
Security by default - Building continuous cyber-resilience.

Single-line of defence security is no longer enough. Organisations need to build security across everything they do - business processes, data handling, platforms, products and services, and understand security as an evolving, responsive, agile setup. In this talk, Dave explains how technology foundations for secure product development and an agile security setup across the board can promote sustainable innovation and enhance cyber-resilience overall.

Published in: Technology


  1. Security by default - is it possible? Are we on the edge of the abyss?
  2. Today
     ● Why?
     ● Resilience
     ● Building Blocks
     ● Future
  3. “Cyber resilience refers to an entity's ability to continuously deliver the intended outcome despite adverse cyber events.”
  4. Source: https://norse-corp.com/map/
  5. Traditional Software Security
     ● Risk analysis
     ● Give security requirements
     ● Set infrastructure standards
     ● Define compliance & policies
     A lot of changes. Who is taking care of security?
  6. “We need a cybersecurity renaissance in this country that promotes cyber hygiene and a security centric corporate culture applied and continuously reinforced by peer pressure” - James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology
  7. ● Direct and indirect attacks
     ● Privacy vs transparency
     ● How do you control social media?
       ○ Hint: consider carefully
     ● Did you find GDPR difficult?
       ○ Or are you just hoping no-one looks?
     ● Someone or something intelligent is out there
     Here’s looking at you…!
  8. Resilience during exponential change
  9. 40 years of Processor Performance. Source: John Hennessy and David Patterson, Computer Architecture: A Quantitative Approach, 2018
  10. What is resilience? Cyber resilience helps businesses recognize that attackers have the advantages of innovative tools, the element of surprise and the choice of target, and can succeed in their attempts. The concept helps a business prepare for, prevent, respond to and recover from an attack back to the intended secure state. This is a cultural shift: the organization treats security as a full-time job and embeds security best practices in day-to-day operations. Compared with cyber security, cyber resilience requires the business to think differently and to be more agile in handling attacks.
  11. Resilience during exponential change
  12. CD: Fundamental building block. The deployment pipeline stages:
     ● Commit stage: compile, unit test, analysis, build installers
     ● Automated capacity testing
     ● Automated acceptance testing
     ● Manual testing: showcases, exploratory testing
     ● Release
  13. Build security in: everyone responsible. Product Owner, Experience Designer, Business Analyst, Developer, Tech Lead, Project Manager, Security Analyst, Infrastructure Consultant, QA.
  14. Risk
  15. “If you know almost nothing, almost anything will tell you something” - Douglas W. Hubbard
  16. Risk: Quantify, not Qualify
  17. We need to maintain the balance of acceptable risk
  18. Inherent Risk – Impact Assessment?
     ● What data is stored or processed by the system?
     ● What is the reason for storing it?
     ● What is its sensitivity?
     ● What services are provided by the system?
     ● What is the purpose of those services?
     ● What is their sensitivity? (Business critical? Safety sensitive?)
     ● What types of users or third parties interact with the system?
       ○ What is the purpose of these interactions?
       ○ What can we say about our trust in these users or third parties?
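The talk's "quantify, not qualify" slide and the impact-assessment questions above lead naturally to a numeric model. The following is an added example, not code from the talk or from ThoughtWorks: it assumes each system's answers are condensed into an annual probability of compromise and a 90% confidence interval for the loss if compromised (a calibrated-estimate style, an assumption here), models the loss as lognormal, and computes expected annual loss both in closed form and by Monte Carlo so the two can be checked against each other. The system names and figures are constructed.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Tuple

Z_90 = 1.645  # z-score bounding a two-sided 90% interval of a normal


@dataclass(frozen=True)
class SystemRisk:
    """Answers to the impact-assessment questions, reduced to numbers.
    Constructed, hypothetical values; not from the talk."""
    name: str
    data_stored: str               # "what data is stored or processed?"
    annual_compromise_prob: float  # chance of compromise in one year
    loss_low: float                # 5th percentile of loss given compromise
    loss_high: float               # 95th percentile of loss given compromise


def lognormal_params(low: float, high: float) -> Tuple[float, float]:
    """(mu, sigma) of a lognormal whose 90% interval is [low, high].
    mu is the log of the median; sigma spans the interval in log space."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def expected_annual_loss(system: SystemRisk) -> float:
    """Closed form: P(compromise) times the mean loss given compromise.
    The lognormal mean is exp(mu + sigma^2 / 2), above the median."""
    mu, sigma = lognormal_params(system.loss_low, system.loss_high)
    mean_loss = math.exp(mu + sigma ** 2 / 2)
    return system.annual_compromise_prob * mean_loss


def simulate_annual_loss(system: SystemRisk, trials: int = 20_000,
                         seed: int = 1) -> float:
    """Monte Carlo estimate of the same quantity as a cross-check:
    each trial is one year; a compromise draws a lognormal loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(system.loss_low, system.loss_high)
    total = 0.0
    for _ in range(trials):
        if rng.random() < system.annual_compromise_prob:
            total += rng.lognormvariate(mu, sigma)
    return total / trials


def rank_by_expected_loss(systems: List[SystemRisk]) -> List[SystemRisk]:
    """Highest expected loss first: where to spend the next security effort."""
    return sorted(systems, key=expected_annual_loss, reverse=True)


# Constructed sample inventory (hypothetical).
SYSTEMS = [
    SystemRisk("payroll", "employee PII and salaries", 0.10, 50_000, 500_000),
    SystemRisk("public-website", "marketing content", 0.30, 5_000, 50_000),
]

if __name__ == "__main__":
    for s in rank_by_expected_loss(SYSTEMS):
        print(f"{s.name:15s} closed-form EAL={expected_annual_loss(s):10.0f}"
              f"  monte-carlo EAL={simulate_annual_loss(s):10.0f}")
```

The ranking is what the "balance of acceptable risk" slide asks for: the website is compromised three times as often, but the payroll system carries more than three times the expected annual loss, so it comes first. Widening a system's interval (more uncertainty about the loss) raises its mean and therefore its rank, which is the intended effect of quantifying rather than labelling.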
  19. Source: https://logrhythm.com/blog/what-is-the-zero-trust-model-for-cybersecurity/
  20. Zero Trust Architecture, also referred to as Zero Trust Network or simply Zero Trust, refers to security concepts and a threat model that no longer assume that actors, systems or services operating from within the security perimeter should be automatically trusted; instead, anything and everything trying to connect to the organisation's systems must be verified before access is granted.
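To make the contrast in the zero-trust definition concrete, here is an added example (not code from the talk or from the source linked above). It puts a perimeter-style check, which grants access on network location alone, beside a zero-trust check that verifies the caller's authenticated identity, the device's posture and the caller's authorisation for the resource on every request and never consults location. The network range, role table, ACL and sample requests are constructed and hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

# Constructed policy data (hypothetical names and ranges).
INTERNAL_NETWORK = ip_network("10.0.0.0/8")
ROLES: Dict[str, Set[str]] = {"alice": {"finance"}, "bob": {"engineering"}}
RESOURCE_ACL: Dict[str, Set[str]] = {
    "payroll-db": {"finance"},
    "build-server": {"engineering"},
}


@dataclass(frozen=True)
class Request:
    source_ip: str
    identity: Optional[str]  # subject proven by authentication, None if absent
    device_compliant: bool   # result of the client device's posture check
    resource: str


def perimeter_allow(req: Request) -> bool:
    """Legacy model: being inside the perimeter is the only check,
    so anything that reaches the internal network is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NETWORK


def zero_trust_allow(req: Request) -> bool:
    """Every request is verified on its own merits:
    1. the caller must have authenticated,
    2. the device must meet the posture policy,
    3. the caller's roles must intersect the resource's allowed roles.
    Network location is deliberately not consulted."""
    if req.identity is None:
        return False
    if not req.device_compliant:
        return False
    allowed_roles = RESOURCE_ACL.get(req.resource, set())
    return bool(ROLES.get(req.identity, set()) & allowed_roles)


# Constructed sample requests; 203.0.113.0/24 is a documentation range.
SAMPLE_REQUESTS = {
    "finance_user_inside":    Request("10.1.2.3", "alice", True, "payroll-db"),
    "finance_user_remote":    Request("203.0.113.7", "alice", True, "payroll-db"),
    "unauthenticated_inside": Request("10.1.2.4", None, True, "payroll-db"),
    "wrong_role_inside":      Request("10.1.2.5", "bob", True, "payroll-db"),
    "noncompliant_device":    Request("10.1.2.6", "alice", False, "payroll-db"),
}


def compare_models() -> Dict[str, Tuple[bool, bool]]:
    """(perimeter decision, zero-trust decision) for each sample request."""
    return {name: (perimeter_allow(r), zero_trust_allow(r))
            for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (perim, zt) in compare_models().items():
        print(f"{name:24s} perimeter={perim!s:5s} zero-trust={zt!s}")
```

The two models disagree on exactly the cases the definition is about: an unauthenticated or wrongly-authorised caller that is already inside the network is waved through by the perimeter check and refused by the zero-trust check, while the legitimate finance user working remotely is refused by the perimeter and admitted under zero trust. Logging both decisions side by side during a migration is a practical way to see how much implicit trust the perimeter was granting.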
  21. The end of simplicity: how the future is more complex than it might appear
  22. A complex adaptive system is a system in which a perfect understanding of the individual parts does not automatically convey a perfect understanding of the whole system's behaviour. - Miller et al., 2007
  23. Butterfly Effect
  24. Butterfly Effect; Emergence
  25. Adaptation. Source: Hiroki Sayama, D.Sc., Collective Dynamics of Complex Systems (CoCo) Research Group at Binghamton University, State University of New York
  26. Dave Elliman, Global Head of Technology, ThoughtWorks. Thank you
