The Francis Crick Institute is the biggest biomedical research facility in Europe and aims to tackle the most pressing health concerns of the 21st century.
The institute is home to 1,250 scientists and 250 support staff, and is the result of several universities and charities joining forces and merging CRUK’s London Research Institute (LRI) and the MRC National Institute of Medical Research (NIMR).
Last year, NS Tech found out how important technology was to the organisation, with the Crick requiring a state-of-the-art IT infrastructure to enable world-leading scientific research. At the time, CIO Alison Davis was tasked with ensuring the technology was up to scratch, as it provides the backbone that enables scientific researchers to innovate and produce high-quality research. Back in May she explained how the Crick was using machine learning to speed up scientific research.
Davis has since moved on, and the organisation took the decision to change the role to an IT director position.
“Alison was in charge of a vast army of IT, but as we’re a scientific organisation, the scientific computing element of that now sits under a science and tech platform, and the core IT now sits under the IT director which is a change of title, in a compressed role,” Francis Crick’s chief security officer (CSO) David Clark says at the recent Cyber Security Connect UK event in Monaco.
Clark works in partnership with the new IT director on security risk mitigation.
“We have an enterprise security risk management programme, where [the security team] takes a very holistic approach to how we manage all of our threats to the organisation including the physical side, cyber side and reputational risk, and that’s my responsibility,” he says.
Clark joined the organisation at the end of 2014, two years prior to the Crick being officially opened by the Queen, and he believes this was a masterstroke by those who hired him as he had time to come up with a suitable strategy.
“It was a great move by the Crick as they brought me in two years before, although this was partly because of delays in construction. It gave me an opportunity to plan and prepare for a security risk management programme which was a rare opportunity and one of the things that attracted me to the job, as I could carve my own design on the enterprise security risk management package as opposed to having to pick up where someone else has left off,” he says.
Having said that, a lot of the strategy was based on guesswork, according to Clark, as it was a new organisation with a new building and a coming together of numerous research institutes that had varying degrees of security management in place.
“Some of these practices were good, some bad, but certainly three different approaches, so stripping that back and starting with a new one is done with best guess and I didn’t know how it was going to work as we had nothing to benchmark against,” he says.
However, the time Clark had to strategise paid dividends, as he says he got about 80 per cent of the strategy right.
“We’ve turned it into what we call an optimisation phase now, so 80 per cent of it is on point and the remaining 20 per cent we are tweaking and rearranging it to make it more suitable for the organisation and that will take us to the end of 2019. The optimisation piece is where we’re further enhancing and developing our security strategy – the third part of our programme is operational excellence for 2020,” he states.
The Crick faces threats like any other organisation but the perpetrators can come in many different forms, including animal rights and pro-life activists who oppose the Crick’s animal testing and embryonic stem cell research.
In addition, the organisation has a high-containment facility that holds high-risk packages and toxins.
The advantage for Clark and his team is that the UK government and police forces take the Crick’s security very seriously.
“This empowers me to have a lot of leverage when it comes to implementing a lot of our security programme. The disadvantage is they audit us and check us on a regular basis, so we have to spend a lot of time responding to audit requirements. But we have to protect this; it’s part of managing our safety and security of our organisation. Ultimately it protects the UK, because if something bad happens to our institute, there’s going to be a considerable impact,” he says.
As CSO, Clark is in the unique position of managing both physical and cyber security. He envisages that many more companies will combine these roles, and that the traditional physical CSO will be gone in the next five to ten years. Without a cyber security background himself, he believes that what’s more important is to have a holistic, top-level strategic overview of both physical and cyber risk.
“I don’t have to be super tech savvy, I have well qualified cyber security guys who will be implementing risk solutions for me, and I can look at things from a strategic approach,” he says.