Embedding Cybersecurity across University College Cork
At University College Cork (UCC), cybersecurity is not a technical silo; it is a shared, strategic responsibility embedded across the entire institution. This talk explores how the Cybersecurity Team at UCC adopted a human-centred, security-first approach to integrate cybersecurity into its culture, processes and governance structures.
Cyber risk is recognised as UCC’s greatest organisational risk. This acknowledgement extends beyond the IT department, with cyber risk on UCC’s enterprise risk register. Cybersecurity is a topic of regular reporting to Internal Audit and the University Leadership Team, ensuring visibility, accountability, and executive engagement.
UCC’s Enterprise Risk Office (ERO) recognises this and has assumed responsibility for the administration and oversight of mandatory cybersecurity awareness training. This training is delivered through the Enterprise Risk Management (ERM) platform, with attendance tracked and managed by ERO. The cybersecurity team remain closely involved, developing the training content and collaborating with ERO to promote training. This shared model alleviates capacity constraints on the cybersecurity team and underscores that cybersecurity is a university-wide concern.
But embedding cybersecurity goes beyond governance: it requires cultural change.
UCC’s cybersecurity team has built strong partnerships with key functions including Procurement, the Office of Corporate and Legal Affairs (OCLA), Internal Audit, the Data Protection Office, and key research areas. These collaborations ensure that cybersecurity considerations are embedded from the outset in activities like system acquisitions, research initiatives, and business continuity planning. Cybersecurity is now part of the conversation in departments across the University.
Rather than centralising control, UCC operates with a small cybersecurity team, functioning as specialists who empower others to take ownership of cybersecurity in their respective roles. By collaborating both across the University and within IT, the team facilitates shared responsibility and improved engagement.
This distributed model, using a small agile security team, has resulted in significant gains:
Improved capacity: local IT teams are empowered to address cyber issues directly and proactively.
Knowledge sharing: Subject Matter Experts (SMEs) in areas such as endpoint management, network management, and data protection provide invaluable insights, helping to shape and refine security strategies.
Shared responsibility: joint efforts like the attack surface reduction project brought together technical staff across UCC with remarkable success in just 5 months.
On the end-user front, our cyber awareness program has been well received. Each October, Cybersecurity Awareness Month draws engagement from over 1,000 staff and students through a range of activities (quizzes, talks, podcasts…), fostering a security-conscious community.
These efforts have culminated in a cultural shift. Cybersecurity is no longer seen as a block to progression, but as an enabler of sustainable development in UCC. We see less resistance to cybersecurity initiatives and proactive invitations to the cyber team to contribute to strategic working groups, including IT’s AI Workgroup and OCLA’s Business Continuity Planning workshops. The impact is measurable, with tangible improvements in our cyber insurer’s risk rating.
This presentation will share practical insights and lessons learned from UCC’s journey, highlighting how a people-first, partnership-driven approach to cybersecurity can transform an organisation’s culture and resilience.
Katie Horgan
Cybersecurity Analyst at University College Cork (UCC)
THURSDAY