
From Garden To Grid: Lessons From Gardening For A Resilient Cybersecurity Strategy

BSides London · 2025 · 32:38 · 59 views · Published 2025-02
About this talk
In today's rapidly evolving digital landscape, cybersecurity professionals are constantly seeking innovative strategies to protect their systems. Surprisingly, some of the most powerful lessons can be found in a place often overlooked—the garden. This talk, "From Garden to Grid," draws thought-provoking parallels between gardening practices and cybersecurity strategies, offering a fresh perspective on how we can cultivate a more resilient and adaptive approach to protecting our digital environments. By exploring key principles such as nurturing growth, pruning for efficiency, building resilience, and harvesting success, this presentation will highlight actionable insights that cybersecurity professionals can apply to their daily work. The talk will delve into topics such as continuous learning and innovation, streamlining security processes, safeguarding systems against threats, and celebrating wins by measuring key performance metrics. Attendees will leave with a deeper understanding of how these natural principles can inspire a sustainable, secure, and forward-thinking cybersecurity strategy. This session will benefit cybersecurity professionals seeking to enhance their strategic approach by embracing a mindset that encourages adaptability, efficiency, and resilience—qualities essential for thriving in both the digital and natural worlds.
Transcript

Great, thank you so much for joining me today. Um, I know that some of you are thinking: cyber security, but what has gardening really got to do with this? And I think what we need to really take a step back and realize that gardening, as well as cyber security, should be a thriving environment. We're not talking about here as threats; we're talking more about resilience and how we can imagine that we are tending to your cyber security as a garden, looking at insights into planning, protecting and removing what is no longer suiting. This approach doesn't really just respond to today's threats, but it helps build a foundation of secure future. So why, why is cyber security like

a garden? Well, actually it's full of chaos. New vulnerabilities, new tooling and new challenges can be somewhat overwhelming. Taming an overrun garden can be something similar, where it's been neglected for many, many years. With the lens of cultivation, of not reacting but of course understanding in front of us, we can create an environment that is more than just what we see. With this mindset shift we can see that we are more than just firefighters: we are putting fires out but also lasting that environment. So, bit about me: I've been in cyber security for the best part of a decade now, and my best thoughts have come from things that are outside the usual. The

metaphor of gardening to grid is simply putting complex cyber security strategies and connecting them with more than just technical aspects. Principles such as nurturing for growth, pruning for efficiency, building resilience, harvesting for success and continuous improvement: these concepts are similar to anyone that spent time in a garden, but actually they are equally vital for us when we're looking at cyber security and maintaining a strong future forward. Each of these principles build together; they are holistic and they cannot be done on their own. So this would help create a more dynamic cyber security approach that is resilient and built for stronger over time. Our first one: we're nurturing, we're nurturing for growth in cyber security. So this is building a strong

foundation. This is crucial for cyber security teams as it is for young plants. It takes consistent care, resources and the right environment to help teams grow effectively and resilient. So, four essential ways to help nurture growth within your cyber security teams. Investing in continuous learning and development: cyber security, as we all know, as been listening to many of these talks today, is continually evolving, and actually training your teams to be able to deal with that change is paramount. Encouraging certifications like ethical hacking and cyber security in the cloud can help set aside time for teams to invest in themselves. This can also be done for looking at emerging threats and ensuring that they stay sharp and

adaptable with the change. Encouraging cross-functional collaboration: security is not a one-person problem. As we all know, we work in many different teams that are for everybody's problem. We cannot work in isolation and we need to work defensively together. I always encourage a purple team mindset, which brings in security and of course development to bring together to have a more, uh, dynamic approach. I also highlight that actually our security teams are normally the bad guys. Understanding our persona outside of our team is paramount too. I would always encourage cross-functional information going across from not only my side but also people that are in the field and users, so user development is important throughout our

teams. When we look at fostering a culture of innovation and experimentation, it's really key to have those areas of innovation days where they're not just looking at what they do day to day but they're also looking at outside their normal framework. So this could be looking at new tool sets and understanding that we need to fail fast. We can only learn from what we fail against; if we only succeed, do we actually improve? And lastly, prioritizing our mental health and work-life balance. It is such a high pressure teams that we normally work in, and the development work has to be with practice of our own self too. High pressure work and burnout is a true risk within our

company and within our teams. Mental health resources as well as flexible schedules, um, and we all know that we're coming close to Christmas, so actually your work time off is also important too. A balanced and supported team normally becomes more resilient and therefore is effective in the long run. By creating supported teams with growth, so they know where they belong but also what they can achieve, is developing a team that is stronger for defense and therefore be able to deal with whatever comes next. So for me, I was in infrastructure for many years before I did go into cyber security, and I felt it was paramount for me to make sure that the teams that I

worked with in the wider organization knew what we were trying to achieve. With that in mind I was able to fix more stuff and become more secure because I had those relationships built. We cannot deal with the immense amount of security issues that we have on our own. Pruning for efficiency: like it says, we need to remove what no longer serves us. Pruning away dead branches when it comes to gardening helps plants to thrive. Cutting out what no longer serves us in regards to technology can help declutter our environment, which also, if it's that cluttered, can make it harder for us to protect our most critical assets. We've all experienced the, uh, different storms of late. Imagine that as

part of your security you've not dealt with those branches that are hanging, and therefore they're going to create more of an issue from your security point of view. So when we look at this, we should look at removing those outdated systems and software. I know it's easier said than done. This of course reduces the number of vulnerabilities, and therefore your attack surface significantly reduces. We all know that there are some political issues in regards to those. I have a tree at the bottom of my garden that has a tree protection order; that's the politics in regarding gardening, and therefore we need to go through change control again. Removing those aspects in regards to security, you have to bring in

change control in there. We would all like to fix everything under the sun, but that's just simply not possible. When we then look at reducing that unnecessary complexity: we are all human, but if we have no efficiency, that is actually the enemy of what we want to achieve. Overlapping tooling (we all have too many tools) or convoluted processes (unfortunately business has those quite a lot) can lead to confusions within our security teams and wider businesses. Those can lead to mistakes, and we all make those, but streamlining these processes and consolidating the tools in your shed can help you to reduce that confusion, making sure that your teams know exactly what they need to do and

how they can achieve that. Lastly, reducing those permissions. Principle of least privilege has been around since the year dot, but the problem is that is one of the most difficult ones to unpick. Closing off the's access can reduce your attack vector significantly, and it will also impact the reduction of your internal threats. I've talked about previously about items inside of a tree being an internal threat, but actually if you reduce your access permissions, that is significantly going to improve those too. So there are some key tools. No, don't worry, I'm not going into my vendor hat, but the key tools for pruning: for example, you should look at a decent EDR solution. There are

many on the market, but this is the one piece of solution that will help you determine what is actually out there and what is being used, especially when you're looking at specific users that have administrative permissions; they should be tracking those. Also access management tools: knowing who has access to what and feeding that information in is key to understand where do we need to reduce, what do they actually need to get to, and how we can improve those. So for example, when I worked for a financial services we had significant amount of outdated systems and they were spread throughout the environment. Again, there was some TPOs out there that was stopping me from removing those altogether. So what we

had to do was isolate those. They were still key foundational purpose, but I needed to make sure that they were segregated themselves. I then also brought in the fact that we need to limit the permissions to those outdated systems to protect them further. Applying a least privilege to who actually needs to access them, we reduce those attack surfaces. I improve the communication, because I'd already done work previously on my access in regards to those, and communication within multiple teams, to then have a more secure attack surface. So key takeaway from here: your pruning for efficiency isn't just about cutting back, it's about creating a focus, managing that and securing that environment where the focus on assets

truly matters, and actually your users are those assets too. Building resilience: we need to weather those storms, and there are a few. So when I look at it from a gardening lens, we have young plants. Those young plants need to be protected, and to protect those I would generally put them in a greenhouse. Again, not always great in a storm, but they can recover from any access that they have. So for example, I have my young plants, I'm overwintering them this year, I put them in a greenhouse so they don't get attacked by slugs, way they still do, but it's one of those things that it's stopping some of the access, some of the

issues that I'm going to get when it comes to planting. When we look at this, it's not about defense; it's about being ready to respond when we talk about resilience and cyber security. So it's not about knowing everything and protecting everything, but it's about being able to bounce back, because attacks happen. When we look at that, we need to implement a good backup and recovery system, and it needs to be fit for purpose. Spent a few years looking at different backup and recovery systems for a solution that I used to manage. It was my greenhouse: I protected it, it was able to bounce back if I had a storm. No, it wasn't glass, um, but I made

sure it was robust enough. When we look at backup recovery systems, they have to protect what is necessary from a data position, but it's able to be my safety net. OK, I've got all of my data, it's nice and safe, but I need to be able to pull that back into action when something happens. So it needs to be regular; we need to make sure that my data is kept up to date; it's able to be automated as much as possible; and then it be able to be recovered, and it, so when we do that, it's recovering from a small downtime, but it needs to be practiced. If it's not fit for purpose, you're never

going to know unless you test it. When we also look at this, we need to look at having a practiced incident response plan, or DR is another way of putting it. It needs to be ready; you need to be ready for what is going to happen, and it can't be just a document. We all have many, many different processes throughout our business, but it needs to be more than just a document: it needs to be practiced and tested regularly. Platforms can help streamline and automate these processes, but you need to be able to know how you use them and effectively with your team. They need to be able to be actively involved in the process and then know how to

implement those. We need to know, we need to be as prepared as possible, because ATS can only do so much and we need to be able to work together. The faster we can contain an issue, the less issue it's going to be for the systems and businesses that we have here. We then need to really monitor: monitoring for near to real time. I always say near to because nothing is perfect, um, for early detection. When we talk about this, early detection is key, and it is the differentiator between a catastrophic issue and a "OK, well, we can recover from that". Real-time monitoring and alerting that is actually usable can help identify what threats we need to

deal with and escalate them. SIEM products are available to help you with that, ingesting the data, but it's the same as garbage in, garbage out: you need to know what is necessary for your environment to be able to be monitored, but also the playbooks that go alongside those. It's all well and good knowing that there's a problem, but if it doesn't alert and it doesn't have a playbook associated with those, it's going to not work effectively. Spending all this money without any playbooks is really a bad place to be. So again, industry: I was part of a team that was responsible for incident response. At times we did not have an incident response plan that was practiced, because, OK,

well, breaches just don't really happen, right? We had backup systems. Unfortunately the backup system that I was responsible for in regards to my product, it was running as not as designed, and again, like I say, you know, backup systems need to be thought about, but in what you're wanting to back up: if the database is active, you can't really back up a database in regards to those, which I learned the hard way. So making sure that the teams are available for those and they know where they go, how it's dealt with, as well as on call. So resilience is being ready for the unexpected. Strong backups, tested response plans and real-time monitoring are building blocks in building this

resilience. We cannot recover without those fundamentals and that foundation. Reward: we all like reward. And in regards to when we look at gardening, it is about our harvest, right? So we're harvesting the season, we're harvesting for success, and it is a moment to reflect on what's gone good and what hasn't gone so well. Depending on where you're planting stuff, what seasons have been about (there been a lot of rain so far), so it's a time to know and celebrate. We can identify different areas in regards to this, but we need to know what we're measuring. So we need to have those KPIs, or measuring those metrics. You can measure things like incident response plan if you're part of

a, uh, SOC, threat detection rate, vulnerability remediation, how many criticals that you have, depending on what your business process is, and you need to have a tooling there to help you visualize that: what does good look like for you and your teams? This also is very good to really drill down in which bits do we need to improve as well: what works, what doesn't. We should also look at conducting from our incident response post-incident response analysis. OK, so we need to work out what the root cause was. That should be simple, right? But it's not always the case, and it's not done also effectively enough. When you have that root cause, you need to be able to then

diagnose and have those valuable lessons learned. When we're talking about it from a software vendor, which is where I have been previously, we have incident, stuff happens, but we have to give the users that key factor: what am I going to do better next time, or what actually happened. Post-incident response tooling is also very good in this regard: it's able to help you to dissect, evaluate and help you to know what you did well and what you need to improve, but also it helps us to know what weaknesses are out there, and so you can then be stronger, and the next time that hopefully you might not need to do this. Lastly, we need to celebrate the

wins and encouraging team growth. I always have the phrase of "you win together but you also lose together", and it's knowing that cyber is a challenging, uh, industry to be in, and it's essential to understand and to recognize the efforts that teams place within you. When it's successful it can prevent threats, and when it's not, yes, stuff happens and you have to be able to deal with that too. Acknowledging these wins doesn't just boost, um, morale within the teams, but it also reinforces what best practice looks like, and for the teams to know and to move forward from there. When I was in industry, some of the key indicators were vulnerabilities; that's where I used to, it's my little seat

where I used to be, um, and the team metrics were: how many vulnerabilities did I find, am I seeing everything, and are people patching? Um, of course when we look at that they are quite simple, they are black and white, but again, post analysis of those would be: are you scanning everywhere, how do I know, no, am I scanning everywhere? And then the celebrating of the wins with the wider team, with my cross-functional communication, is celebrating you've done some patching and we are compliant. So harvesting for success isn't just about measuring, honestly, but it's about continuously improving from those metrics that you find. It's reflection of what went well, what didn't, identifying how we can do better and be

better. We in cyber security need to build a strategy to understand that it's not just about being resilient but it's being adaptive to any of those. Continuous improvement: so we are coming full circle. So in a garden it's never done. I've got many different community gardens that I help with, hence why I bring myself cyber security focus today, um, but they're never fully finished. I've still got to go and look at them every season, and, you know, we've had a few different seasons this year, but every season becomes a different challenge and there's always room for growth, whether that is doing additional weeding, putting in some different mulch, understanding the soil and how that's coming on, is

exactly the same within cyber security: continuous improvement, because it needs to evolve. So some key areas for continuous improvement would be looking at your VM, so your vulnerability management assessment. It's a key area because we all know that vulnerabilities are ever evolving; threats come and go; zero days are evolving every single day, feels like, times. But if you do not have a strategy for how you are going to find these threats, they are always going to be there. So understanding, having a method that actually works for the business, not just what the vendor says, um, because it's cross-functional: it needs to be able to be ingested, digested from many different points. Auditing: it is a horrible word to

some people, but auditing from a security point of view is again paramount for continuous improvements. Audits do change, and our standards change on a very frequent basis, but it's like having a review of your garden. An audit can uncover inefficiencies as well as things that aren't working well, or that are security that you don't realize that there's a problem. So it's important to absorb that information, be able to be compliant and do compliance, to be able to empower your team and better the business. And finally, again, encouraging a culture of learning and adaptability. It's not just tooling; it has to be a mindset shift. Your teams need to realize that they are part of a

culture of security that is learning and it needs to adapt. So within all of those three you can see not only how you find but also how you continuously go around in this journey. So again, when I was in industry, I was the implementation of our vulnerability management program, including security audits, which were not always easy to rectify, um, but it was about team learning. I knew how my system worked; I taught people and put in place practices and documentation of how they could do my job, because again, not everybody's in the same seat for many years, but you have to be able to learn from others. You know, I knew that I

knew my stuff, but I didn't know always how it impacted others, and that continuous improvement from myself and from my team meant that we had a very secure environment from a security point of view. So it is not a set and forget. By regularly updating, reviewing and learning, we ensure our defenses are secure and we are being proactive and not reactive, because we need to be one step ahead of those evolving threats. So I'm going to wrap it up. I've got a couple more, so don't worry, but to wrap it up we need to bring it all together, the core principles. So nurturing growth: investing in teams, investing in technology that suits. Pruning: cutting away and

streamlining, cutting away the things that do not need to be in place, cutting away items that are insecure and then putting in processes that are going to rectify those. Building resilience: prepare, prepare for the unexpected, and most of the time the expected, and to understand how you can move forward. Harvest: when we look at harvest, we are measuring, we are reflecting and we are celebrating, and they're the key areas. And then finally continuous improvement: this is how you evolve, evolve for just not one person in their individual seats, but together you celebrate the wins; together you win and you lose together. So these principles, like I said, do not work in isolation. They support each other to develop an

ecosystem that strengthens each other. When we nurture, prune, build and harvest and adapt continuously, we create a strategy that's not just resilience but it's ready to grow and withstand whatever challenges come before us. We're coming to the end of our journey, our growth together I suppose, and I want to reflect. There are a few things that, when you're nurturing a garden or protecting digital environments, the real work happens behind the scenes, quietly and consistently, and often without immediate results. We don't get celebrated often; we only get celebrated when something happens, most of the time. So, strong roots. There two quotes. Strong roots, strong roots grow in quiet, uh, seasons. Resilience is built

before the storm. Preparation today ensures protection tomorrow. From this I understand that roots grow before anything else. When we look at the storms that we've had over the last couple of weeks, those strong roots that we put down and we nurture help us to build branches and trunk that is going to support our ecosystem of our business. When we stand tall within a tree, the strength is in what we have already done before us. And when we talk about quiet seasons, this is in preparation. The roots that anchor us down are potentially protecting us from a ransom attack or a data breach, and they don't grow overnight. You're not expecting your teams to be able to pick

up tools and run with them instantly. It's continuous efforts: we're continuously doing vulnerability scanning, security audits, patching data, and they're built long, long before we have a breach, hopefully. So my second quote: preparation today ensures protection tomorrow, and it's essential for both gardening and cyber security. When I plant a seed or a bulb, I don't expect it to bloom instantaneously. So we're preparing the soil, which is nurturing growth, and trusting the work that I do today is going to pay off in the future. Similarly, when we invest we are preparing. So think about your own garden, whether it's your team, your systems or your approach to cyber security: what roots are you going to be

preparing for your quiet season, and what seeds are you planting today to ensure protection tomorrow? Resilience, growth and security are not built in a day; they're a result of your preparation, your consistency and a mindset of continuous improvement. So I want to carry that mindset forward, because the work that we do today helps us to shape a secure future. Thank you. So I'm going to leave you with this thought: what seeds are you planting today to ensure a secure digital future tomorrow? I want to thank you so much for listening, um, and your time and attention, because it's getting on a little bit now, and I'd love to continue this conversation, so feel free to connect,

that is a safe QR code, um, and let's grow a stronger cyber security strategy

together. If there are any questions, feel free. It's a bit bizarre, I know, um, so feel free. Yes? Thank you, um, you a um I am working in a large organization security very much on the and so

yeah perspective. Yeah, so just to refresh, um, gentleman's asked how a segregated security team can be more integrated within a wider organization, and I experienced this firsthand. Um, communication is really key; transparency is even more key in regards to this. So we'll forget about the gardening right now, but if you have key stakeholders, so you have your key players that are needing to be involved in any conversation when you're talking about security, inviting them in, getting them involved early as possible helps break down sometimes what I would find is anxiety, because we are the big bad guys generally when we're talking about security; we're going to stop a lot of things. Inviting them in, listening and

feeding back to them your thoughts about the situation, but actively listening to what they are needing out of it, can help that. I, because I was in infrastructure for many years, I could talk the same language. You will be able to talk the same language as a technical person and a non-technical person; you just need to build a metaphor that they understand, breaking down the barriers of that communication. Once you've got it and you've built that rapport with them, they trust you, and it's all about building trust. So I hope that helps. To understand, getting under the hood of who they are, where their pain comes from, can really help to build that resilience

within the teams. That cross-functional, that's why I put it in. It's amazing when you start bringing in cross-functional communication, because you have that foundation for a very long time. If there's nothing else, I can let you go. Great, fantastic, thank you so much.