How to Address Cybersecurity as a Lab Manager

Cybersecurity is a shared responsibility, not a solo mission. Learn where a lab manager’s duties end, where IT takes over, and how collaboration builds resilience

Written by Holden Galusha | 5 min read

Cybersecurity may seem like a technical challenge outside your purview as a lab manager, but effective leadership is a vital part of keeping a laboratory secure. Lab managers play a key role in governance, risk awareness, and training for cybersecurity. To shed light on where a lab manager’s responsibility for cybersecurity begins and ends, and how they should best collaborate with IT, we spoke with Stefan Lüders, PhD, longtime computer security officer at CERN, who offers practical advice for building secure, cooperative lab environments based on his experience securing one of the world’s premier research institutions.

Q. Which aspects of cybersecurity should a lab manager expect to handle themselves, and what should they expect the organization's IT department to handle?
A. Cybersecurity is not the core business of most lab managers—we should acknowledge that their skills, expertise, and knowledge lie elsewhere. So why put the burden on them?

[Photo: Stefan Lüders. Credit: Stefan Lüders/CERN]

Their only (but essential) responsibility is governance over cybersecurity, just as they have governance over budgeting, human resources, operations, business continuity, and so on. That means ensuring cybersecurity is considered at every step—development, deployment, testing, and operation of all equipment, including software—and ensuring appropriate awareness and training for all team members.

They must liaise with relevant bodies in their organization, especially the IT department, to make sure their equipment is secured, protected, or at least listed in the organization’s risk register as a potential cybersecurity risk. Their primary contacts will likely be IT, but also the training department, the CIO, and the enterprise risk manager.

In short, cybersecurity is a cross-functional responsibility involving many parts of the organization, and teamwork is essential.

Q. What baseline cybersecurity practices should every lab manager implement, regardless of technical expertise?
A. Good practices are usually described in IT and cybersecurity standards like ISO 27000 or CIS Controls (CISv8). The starting point is a thorough risk analysis of the lab’s operations and their impact on the broader organization.

Any cybersecurity risk should be listed and either mitigated (if it’s too large to accept) or accepted as residual risk. As I said earlier, this must happen together with experts—the IT department and other partners—who can provide the right controls, like network segregation, VLANs and firewalls, single sign-on, multi-factor authentication, tight access control, patching, application management, software repositories, and software bills of materials (SBOM).

While governance belongs to the lab manager, and implementation of protective controls belongs to IT, a good lab manager should still ensure hardware is up to date, software is developed with cybersecurity in mind, access is tightly controlled, and backup, business continuity, and disaster recovery plans are in place and tested.

Again, this all depends on good communication and mutual trust with IT.

Q. Lab managers and IT staff can often have an adversarial relationship — the lab manager feels IT is a hurdle, while IT may feel the lab manager doesn’t take security threats seriously. How should a lab manager collaborate effectively with IT?
A. It’s essential to understand the core responsibilities of both lab managers and IT, and to focus on the ultimate goal of the organization. Both roles are key to achieving that success.

The IT department should not be seen as a hurdle but as an enabler—they provide the expertise to help labs run smoothly, including cybersecurity measures appropriate to the organization’s risk appetite.

Trust is key. Sharing the workload is key. Everyone has their own expertise, and that should be used fully: lab staff for equipment operations, IT staff for IT provisioning.

This also means IT should be given the chance to understand lab operations—ideally through internal mobility, internships, or regular discussions. Again, working hand in hand is essential because the goal is shared.

Q. You once said about CERN: “One important step forward is making every user of IT resources actively aware and responsible for their use of IT. They are responsible for the security of their IT resources.” Do you think this approach of trusting users to ‘own’ their lab’s cybersecurity would work for most research organizations, or is it unique to CERN?
A. Having discussed this with many peers at other research organizations, I believe it’s the best alternative — unless lab managers want to take on cybersecurity entirely themselves.

But as mentioned earlier, that would mean stepping outside their expertise or increasing staff to cover cybersecurity, which I would not recommend as it’s cost-inefficient for the organization.

In most organizations, cybersecurity is a shared responsibility between lab and IT staff. It starts with understanding and taking the risks seriously, then delegating responsibility to the IT resource owner, making them own the problem, and trusting them.

If the IT department can provide solutions that are simple, useful, and secure, enabling people to manage cybersecurity risks, we create a win-win situation.

Q. How should a lab manager approach security training for their lab staff?
A. Training should take a multi-pronged approach, depending on the team’s maturity level. General awareness is essential — understanding the impact of a cyberattack, the attack vectors, and the possible consequences.

Once that foundation is set, more specialized training can follow, for example for programmers: how to design, architect, develop, and program software securely. Similar trainings exist for IT system deployment.

The IT staff should already have that expertise and can provide training; if not, they should be included and required to complete the same courses.

Q. Phishing and ‘vishing’ attacks are on the rise, according to CrowdStrike’s 2025 Global Threat Report. What roles do lab managers and IT leaders play in preventing these attacks?
A. These attack types have been around for years, with many variations. All staff—lab managers, HR, IT—need awareness and training to recognize phishing and follow the principle of “STOP—THINK—DON’T CLICK” when browsing or handling emails.

Leaders must ensure staff complete the necessary training. IT leaders, ideally the CIO, must ensure appropriate trainings are offered and technical countermeasures are in place: spam filtering, email quarantining, anti-malware, multi-factor authentication, firewalls, web application firewalls, monitoring, and intrusion detection.

Importantly, the organization must also be ready to respond swiftly and thoroughly when incidents inevitably occur. Prevention (training), protection (technical safeguards), detection, and response are all critical.

Q. With internet-connected lab instruments and IoT devices becoming common, who’s responsible for keeping that hardware secure?
A. First, operation-critical lab instruments should never be directly connected to the Internet — doing so is a major error and cannot be justified.

Second, you can’t “ensure” that such hardware stays secure. Maybe it’s secure today, but IoT is often called the “Internet of insecure things” for a reason. Security conferences are full of examples of cracked IoT devices — they excel at their core functions but often lack proper security layers.

Therefore, IT staff are primarily responsible for protection. The organization’s perimeter firewall should never allow lab instruments or IoT devices to be openly accessible from the Internet. Any exceptions must go through an extensive approval process, including risk assessment. Personally, I would never authorize such a firewall opening.

Q. For labs running aged instruments, what should lab managers know about security for old operating systems and software?
A. It’s not unusual for lab equipment to run outdated OS or firmware versions that can’t be updated or patched. Generally, this isn’t a problem if other protection layers are in place: network segregation, VLANs, firewalls, and strict access control.

These protections should exist anyway, because lab equipment can’t be patched as promptly as office computers. Maintenance windows are needed, and in some cases, they’re scheduled weeks, months, or even years out.

Patching also isn’t always straightforward, as it requires thorough testing and sometimes recertification. That’s why layered defenses—“defense in depth”—are essential.
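The two answers above describe one control from two sides: legacy instruments are acceptable only behind network segregation, VLANs, firewalls, and strict access control, and the perimeter firewall must never expose instruments or IoT devices to the Internet unless a documented, risk-assessed exception exists. The script below is an added example written for this article, not code from the interview, from CERN, or from any named product. It models a perimeter ruleset as a short list of rules and flags every accept rule that lets a source other than the management jump subnet reach the instrument segment, distinguishing undocumented Internet exposure from a recorded exception and from internal traffic that bypasses the jump subnet. The subnets, rule fields, and the ticket id are constructed placeholders; first-match rule ordering and IPv4-only addressing are assumptions.

```python
"""Audit a firewall ruleset for exposure of a lab instrument segment.

Added example, not from the article. Rules are modelled as dicts with
'src' and 'dst' (CIDR strings), 'action' ('accept' or 'drop') and an
optional 'approval' ticket id. All addresses below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 ranges: anything fully inside these counts as internal.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed placeholders (assumed, not real addressing).
LAB_INSTRUMENT_NET = ipaddress.ip_network("10.42.0.0/24")  # instrument VLAN
MGMT_JUMP_NET = ipaddress.ip_network("10.10.5.0/28")        # jump hosts
ANY = ipaddress.ip_network("0.0.0.0/0")

Rule = Dict[str, str]
Finding = Tuple[str, int, str]  # (severity, rule index, message)


def is_internal(net: ipaddress.IPv4Network) -> bool:
    """True only if the whole source range is private address space."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_rules(rules: List[Rule],
                lab_net: ipaddress.IPv4Network = LAB_INSTRUMENT_NET,
                mgmt_net: ipaddress.IPv4Network = MGMT_JUMP_NET) -> List[Finding]:
    """Return findings for accept rules that reach the instrument segment.

    critical: Internet-facing source with no recorded approval
    high:     Internet-facing source with an approval ticket (must be in
              the risk register and re-reviewed)
    medium:   internal source that bypasses the management jump subnet
    """
    findings: List[Finding] = []
    for i, rule in enumerate(rules):
        if rule.get("action") != "accept":
            continue
        src = ipaddress.ip_network(rule["src"], strict=False)
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if not dst.overlaps(lab_net):
            continue  # rule never touches the instrument segment
        if src.subnet_of(mgmt_net):
            continue  # intended path: management jump subnet only
        if is_internal(src):
            findings.append(("medium", i,
                             f"internal source {src} reaches {dst} "
                             f"without passing the jump subnet"))
        elif rule.get("approval"):
            findings.append(("high", i,
                             f"Internet-facing exception {src} -> {dst} "
                             f"recorded as {rule['approval']}"))
        else:
            findings.append(("critical", i,
                             f"Internet source {src} can reach {dst} "
                             f"with no approval on file"))
    return findings


def has_default_deny(rules: List[Rule],
                     lab_net: ipaddress.IPv4Network = LAB_INSTRUMENT_NET) -> bool:
    """True if the last rule touching the lab segment drops all sources."""
    for rule in reversed(rules):
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if dst.overlaps(lab_net):
            src = ipaddress.ip_network(rule["src"], strict=False)
            return (rule.get("action") == "drop" and src == ANY
                    and lab_net.subnet_of(dst))
    return False


# Constructed sample ruleset (first match wins).
SAMPLE_RULES: List[Rule] = [
    {"src": "10.10.5.0/28", "dst": "10.42.0.0/24", "action": "accept"},
    {"src": "0.0.0.0/0", "dst": "10.42.0.10/32", "action": "accept"},
    {"src": "192.0.2.0/24", "dst": "10.42.0.0/24", "action": "accept",
     "approval": "RISK-0042"},  # placeholder ticket id
    {"src": "10.20.0.0/16", "dst": "10.42.0.0/24", "action": "accept"},
    {"src": "0.0.0.0/0", "dst": "10.42.0.0/24", "action": "drop"},
]

if __name__ == "__main__":
    for severity, idx, msg in check_rules(SAMPLE_RULES):
        print(f"[{severity}] rule {idx}: {msg}")
    print("default deny present:", has_default_deny(SAMPLE_RULES))
```

Running the script reports one critical, one high, and one medium finding for the sample ruleset and confirms the trailing default deny. In practice the rule list would come from an export of the real perimeter device, and the "high" findings are the documented exceptions the lab manager and IT review together against the risk register.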

Stefan Lüders, PhD, graduated from the Swiss Federal Institute of Technology in Zurich and joined the European Organization for Particle Physics (CERN) in 2002. Since 2009, he has headed the CERN Computer Security Incident Response Team as CERN’s computer security officer, with the mandate to coordinate all aspects of CERN’s computer security (office computing security, computer center security, GRID computing security, and control system security) while taking into account CERN’s operational needs. Lüders has presented on computer security and control system cybersecurity topics on many occasions to international bodies, governments, and companies, and he has published several articles.

About the Author

Holden Galusha is the associate editor for Lab Manager. He was a freelance contributing writer for Lab Manager before being invited to join the team full-time. Previously, he was the content manager for lab equipment vendor New Life Scientific, Inc., where he wrote articles covering lab instrumentation and processes. Additionally, Holden has an associate of science degree in web/computer programming from Rhodes State College, which informs his content regarding laboratory software, cybersecurity, and other related topics. In 2024, he was one of just three journalists awarded the Young Leaders Scholarship by the American Society of Business Publication Editors. You can reach Holden at hgalusha@labmanager.com.
