A single line of defence is no longer enough. Organisations need to build security across everything they do - business processes, data handling, platforms, products and services - and understand security as an evolving, responsive, agile setup. In this talk, Dave explains how technology foundations for secure product development, together with an agile security setup across the board, can promote sustainable innovation and enhance cyber-resilience overall.
6. Traditional Software Security
● Risk analysis
● Give security requirements
● Set infrastructure standards
● Define compliance & policies
A lot of changes
Who is taking care of security?
7. “We need a cybersecurity renaissance in
this country that promotes cyber hygiene
and a security centric corporate culture
applied and continuously reinforced by
peer pressure”
- James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology
8. ● Direct and Indirect attacks
● Privacy vs Transparency
● How do you control social media?
○ Hint: Consider carefully
● Did you find GDPR difficult?
○ Or are you just hoping no-one looks
● Someone or something intelligent is out there
Here’s looking at you…!
12. What is resilience?
Cyber resilience helps businesses recognise that attackers have the advantages of innovative tools, the element of surprise and choice of target, and can succeed in their attempt. The concept helps the business prepare, prevent, respond and successfully recover to the intended secure state. This is a cultural shift: the organisation treats security as a full-time job and embeds security best practices in day-to-day operations. Compared with cyber security, cyber resilience requires the business to think differently and to be more agile in handling attacks.
21. We need to maintain the balance of acceptable risk
22. Inherent Risk – Impact Assessment?
● What data is stored or processed by the system?
● What is the reason for storing it?
● What is its sensitivity?
● What services are provided by the system?
● What is the purpose of those services?
● What is their sensitivity? (Business critical? Safety sensitive?)
● What types of users or third parties interact with the system?
○ What is the purpose of these interactions?
○ What can we say about our trust in these users or third parties?
24. Zero Trust Architecture, also referred to as Zero Trust Network or simply Zero Trust, refers to security concepts and a threat model that no longer assume that actors, systems or services operating from within the security perimeter should be automatically trusted; instead, anything and everything trying to connect to an organisation's systems must be verified before access is granted.
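As an added illustration of the definition above (example code, not from the talk), the snippet below contrasts a perimeter decision, which trusts a request for coming from an internal address, with a Zero Trust decision that verifies identity, session strength, device posture and entitlement on every request. The network range, entitlement table and scenarios are constructed sample data.

```python
"""Perimeter trust versus Zero Trust access decisions (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate address range


@dataclass
class Request:
    src_ip: str                 # where the request arrives from
    user: Optional[str]         # identity proven by an authenticated token, None if absent
    mfa: bool                   # strong authentication completed for this session
    device_compliant: bool      # endpoint posture check passed (managed, patched)
    resource: str               # what is being requested


# Constructed policy: which verified users may reach which resources.
ENTITLEMENTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything inside the network boundary is trusted."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Verify every request; network location plays no part in the decision."""
    if req.user is None:
        return False, "no verified identity"
    if not req.mfa:
        return False, "strong authentication not completed"
    if not req.device_compliant:
        return False, "device fails posture check"
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False, f"{req.user} not entitled to {req.resource}"
    return True, "verified"


# Constructed scenarios: the same requests judged under both models.
INSIDE_NO_IDENTITY = Request("10.2.3.4", None, False, False, "payroll")
REMOTE_VERIFIED = Request("203.0.113.9", "alice", True, True, "payroll")
INSIDE_NOT_ENTITLED = Request("10.1.1.1", "bob", True, True, "payroll")

if __name__ == "__main__":
    for name, req in [("inside, no identity", INSIDE_NO_IDENTITY),
                      ("remote, verified", REMOTE_VERIFIED),
                      ("inside, not entitled", INSIDE_NOT_ENTITLED)]:
        print(f"{name}: perimeter={perimeter_decision(req)} zero_trust={zero_trust_decision(req)}")
```

Note that the perimeter model admits the unidentified internal request and rejects the fully verified remote one, which is exactly the assumption Zero Trust discards.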
25. The end of simplicity
How the future is more complex than it might appear
26. A complex adaptive system is a system in which a perfect understanding of the individual parts does not automatically convey a perfect understanding of the whole system's behaviour.
- Miller et al., 2007
29. Adaption
Source: Hiroki Sayama, D.Sc., Collective Dynamics of Complex Systems (CoCo) Research Group
at Binghamton University, State University of New York