that one of the key challenges that you face is that, and interestingly, more conversations I have around cyber and people are actually saying it, that people in cyber security, information security, they need to be aware of how the business works. They need to help the business, not hinder the business. You need to strike that balance. Is that one of the challenges that you face?
Pri Alagoda (28:23.062)
Yeah. Yeah. I think you have to understand and you have to be an enabler. I personally think that as soon as you're seen as an enabler and as someone who wants to understand why the business wants to do something and then being able to explain, because once you understand the institution and why they want to do certain things, so if I speak to our research teams, for example, and
David Bloxham (28:29.282)
Yep.
David Bloxham (28:39.801)
Yeah.
Pri Alagoda (28:50.53)
they want to collaborate, they want to work with other researchers. So, what's really important? Exactly. But if I can explain to them that you can still do that, but if we change a few things around that and make it more secure, you know, you're working in a better environment. And those are the kind of conversations that are more meaningful and easier to have if you're having a conversation around why we'd like to do it this way, rather than saying, well,
David Bloxham (28:53.521)
Yeah, which is obviously really important for scientific research, right? They have to, you know, yeah
David Bloxham (29:08.044)
Yeah, yeah.
Pri Alagoda (29:18.89)
you can't do it unless you do it this way and that's it, you know, and I'm not a fan of those types of conversations because they, they don't really get the end result you're after.
David Bloxham (29:21.198)
Yeah.
David Bloxham (29:28.149)
Yeah, I mean, that's to me kind of one of the innovations. You know, I think this is the importance of security is it kind of affects everyone, right? So for me, you know, the whole 2FA piece with like Face ID and it's been such a game changer. You know, if I think back to kind of the password era to now where, you know, we've got this authenticator app and you know, maybe I shouldn't say this to face security people, but you've got authenticator app, you use your Face ID, it lets you into your set tricks, et cetera, et cetera.
it works, it works quite well, it's quite easy, you know, and that's almost like, oh, that's cool, the way they've implemented there, it makes it much easier for me now, you know, is that, is that something you're constantly, you know, trying to achieve? Like, let's make it easier for people to be more secure.
Pri Alagoda (30:03.798)
Yeah.
Pri Alagoda (30:17.194)
Yeah, I think you have to try and make, I think you have to make it easier for people to understand the things that they can do to still stay secure, but not necessarily feel that they're doing something any different. And I think embedding it is the key. I think we spend a lot of time trying to ensure that security isn't a separate conversation. It's almost like a seamless conversation that happens within the context
David Bloxham (30:27.48)
Yeah.
Pri Alagoda (30:47.478)
project, you know, so for me, being involved in university wide projects, I mean, we're currently running some really big university wide projects around, for example, student data transformation and person centered design. Those are some really big projects that we're running that we don't get involved just as a sideline or an over, you know, or afterthought. We're involved from the start, from a security perspective, because we're trying to make sure.
David Bloxham (30:56.898)
Yeah.
David Bloxham (31:12.513)
Hm. Yeah.
Pri Alagoda (31:17.058)
the conversations around what they're trying to achieve in those projects are incorporating security at the very heart of it. So which makes it easier to have the things that we want to do embedded within the whole institution.
David Bloxham (31:33.301)
the whole piece. Yeah, we talk quite a lot. I mean, we also have some people that work on the kind of DevSecOps side, which is obviously similar, you know, kind of, you know, ongoing continuous development. But think about the security at the same time as you're developing it, you know, rather than having someone else doing the security at the end when you've done it to make sure that it's secure, you know, try and develop with security in mind. And hopefully that makes it easier for everyone, right?
Pri Alagoda (31:39.722)
Yep.
Pri Alagoda (31:48.658)
Exactly, yeah. Yeah.
Pri Alagoda (31:57.034)
Yeah, absolutely. And I think that that's absolutely true DevSecOps as well. You know, we speak with our developers a lot, you know, in terms of the work that they do and making sure that they understand the things that they can do from a security perspective. We are very committed to security within the technology team, so that's already something that's quite well embedded. What I tend to do is then try and make sure that those, the things that we do are
articulated in a way that it translates to what business value we gain as an institution by doing something a particular way. And that linkage, I think the joining up of the dots of all of the things that we do and all of what that translates to in terms of, you know, increasing our ability to protect against the things that we know are out there. That's another really important part of what I think I do when I have those.
David Bloxham (32:33.592)
Yeah.
David Bloxham (32:55.101)
Yeah, the value you're bringing. Yeah, yeah. As interesting you said about, you know, Nottingham Trent wants to be the most kind of, you know, the best digital enabled university, as a kind of grand, grand plan to have. And, you know, in terms of further education, you know, and in a competitive world, you know,
Pri Alagoda (32:56.266)
conversations. The value, yes.
David Bloxham (33:22.045)
Is that something that people are enthused by that they feel like this is something to kind of really kind of aim towards? And I guess that's the part of the leadership, right? You know, you have to show leadership to your team to say, this is where we're going for. This is the goal. Is that do you feel that's an important thing to have within an institution like yours?
Pri Alagoda (33:35.198)
Yeah. Yeah.
Pri Alagoda (33:39.754)
I think it really is. I think our sort of commitment to digital sophistication is not just about, you know, the latest and greatest technologies. You know, we invest a lot in technology. Don't get me wrong, we do. But it's not just about technology. It's about digital confidence. You know, it's about digital skills. It's about making sure that we have the ability to use the technology in the way that is intended.
We also talk a huge amount around using what we have to the best of its capability. And sometimes you don't tend to do that. You tend to find ways to work around the issues that you have with certain things and not actually use things to the best of the, like I mentioned student data. We have a lot of student data within the institution. Do we use it to the best of our ability? Well, we're running a whole program which is gonna run for years.
to ensure that we really emphasize how we do that. And that's all about digital sophistication. It's just utilizing what you already do, but in a more meaningful and sort of effective way, digital skills. So I mentioned we do a huge amount around cyber awareness. You know, we started with staff, we now do it for students as well. And we run.
David Bloxham (35:00.281)
because that's what you take home, right? It's like you said, like these are things to learn to take home and that's what you use throughout your world.
Pri Alagoda (35:02.414)
That's what you take home. Yeah. Yeah.
and digital confidence. We're trying to make sure that everyone is equipped to actually do their job in a way that utilizes technology to the best of its ability and best of your ability as well. So that whole digital sophistication piece is multifaceted and it's something that as a university, we're really trying our best to focus on as an institution.
David Bloxham (35:33.817)
So what are your main priorities as a cyber leader for this year? What are your main priorities for this year ahead?
Pri Alagoda (35:43.459)
Making sure we stay secure, out of the news, you know, those are always good things to start with. I think we've done a huge amount. We've done lots of things that I came in to do, but the journey never ends. We're looking actively at things like managed services to kind of emphasize the work that we already do and build on things that are our
David Bloxham (35:45.354)
Yeah.
Mm.
Pri Alagoda (36:09.006)
teams are able to do. We're looking at how we can, as I say, support some of the really big projects that are going on at the minute within the university. As I say, one of the things that I'm really, really focused on is that cybersecurity skills awareness and really embedding that even more within the institution. We do a huge amount of work around that already. But I think as...
the threats become more sophisticated, so do we have to as well. We have to really make sure that our people are equipped to deal with those threats as well. As a team, as I say, I mentioned it before, security is a team effort, so we're making sure that all of the teams are focused on the projects that are gonna bring us the most value. I think...
I think that's the key, you know, as an institution, there's always lots going on. You know, there's plenty of things that are going on at any given time. And I think we as a leadership group and certainly from a security perspective as well, it's about focusing on the things that give us the most value, you know, as a CISO, I saw an analogy.
the other day and I'll shamelessly steal it because it resonates to what we do. So I think being a CSO is like almost like trying to protect the institution from a zombie attack. You've got three planks to sort of protect ten doors and you're trying to make sure that you use the planks in the right place because there's always going to be areas that are exposed, but can you make sure that you protect the most important things? And that's always the challenge.
somewhere along the line, there'll be another door that breaks down and breaks open and you have to find a way to protect that. And I think what we're...
David Bloxham (38:04.815)
Yeah. It's kind of assessing that risk factor, isn't it? Which is the highest risk today.
Pri Alagoda (38:08.374)
Exactly, continuously assessing the risk factor, continuously making sure that we can react quickly enough to be able to work on something that can protect us more. So we're always on that journey.
David Bloxham (38:20.449)
Yeah.
David Bloxham (38:26.574)
I'm going to ask you this because obviously this is quite interesting to me, but can it sometimes be quite scary being a CISO? You see stuff and you're like, well, we dodged that bullet or something. You're like, do you see, you wouldn't obviously tell me what those things are, but from your experience in the industry, you say stuff that would make my hair curl type thing.
Pri Alagoda (38:39.158)
Hahaha
Pri Alagoda (38:46.602)
Now, I didn't have these gray hairs before. Yeah, definitely every day, every day. I mean, it's what it's like I said before, um, and I'm being brutally honest with you. If you can't protect your institution from every, everything. Um, a lot of the conversations we have when we run, um, cyber incident desktop exercises, I run those with the senior teams. Um, we always take that view that it's.
a when, not if, you know, because of the sheer volume of threats and we have become a targeted sector. You know, when I joined, as I say, in 2019, there was still, it was still a little bit of an unknown, why is the CISO here? What are they meant to do? Because, you know, as a sector, we weren't really sure what the threats were, but that's changed, you know.
David Bloxham (39:42.357)
Yeah, when as digitally enabled, I would suggest, not quite so, you know, everything's floating through the ether nets, it's, you know.
Pri Alagoda (39:51.514)
Exactly, yeah. And some of it has come about organically. In an unfortunate way, the threats have really hit home and caused a number of institutions significant pain. And we've witnessed that and we feel that pain. So when my bosses, when they go out and speak to other leaders, they will talk about being impacted during an exam period or being impacted during clearing. You know, I mean, clearing for us is a massive...
week of activity, you know, if the worst happened in that period. And I do a huge amount of work with the teams around that period about what we do to secure our systems.
David Bloxham (40:23.041)
Yeah.
David Bloxham (40:30.889)
everywhere yeah any any kind of like you said starters and leavers we start some leavers in a week right you know
Pri Alagoda (40:36.178)
Yeah, so I mean, those are really big impact things that, you know, as a CISO, it keeps you awake at night. I mean, come clearing, you know, it's a pretty, you know, intense period. And but for different reasons for me, but on an ongoing basis, you see the things that are impacting other institutions like yourselves and otherwise, you know, and, you know, there but for the grace of God, you know, you kind of see data breaches.
those two and you almost have to work in a way that those things can't scale to the point where you can't, because you can't boil the ocean, you can't fix everything straight away, you have to address the things that are more meaningful for you as an institution to address and then the other things you have to mitigate in the best way possible and come back to them.
David Bloxham (41:15.481)
Just can't move. Yeah, yeah.
David Bloxham (41:21.105)
Mm.
David Bloxham (41:26.882)
Yeah.
David Bloxham (41:32.833)
Yeah, and make the bones searching.
Pri Alagoda (41:34.134)
you know, and that's the way we work. Budgets are what they are, resources are what they are. You know what the sector is in terms of the availability of certain skill sets. So with all of those restrictions, but having that responsibility, and ultimately my role is to protect this institution. I take that really seriously. I still have to work in a way that I can still function because if I thought about everything that...
David Bloxham (41:42.649)
Mm.
David Bloxham (41:56.791)
Yeah.
David Bloxham (42:00.526)
Mm.
Pri Alagoda (42:02.682)
is out there that could potentially get to us, then you know, I wouldn't be able to function.
David Bloxham (42:10.518)
Yeah, exactly. And like I think you said quite well, if the CSO is panicking, then you better start panicking. Well, it's been a great conversation. You know, it's been really, really good to speak to you, Pri, and you know, I really appreciate your time and also your candor with these types of things. I think it's useful for our kind of listeners and subscribers to hear. But, you know, from my side, you know, I do...
Pri Alagoda (42:16.422)
Yeah, very interesting.
David Bloxham (42:35.469)
Thank you very much for talking to us. Wish you well, you know, keep NTU safe and Yeah, hopefully we can kind of talk again in the future. So yeah, and hopefully Hopefully when this goes live you and me will have Celebrated a famous Arsenal victory this evening, but maybe not Good stuff. Thank you. Cheers. Thank you
Pri Alagoda (42:38.943)
Thank you.
Pri Alagoda (42:45.994)
Yeah, brilliant. No, I've enjoyed it. Yeah, hopefully you did.
Pri Alagoda (42:52.766)
Let's hope so. Yeah. Let's hope. Thank you, David. I've enjoyed it too. Thank you very much for having me.