Assessing protective security maturity for a university spin-out
Executive summary
This brief explores an anonymised case study based on a protective security assessment conducted on a UK university spin-out working with sensitive and export-controlled technologies.
The company had strong but highly personalised cyber security controls, reflecting its academic origins; broader protective security controls required further development.
The leadership recognised the importance of security for the company’s commercial growth and development, particularly in relations with potential investors.
Case description
This case concerns a university spin-out seeking to commercialise the results of multiple years of academic research. The company’s core offering centred on a combination of innovative hardware and proprietary software. The company had patents and was applying for their recognition in other markets.
The company’s offering fell within the 17 sensitive sectors of the economy originally identified under the UK’s National Security and Investment Act. Aspects of the company’s offering were also subject to export control.
Its leadership recognised that this made the company a target for state and criminal threat actors. Significantly, the company’s founders were familiar with these risks from their time in academia - highlighting that there are continuities as well as changes as researchers move from university into the commercial sector.
Security assessment
We conducted a holistic assessment of the company’s protective security posture. This assessment covered the full spectrum of security considerations, ranging from governance and culture, through cyber and physical security, to consideration of the company’s controls around partnerships and international expansion.
The assessment’s findings were typical of small university spin-outs. Aspects of technical security were well-developed but highly personalised, reflecting development over a long period by a small team of highly technical individuals. The company’s enterprise IT estate was small and dependent on personal accounts.
This is common among academic teams, but is less suitable for commercial organisations planning rapid expansion. Security controls that depend on technical expertise do not scale well as organisations bring on a wider mix of staff.
The focus on technical cyber security measures also obscured broader gaps in the company’s approach to protective security. Security governance was highly personalised to the leadership team, with little in the way of documentation.
Key stakeholders evinced awareness of non-cyber security threat vectors including espionage, adversarial capital, and influence activities. However, processes and controls to mitigate these threats were not formalised, depending on tacit knowledge within the organisation. With the company planning to expand and become more commercially focused, this argued for establishing a secure baseline in documented policy and process.
The value of security
The company leadership recognised the importance of security at multiple levels. There was a recognition that the loss of core intellectual property would pose an existential risk for the company, underlining the importance of an asset-centric strategy for protective security.
The leadership also appreciated that the sensitive nature of their work mandated additional security requirements. We have encountered varying degrees of awareness and acceptance of national security considerations when conducting similar assessments elsewhere; in the daily pressures of academic and start-up environments these considerations are not always front of mind for researchers.
Finally, the leadership saw security as a key requirement for the company’s successful commercial expansion. Being secure – and being seen to be secure – is crucial to a company’s relationship with potential investors. Often the demand for evidence of a mature security posture comes from investors concerned about sustainable returns; companies that are able to proactively demonstrate a mature, strategic approach to protective security are at an advantage in these circumstances.
Lessons identified
There are continuities between threats to research security in academia and in the market.
Researchers may be familiar with a range of threats to their work from their time in academia and can bring that knowledge with them into the commercial environment.
The transition nonetheless represents a potential point of vulnerability as researchers begin to operate without the security protections provided by an academic institution - some researchers may not have been fully aware of the degree of security provided in the academic environment.
Approaches to security suitable for a university lab do not scale to a commercial setting.
Highly technical researchers have an understandable tendency to develop their own systems for securing their research and collaborations.
As the design of these systems does not always align with best practices and standards, the security of these systems may not be recognised by the common metrics used by partners and potential investors.
If companies are serious about commercial expansion then they will inevitably bring on personnel who are not technical specialists - systems must be designed to be secure for these users as well as the researchers.
Adopting a proportionate, holistic approach to protective security early on can support spin-outs as they scale.
Spin-outs are mission oriented and resource constrained - these are often presented as barriers to the development of a strategic, documented approach to protective security.
There are some simple, pragmatic steps organisations can take early on to strengthen their long-term security posture.
Outlining a protective security strategy that spells out key requirements and principles is a productive first step for a rapidly expanding organisation.
Contact us
Secured is a UK-based organisation that provides strategic advisory services to organisations concerned about threats to the security of research, innovation, and investment.
Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture.
We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability.
Secured is part of Tyburn St Raphael Ltd, a boutique security consultancy.