Jules Quenet, CISO at the University of Rennes: “We need to create genuine collaboration between CISOs in higher education.”

The University of Rennes, located at the heart of the Brittany region in France, is a public institution with over 37,000 students and 4,500 staff, 34 research laboratories and six top schools. How do you manage the security of such a large IT estate? What are the key skills required to fulfill this mission? Jules Quenet, University CISO, shares with us the challenges he faces in his organization and his thoughts on the next challenges facing universities.

What threats do universities face?

Jules Quenet: Our universities face all kinds of threats, from ransomware and data theft to phishing… Attackers often try to hack into university accounts to retrieve information from research laboratories, or HR data on students or staff.

Higher education and research are particularly targeted, with the threat increasing from 2022-2023.

Why do you think the sector is a prime target?

J.Q: Research laboratories can hold sensitive information and therefore be targets for espionage by other states. And as far as ransomware is concerned, I think the reason is the same as for hospitals or other public establishments: attackers see a vulnerability there, so they pounce on it. It’s a totally opportunistic approach.

Is a strict cybersecurity policy compatible with the specific needs of students and teacher-researchers?

J.Q: Universities are all about sharing and opening up data. Researchers are very free in the way they work. And this vision of things is sometimes at odds with cybersecurity needs.

So we have to explain to some researchers why the IT tools we make available to them are not as open as they would like. They’re in a professional environment that involves security constraints. They are not the only ones to use the IS, and the challenge is to make them understand that these efforts are necessary to protect their personal and professional data, as well as that of their colleagues. Indeed, in our interconnected networks, one person’s risk-taking has an impact on the security of others.

Have you set up specific tools to secure your information system?

J.Q: We took part in France Relance’s cybersecurity plan. At the end of this plan, the ANSSI (national information systems security agency) recommended that we set up an EDR. This fitted in well with our cyber roadmap for improving workstation and server security. Indeed, if the attacker starts to penetrate the servers, the task becomes more complicated… So the earlier we detect, the better, and the better equipped we are, the easier it is.

Did you encounter any difficulties in defending your EDR project? How did you convince people despite the substantial budget?

J.Q: The university’s governance team has a very good grasp of security issues, and the fact that the EDR is a recommendation of the ANSSI-led security plan was a strong argument. After that, you have to do a bit of educating, and adapt your message a little, of course, but we had no trouble getting the project accepted.

You talk about pedagogy and knowing how to adapt one’s speech. Is this one of the essential skills of a good CISO today?

J.Q: Yes, to be a CISO today, you have to be a good communicator and know how to adapt to the challenges of different professions. The new generation of CISOs is much less focused on technical aspects, and more on organization and management.

As a CISO, I need to be able to understand what the technical teams are telling me in order to make a decision or issue an opinion. I also need to be able to communicate with governance to simplify and popularize the decisions we make. I also need to be able to explain to users the security measures that have been put in place.

So we need to understand the different issues at stake in order to apply safety measures while taking into account the constraints of each business.

Can you tell us a bit more about your background? How did you come to work as a CISO in higher education and research?

J.Q: Before university, I worked for the French Ministry of the Interior as a cybersecurity project manager. I worked in a department that supported prefectures, police academies and police stations in IS security. I worked on awareness-raising issues, and in particular set up a first-level audit for the Ministry of the Interior’s IT department. I also did a lot of monitoring, particularly of legal and regulatory aspects. There was no DPO in these departments yet, while the GDPR was being put in place.

I then joined the University of Rennes as PMO and project management assistant. After 2 years, the CISO who had been in post before me retired, and I was asked to apply to succeed him. It was a big challenge for me, as the scope to be managed was very large, but I seized the opportunity and was selected.

What advice would you give to CISOs just starting out?

J.Q: I’d say that you should always start by taking stock of your organization’s security situation, and don’t hesitate to enlist the help of an external service provider, for example. Ask yourself the following questions: what security measures are already in place? What are the major gaps? What can be done to remedy them?

For a large organization such as a university, a global audit can provide an IS mapping and identify major vulnerabilities. A thorough understanding of the existing situation will then enable you to launch your roadmap with the confidence of knowing you’ve hit the bull’s-eye.

I’d also advise you to take your time with cyber tools. Because when you start out, you want to put a lot of things in place, but after that you need to be able to exploit these tools properly and have the right teams in place to use them.

Finally, what do you see as the biggest cyber challenge of 2024 for universities?

J.Q: I think what’s essential is genuine cyber collaboration between institutions. We’re already doing this at the University of Rennes, because we’re part of a group of establishments. We communicate a lot with each other, and that’s a very good thing.

In France, this already exists to some extent with the days for CISOs in higher education, but I think we could go further. We need to exchange more with colleagues and work together to improve.
