Security and digital: it's all about leadership

Transcript

1. Security and digital: it’s all about leadership James Stewart |@jystewart

   | [email protected]
2. None

3. $
 Digital government


4. @jystewart “Your threat model has changed”

5. @jystewart Good security requires cultural change (just like digital does)

6. @jystewart - Take responsibility - Focus on outcomes - Empower

   teams - Change the environment
7. None

8. @jystewart Can I put this data outside our borders?

9. @jystewart Can I put this data outside our borders? 


   What guarantees do we need to make about data?

10. @jystewart It is unacceptable for a board to not understand

    financial risk. The same has to be true for cyber risk.

11. @jystewart - Take responsibility - Focus on outcomes - Empower

    teams - Change the environment

12. @jystewart https://insidegovuk.blog.gov.uk/2016/11/15/incident-report-gov-uk-dns-outage/

13. @jystewart Data in transit protection - Data transiting networks should

    be protected against tampering and eavesdropping Asset protection and resilience - Data, and the assets that store/protect it, should be protected appropriately Separation between consumers - To prevent one compromised consumer from affecting the service of another Governance framework - To direct their overall approach to the management of the service and information Operational security - Processes and procedures need to be in place to ensure the operational security of the service Personnel security - Security service provider staff should be subject to personnel security screening Secure development - Services should be designed and developed to identify and mitigate threats to their security Supply chain security - The supply chain should support all of the security principles that the service Secure consumer management - Consumers should be provided with the tools required securely manage their service Identity and authentication - Access should be constrained to the authorised and authenticated users External interface protection - All external or less trusted interfaces of the service should have appropriate protections Secure service administration - All methods used by the service administrators should mitigate risk of exploitation Audit information provision to consumers -To help consumers monitor access to their service and their data Secure use of the service by the consumer - Consumers need to be trained and comply with guidance for use of cloud https://bit.ly/cloud-security-principles

14. @jystewart - Take responsibility - Focus on outcomes - Empower

    teams - Change the environment

15. From “Agile Application Security” by Laura Bell, Michael Brunton-Spall, Rich

    Smith, Jim Bird

16. @jystewart - Take responsibility - Focus on outcomes - Empower

    teams - Change the environment

17. GDS

18. None

19. @jystewart “Make email mean something again” https://www.ncsc.gov.uk/blog-post/active-cyber- defence-tackling-cyber-attacks-uk

20. @jystewart “If security doesn't work for people, it doesn't work”

    - Emma W from NCSC https://www.ncsc.gov.uk/blog-post/cyberuk-2017-people- strongest-link

21. Security and digital: it’s all about leadership James Stewart |@jystewart

    | [email protected]