
Shifting From A Reactive To A Proactive Approach In Cybersecurity

BSides Exeter, 29:42, published 2025-09. Style: Talk. Transcript [en].

Good morning. It's a pleasure to be here at BSides, and thanks very much, Pete, for the invitation to speak. I always love coming to the south west of England. I used to spend childhood holidays down here with an aunt in Bath, so anywhere that's got Roman ruins feels like home to me. It's really great to be here.

What I'm going to speak about today: I was asked to talk about accelerating progress, so essentially how we can shift from reactive approaches in cyber security to more of a proactive approach. For those of you who were at Secure South West yesterday, you'll be familiar with some of the themes in this talk, and I'm really building on that. So this is really about resilience, but not just resilience at an organizational level; also at a societal level. I'll also be thinking about the systems thinking that we need to take to build more resilient organizations and democratic societies. So just to...
>> If I can get the clicky thing to work.
>> Okay.
>> Is that okay? I'm okay just using the...
>> It was you yesterday, was it?
>> It was a different laptop yesterday. Would you be okay just moving backwards and forwards for me, if that's okay, if we can't get this to work? Is that okay?
>> Okay.
>> Thanks very much.

So just to introduce myself: I'm a cyber security professional, like many of you are, and I've held a number of different roles in my career. The reason for showing you the progression that I've had since I started, working in systems development as a graduate trainee, is not to show you my CV. It's to show how we have changed. When I started in my career, I was

working on developing systems, so software engineering: really technical programming. And now I'm here speaking to you about democratic resilience and organizational resilience. And I think that shows how we've progressed in society, from cyber security and technology being a more technical concern to now being a societal imperative, that we think about resilience more broadly. So cyber security is not just a technical issue. It's something that matters to everyone in our society. And I think at a community event like BSides, you all know that already. That's why you're here on a Saturday morning. But that's a message that we need to get out more broadly as well. So personally, I've come from a very technical background, worked up through various roles, and essentially I am a technologist and a cyber security professional, and that's the basis on which I'm sharing my perspectives with you today. And it's working. Wonderful, thank you for fixing it.

So the theme of this talk is resilience, and resilience is the ability to adapt to, to recover from and, very importantly, to grow through the challenges and disruptions or adversity that we face. So when we think about cyber attacks, and many of you will have dealt with responding to cyber attacks (I know I've got my own personal stories around that), when we think about dealing with disruption, it's about continuing to operate, but we need to think more systemically as well about how we build resilience at a democratic level and also at an organizational level. So building true resilience needs us to think about the systems that we work within. It's that systems thinking approach that comes very naturally, I think, to a lot of people that work in cyber security. And it's recognizing the complexity and the interconnected nature of everything that we do. So we think about the community that we're part of, the organizations that we're part of, the society that we're part of: everything's connected. So how do we build resilience at all the different levels that we need to in order to deal with the very real challenges that we face? And we need resilient social and technical infrastructure in order to withstand disruption, recover from setbacks and prevent regression. And that social and technical aspect is important. So in this talk I'm going to talk about the social aspects and also about the technical aspects. I'm going to speak about democratic resilience and also about organizational resilience, from more of a security architecture perspective. But I'd invite you to keep in mind that we need to build resilient social and technical infrastructure in our societies and in our organizations.

So firstly, democratic resilience. We are currently in Exeter, which is in the United Kingdom. We are a democratic society, and civic integrity is something that's important to us and that we need to protect. We face a number of challenges, and these are not abstract challenges. These are very real challenges that we face and that many democratic societies throughout the world also face. So we see AI-enabled disinformation at scale. We see narrative attacks. We have declining trust in institutions. We see the erosion of rights and civil liberties. We see the weaponization of technology. And as cyber security professionals, when we think about the challenges that we're facing, it is often technology being weaponized. So technology can be used for good, and it can also be used for ill. It can be used against us. We see surveillance overreach, and we see concerns from citizens about a democratic deficit: transparency, accountability, responsiveness from our institutions. So these are all very real challenges that we face in democratic societies.

And democracy is a system. It's something that we co-create, that we design. But it's not just a system. It's more than that. It's also a shared agreement about how we live together. And I'd invite you to think about it in that sense, and to think about what it is that we're protecting, the democratic values that we are protecting, and why civic integrity is important to us. One quote that I'd invite you to reflect on is from the American philosopher John Dewey. He suggests that democracy has to be born anew every generation, and education is its midwife. And it's particularly appropriate to think on that when we sit in a forum in a university, where education and dialogue come naturally. We saw an excellent example yesterday of participatory democracy in action, with regulators and government speaking to citizens in this very room. And that is something that we need to take out further into our communities and into our societies.

So what are the possibilities for renewal? Because we have many challenges that we face. But rather than dwelling on the decline that we face, what can we do about it? And I would invite you to think: what if technology could be used to strengthen democracy? What if citizens, institutions and innovation could align? And what if digital spaces amplified trust and participation? So what might that look like if we were thinking not just about protection, not just about defending democracy, but also about co-creating and designing democracy for democratic futures? Because that's something that we can do now. We can look not just at the challenges that we face just now, but at how we prepare for the future. What kind of futures do we want? Does the future matter to us? I'm sure it does, because you're here on a Saturday morning speaking about cyber security. It matters to us. It matters to our children, to our families, to our friends. So what kind of futures can we

co-create together? I think there are three pathways that we can focus on when we think about resilience at the societal level.

So, from a democratic resilience perspective, firstly and fundamentally, empowered citizens are absolutely fundamental to a strong democracy. Digital literacy is the new civic skill. We need digital literacy not just in our schools, not just in our education system, but in our communities. As cyber security professionals, there are some experts in this room in security culture, in training and in awareness, and I think we need to broaden that into digital literacy as part of civic literacy. So that's absolutely fundamental to the strength of our democracy. We have been doing that in the cyber security community. We need to broaden that out and think about how we can help with digital literacy in our community and society more broadly. Part of that is educating citizens on their rights, so they understand rights to privacy. They understand how to deal with some of the online harms that we're dealing with. So education is absolutely fundamental, and we have the knowledge here. We're experts in this room. So we can take that knowledge and share it, and empower other citizens with the knowledge that we have. We need to equip citizens with the tools to critically engage with information ecosystems. So not to be passive recipients, but to critically engage with what's in the information environment, and support trusted media, open data and knowledge-sharing networks. So this is not separate to cyber security anymore. This is something that's absolutely fundamental to democratic resilience going forward. So that's the first pathway.

The second pathway (and these are pathways, so I'm not suggesting solutions; I'm just inviting you to think about what the conversations and solutions might look like) is tech that serves democracy. So transparent and explainable AI. Responsible AI is a democratic imperative. It's not just a nice-to-have. It's actually important to the future of a functioning democracy. We need inclusive and accountable design processes and enhanced civic participation in technology, and the protection of our digital rights. So, starting with understanding what our digital rights are, how do we protect them? And we need transparent and explainable systems.

And resilient institutions. So resilient institutions build trust. We need trusted digital infrastructure. Cyber security is part of building that: trustworthiness, transparency, accountability and responsiveness, and cross-sector collaboration for resilience, exactly as we have at an event like this, with people coming from many different sectors and organizations and backgrounds, and we need to see that more broadly. So resilience is the foundation of trust. Now, this is not easy. These are societal challenges at scale, but we need to start thinking about what the pathways are to democratic resilience and renewal. And I would suggest that these are areas where we can start.

And fundamental to all of this is the role of leadership. So, not just leadership for what we face today, not just responding to cyber attacks or dealing with the day-to-day leadership that we need to do in our organizations and communities, but leadership for the future as well. So, future-focused thinking about anticipatory governance; we touched on that yesterday. The role of responsible innovation, and fostering the conditions for meaningful progress. So the health of our democracy depends on its digital foundations.

This is the Acropolis in Athens. This was built over 2,000 years ago. And this symbolism and representation was the Athenian ideal of resilience and elegance in their society. What digital technologies, what futures are we building with the technologies that we're creating today? And anticipatory governance is not just thinking about governance today, but governance for the future. We can lead with imagination and vision, not fear. And we've moved away from narratives of fear, uncertainty and doubt in cyber security. We need to broaden that out to technology more broadly. Accelerating progress towards a safe, free, fair democratic future. Democratic innovations can improve the quality of democratic representation, governance and inclusion. And we can co-create democracy through innovations that strengthen representation and governance. We don't need to dwell just on the decline that we see. We can think about how we can innovate for the future.

So, we're not just defending democracy. We're shaping resilient futures together. And that's a responsibility that we have and that we have to take seriously, given the challenges and the threats that we face. So, for those of you who are familiar with this quote, from Carl von Clausewitz: every age has its own kind of war, its own limiting conditions and its own peculiar preconceptions. And we live in an age where technology and the information environment are being weaponized. And it's important that we recognize this and we think about the question: how do we shape the conditions of the age that we live in so that progress is accelerated, not just preserved? We see how quickly rights can be eroded. How do we shape the conditions of the society and the age that we live in, and governance with foresight? So tackling the next problems, not just the current one, is absolutely critical, given the pace of technological change that we're dealing with. The World Economic Forum has written more about this. If you want to look into it, I invite you to look at the reference there. But really, we need to build the right foundations for resilience. We need to improve our preparedness to navigate uncertainty for the future. And we need to be able to respond to whatever futures emerge. So we need that agility. And these are just principles. We need to build frameworks.

We need to build much more around this. But I invite you to think about anticipatory governance as something that is important to our society for democratic resilience.

Now, that's at the societal level. That's thinking about democratic resilience. So, as I said at the start, this is all connected. We need to think about the systems as a whole, from a systems thinking perspective. In our organizations, we need to build resilience as well. We also need to think about personal resilience, but that's not a topic for this talk. But from an organizational resilience perspective, what can we do? So the same themes apply: thinking about governance and leadership, but thinking at a different level, at an organizational level, when we work as security professionals within our organizations.

There's a UK Cyber Governance Code of Practice that has been published this month. It covers everything that organizations, or people responsible for managing cyber risk in the UK, need to do in order to perform those duties effectively, and I encourage you to think about how this can be operationalized in the organizations that you work in. So this is a code of practice, best practice: risk management, strategy, people, incident planning, response and recovery, and assurance and oversight. That provides a blueprint, a framework, call it what you like, for governance within organizations, and there's much more available about that as well in the references that I've given there. It's complementary to Cyber Essentials and to other schemes, but it helps with the governance challenges that we have in many organizations, and it helps us to build resilience. So when we think about resilience in organizations, we need to think about governance and leadership as critical to it. The Cyber Assessment Framework: many of you will be aware of it, or you may already be doing it in your professional lives, but that complements the code of governance at a different level. So it's thinking about how we can take a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the responsible organizations. So at an organizational level: thinking about the code of practice for governance, thinking about the CAF, also thinking about Cyber Essentials; building blocks that we can put in place from a governance and leadership perspective within organizations.

And architecture. So when we're designing for the future, we need strong foundations when we're thinking about what we are doing: how we build not just resilient social infrastructure, but how we build resilient technical infrastructure. We need to think about security architecture. We need to think about more than security architecture, but because this is a conference for cyber security professionals, I'll focus on this topic. But architecture, building strong foundations in our organizations, is absolutely critical. So we come historically from the castle-and-moat type of approaches to network security, more than network security, where the threats are outside and that's what we're defending against. And we need to start on that journey to more modern security architectures. And that's a challenge, because we're often dealing with legacy technologies, hybrid environments, lots of complexity. So where do we start on that journey? And I think we need to think about it as a journey that we're on in our organizations, and we need to lead that as cyber security professionals. Where are we starting from? Where are we going to? What do we need to get there? But it's a journey that we need to start to take, not just from a democratic resilience perspective but also from an organizational resilience perspective. So I would suggest that foregrounding security architecture is something that we could do. When we're speaking about pathways at a societal level, this is a pathway that we can take at an organizational level, along with the code of governance, along with the CAF, along with Cyber Essentials.

So we face a situation now where, especially since the pandemic and the opening up of digital transformation and access, we have perimeterless IT environments. So that concept of inside and outside doesn't work anymore. If an attacker breaches your network boundaries, then you really need to think about moving towards more zero trust architecture models in order to limit the damage that can be done. Because when we think about the current threat landscape, what we face currently, strategic compromise of critical systems, when we think about the threat actors, the persistent threats that we face in our networks today, we need to take a long view about how we build resilience. It's not just responding to attacks as they happen. It's thinking about how we can build resilience against these persistent threats, things like pre-positioning attacks that are within our networks now. So in order to do that, security architecture, and that journey towards zero trust security architectures, is fundamental. So at the start of this, in the first part of this presentation, I spoke about a high-trust culture: having trust in our institutions, in our societies, trust in each other, agreeing how we live together. This is really thinking about zero trust from a technical architecture perspective. But it has to be coupled with that high-trust culture, where it's a very positive security culture and people are happy to speak up, to speak to each other, to learn lessons, to share concerns and learnings. So within our organizations, we can make this a strategic goal: a framework based

on zero trust principles, supported by technical reference architectures and a maturity roadmap, because we're all starting from different positions, that can be used to plan your own journey to zero trust in what is often a very complex hybrid environment. So that is a very clear and helpful starting point, I would suggest, for building our technical strategies within our organizations.

What is zero trust? I would refer to the NIST publication there, which I've referenced, so you can look it up in more detail. Definitions of zero trust and zero trust architecture are provided. What I want to focus on here, conscious of the time that I have, is not the technical details of it, but I'm more than happy to share the slides later. It's the principles that we can apply. So taking that principles-based approach. It's not one-size-fits-all in all organizations. So there are two particular sources that I would refer you to. One is NIST SP 800-207, which has what are called the zero trust tenets. Within the UK, conscious that we are within the UK, the National Cyber Security Centre has a set of guiding principles that have been published. So this is not telling us what we have to do; it's setting out principles that we can then think about how we adapt and operationalize in our organizations.

So these principles, taking that principles-based approach, provide an excellent starting point, and it starts with knowing your architecture, knowing your users, your services, your device identities, assessing user behaviour, using policies, and there's much more guidance available. It's all on the website there. But I think the point that I want to make here is that we can take that strategic approach, and then take these principles and apply them within our organizations. And that provides us with a roadmap for the journey that we need to take towards modern security architectures. So it's about proactive security. It's about moving from the reactive approach that often we have to take, because there are so many cyber attacks. Cyber attacks are always happening. We're always responding to the next one, trying to firefight. How do we get ahead? How do we, going back to that idea of anticipatory governance, deal not just with the problem that we have here and now, but start thinking ahead at the same time? Because we need to be planning ahead as well as dealing with what's happening to us here and now. And that journey towards zero trust provides us with a starting point for proactive security.

And the most important point about this is not the technical details, although it is very technical, and building the architectures is something that is a very technical and complex task. This is a mindset shift as well in our organization. So going back to the point about systems thinking, it all ties in. So we need that culture shift, that moving from reactive to proactive, at every level. And we've got to tailor that communication. So when it's at a societal level and we're speaking about moving from reactive to proactive, we're speaking about democratic resilience, civic integrity. At a technical level, it's a journey towards zero trust architectures. And there will be much more than just this. You will have your own ideas about how we do that mindset shift at a societal level and at an organizational level. But the key point is that we need to start to do it, and we need to do it in language and in terms that resonate with our stakeholders and the people that we're speaking to. And we need to do it at a whole-system level. So thinking at a societal level, at an organizational level, at a departmental level, at a community level, and we need to think about how we achieve the goals, but how we do that in different contexts.

So from a security architecture perspective, zero trust is a journey to a modern security architecture. So we need to start to build modern security architectures. We have an internet that was not secure by design; it was not designed to be secure. We need to start to think about how we move towards modern architectures that are proportionate, that are designed for what we're trying to protect, and that's different depending on the organization. And taking a risk-based approach is of course perfectly compatible with the journey towards a modern security architecture. So moving away from compliance cultures towards that risk-based approach is absolutely fundamental to this. You can layer in zero trust approaches. It's not either/or. It's all complementary. It's a toolkit that we can use, and it's fully compatible with hybrid environments. So you don't just need to wait for shiny new environments to do this. This can be done with legacy environments, with hybrid environments, and a framework based on zero trust principles, supported by technical reference architectures and a roadmap, can be used to plan this journey in your own particular organizational context. So security is always dependent on context, and thinking about the context that we're operating in is fundamental to doing this effectively at an organizational level.

So, just finally, since I'm being given the time warning card, I would suggest that to be resilient by design is to be democratic by design. So we need to think intentionally about how we're designing, how we're shaping democratic futures. We need to think about what's important to us, the democratic values that are important to us as a society, what we're trying to protect, the civic integrity that we're trying to protect. And then we also need to think about how we plan and design intentionally in organizational contexts. And that journey to modern security architectures is one path towards doing that. There will be others, and I look forward to seeing many more presentations throughout today and at future events where other people suggest ways in which we can achieve these goals as well. So thank you very much for your time. I'm more than happy to take questions. I think we've got some time for questions, hopefully.
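As an added illustration of the zero trust principles the talk lists (know your users, services and device identities, assess behaviour, authorise through policy), and not code from the talk, the slides, NIST SP 800-207 or the NCSC, here is a small Python policy decision function placed beside a castle-and-moat check. It shows the point the talk makes about perimeterless environments: the zero trust evaluator never looks at where a request came from, so a request from inside the network gets no more trust than one from the internet. The device inventory, roles, policy table and sample requests are constructed for the example; the IP addresses use private and documentation ranges.

```python
"""Per-request access decisions: castle-and-moat versus zero trust principles.

Added example, not code from the talk. Inventory, roles, policy and requests
are constructed sample data; the checks follow the principles the talk names
(know your users, devices and services; assess behaviour; use policies).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    service: str
    action: str      # "read" or "write"
    source_ip: str
    mfa: bool        # whether the session completed multi-factor authentication


# --- constructed inventory and policy (assumptions for the example) ---
# Known devices: who each is issued to and whether posture checks currently pass.
DEVICES = {
    "lt-alice-01": {"owner": "alice", "healthy": True},
    "lt-bob-01":   {"owner": "bob",   "healthy": True},
    "lt-bob-02":   {"owner": "bob",   "healthy": False},  # e.g. patches missing
}
ROLES = {"alice": {"finance"}, "bob": {"hr"}}
# Policy: which roles may perform which action on which service.
POLICY = {
    "finance-api": {"read": {"finance"}, "write": {"finance"}},
    "hr-api":      {"read": {"hr", "finance"}, "write": {"hr"}},
}
INTERNAL = ip_network("10.0.0.0/8")


def perimeter_decide(req: Request) -> str:
    """Castle-and-moat model: anything on the internal network is trusted."""
    return "allow" if ip_address(req.source_ip) in INTERNAL else "deny"


def zero_trust_decide(req: Request) -> tuple[str, str]:
    """Evaluate every request on identity, device, behaviour and policy.

    Network location is deliberately not an input, so a request from inside
    the network is held to exactly the same checks as one from outside.
    """
    # Know your users: only identities present in the directory may proceed.
    roles = ROLES.get(req.user)
    if roles is None:
        return "deny", "unknown user"
    # Know your devices: the device must be in inventory and pass posture checks.
    device = DEVICES.get(req.device_id)
    if device is None:
        return "deny", "unknown device"
    if not device["healthy"]:
        return "deny", "device failed posture check"
    # Assess behaviour: a user presenting someone else's device is a signal.
    if device["owner"] != req.user:
        return "deny", "device not issued to this user"
    # Know your services and use policies: the target must have an explicit rule.
    allowed_roles = POLICY.get(req.service, {}).get(req.action)
    if allowed_roles is None:
        return "deny", "no policy for service/action"
    if not roles & allowed_roles:
        return "deny", "role not authorised by policy"
    # Step-up authentication for write operations.
    if req.action == "write" and not req.mfa:
        return "deny", "MFA required for write"
    return "allow", "identity, device and policy checks passed"


def compare(req: Request) -> tuple[str, tuple[str, str]]:
    """Return both models' decisions for one request, for side-by-side review."""
    return perimeter_decide(req), zero_trust_decide(req)


if __name__ == "__main__":
    samples = [
        # Inside the network, but on a device nobody knows about.
        Request("alice", "unknown-laptop", "finance-api", "read", "10.0.5.5", False),
        # Remote, but a known user on her own healthy device with MFA.
        Request("alice", "lt-alice-01", "finance-api", "write", "203.0.113.9", True),
    ]
    for r in samples:
        print(r.source_ip, r.device_id, "->", compare(r))
```

The first sample request is the case the talk describes: an attacker already past the network boundary. The perimeter model allows it because the source address is internal; the zero trust evaluator denies it because the device is not in inventory, which is the kind of damage limitation the talk has in mind.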


>> Just turn it on, shall I? Firstly, thank you for a brilliant opening keynote, full of insight and information. I don't disagree with anything you said. I work in defence and government and have done for a very long time, and have been the harbinger of doom, or at least it feels like it, trying to right-size our risk approaches. In many respects, resilience costs money. And in a time when finances are constrained, and when defence is suddenly realizing that it can't rely on a single point of failure like the US, for example, we seem to learn the lessons after the fact, after the disaster, after the event, which costs even more money. How do we educate our leaders, and more importantly our policy makers, to reverse that trend?

>> Yeah, I think that's such a critical point. And that's fundamental to that mindset shift, thinking about moving from reactive to proactive approaches. I think that's the core of the challenge that we face. So learning lessons, embedding those lessons, having a positive culture, I think is important, and to me it comes back to leadership. So leadership at a societal level, at an organizational level. We need to have positive cultures that encourage speaking up, sharing lessons, not just after incidents; constantly, we should all be learning and sharing, and that's leadership. So leadership skills training, if that's not happening in an organization, that's where I would start, because the tone is set at the top: encouraging people to learn lessons, to grow, to develop, to progress. That doesn't cost money, necessarily. That is something that we can do with good, strong leadership, and there are many excellent examples of that in organizations, in government, and we need to see more of that. And I think one thing that we can do is to think about where is that working well. So what are the role-model case studies, if you like, of people that are doing that really well, and start to share that at a societal level, so that others that are responsible in organizations look at that. I think the government's Code of Practice is really helpful, because there's guidance now on what needs to be done across all of the areas that we need to think about for cyber risk. I actually think it should be broadened out to technology risk more broadly, hopefully. But that provides a code of practice. So that's best practice, and then it comes down to leadership in order to embed that at an organizational and societal level. And it's culture change, and it's something that leaders are responsible for. But I think it's such a fundamental point. I think it goes to the core of the change that we need to see, to move from reactive to proactive. So thank you for raising that.

>> Any more questions? Any more questions? We saw a hand earlier? Thank you. Give a round of applause.
>> Thank you.