SlideShare a Scribd company logo

Security by default - Building continuous cyber-resilience.

Thoughtworks, profile picture
Thoughtworks

The document discusses the importance of cyber resilience, highlighting the need for organizations to prepare for and respond to cyber threats as part of their ongoing operations and culture. It emphasizes the shift from traditional cybersecurity to a more adaptive and holistic approach, incorporating concepts like zero trust architecture. The text also touches on the complexities of modern systems and the necessity for businesses to maintain a balance of acceptable risk while engaging with various user interactions.

Technology
Related topics:
Cyber-Security Cyber Attacks Digital TransformationProduct Development
1 of 32
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Security by default - is it possible? Are we on the edge of the abyss
Today ● Why? ● Resilience ● Building Blocks ● Future
“Cyber resilience refers to an entity's ability to continuously deliver the intended outcome despite adverse cyber events.”
Source: https://norse-corp.com/map/
Security by default - Building continuous cyber-resilience.
Traditional Software Security ● Risk analysis ● Give security requirements ● Set infrastructure standards ● Define compliance & policies A lot of changes Who is taking care of security?
“We need a cybersecurity renaissance in this country that promotes cyber hygiene and a security centric corporate culture applied and continuously reinforced by peer pressure” - James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology
● Direct and Indirect attacks ● Privacy vs Transparency ● How do you control social media? ○ Hint: Consider carefully ● Did you find GDPR difficult? ○ Or are you just hoping no-one looks ● Someone or something intelligent is out there Here’s looking at you…!
Resilience during exponential change
40 years of Processor Performance Source: John Hennessey and David Patterson, Computer Architecture A Quantitative Approach, 2018
Security by default - Building continuous cyber-resilience.
What is resilience Cyber resilience helps businesses to recognize that hackers have the advantage of innovative tools, element of surprise, target and can be successful in their attempt. This concept helps business to prepare, prevent, respond and successfully recover to the intended secure state. This is a cultural shift as the organization sees security as a full-time job and embedded security best practices in day-to-day operations. In comparison to cyber security, cyber resilience requires the business to think differently and be more agile on handling attacks.
Resilience during exponential change
CD: Fundamental building block Commit Stage Compile Unit Test Analysis Build Installers Automated Capacity Testing Automated Acceptance Testing Manual Testing Showcases Exploratory Testing Release
Security by default - Building continuous cyber-resilience.
Product Owner Experience Designer Business Analyst Developer Tech lead Project Manager Security Analyst Infrastructure Consultant Build security in: Everyone responsible QA
Security by default - Building continuous cyber-resilience.
Risk
“If you know almost nothing, almost anything will tell you something” - Douglas W. Hubbard
Risk: Quantify not Qualify
We need to maintain the balance of acceptable risk
Inherent Risk – Impact Assessment? ● What data is stored or processed by system? ● What is the reason for storing? ● What is the sensitivity? ● What services are provided by the system? ● What is the purpose of those services? ● What is the sensitivity? (Business critical? Safety sensitive?) ● What types of users or third parties interact with the system ○ What is the purpose these interactions? ○ What can we say about our trust these users or third parties?
Source: https://logrhythm.com/blog/what-is-the-zero-trust-model-for-cybersecurity/
Zero Trust Architecture, also referred to as Zero Trust Network or simply Zero Trust, refers to security concepts and threat model that no longer assumes that actors, systems or services operating from within the security perimeter should be automatically trusted, and instead must verify anything and everything trying to connect to its systems before granting access.
The end of simplicity How the future is more complex than it might appear
A complex adaptive system is a system in which a perfect understanding of the individual parts does not automatically convey a perfect understanding of the whole system's behaviour. -Miller et. al 2007
Butterfly Effect
Butterfly Effect Emergence
Adaption Source: Hiroki Sayama, D.Sc., Collective Dynamics of Complex Systems (CoCo) Research Group at Binghamton University, State University of New York
Security by default - Building continuous cyber-resilience.
Security by default - Building continuous cyber-resilience.
Dave Elliman Global Head of Technology, ThoughtWorks Thank you

More Related Content

PPTX
Alice has a Blue Car: Beginning the Conversation Around Ethically Aware Decis...
Thoughtworks
 
PDF
Do No Harm: Do Technologists Need a Code of Ethics?
Thoughtworks
 
PDF
Hardware is hard(er)
Thoughtworks
 
PPTX
Technology Radar Webinar UK - Vol. 22
Thoughtworks
 
PDF
The layperson's guide to software architecture
Thoughtworks
 
PPTX
Security and Mobility Co Create Week Jakarta
Stefan Streichsbier
 
PPTX
Super Symposium - Art of the possible
Steve Woodward
 
PPTX
EXTENT-2017: Putting AI to Test
Iosif Itkin
 
Alice has a Blue Car: Beginning the Conversation Around Ethically Aware Decis...
Thoughtworks
 
Do No Harm: Do Technologists Need a Code of Ethics?
Thoughtworks
 
Hardware is hard(er)
Thoughtworks
 
Technology Radar Webinar UK - Vol. 22
Thoughtworks
 
The layperson's guide to software architecture
Thoughtworks
 
Security and Mobility Co Create Week Jakarta
Stefan Streichsbier
 
Super Symposium - Art of the possible
Steve Woodward
 
EXTENT-2017: Putting AI to Test
Iosif Itkin
 

What's hot (20)

PDF
Designers, Developers & Dogs
Thoughtworks
 
PDF
Playing Nice in the Product Playground #StrataHadoop
Intuit Inc.
 
PDF
Project Guidelines
tipfutures2011
 
PPT
Semantech Inc. InnovationWorx
Stephen Lahanas
 
PPTX
Grasping the Future: Virtual Hands Control for Fine Motor Tasks
Ronald Punako, Jr.
 
PDF
IoT Meetup Stockholm - Designing Connected Products
Martin Charlier
 
PDF
NUS-ISS Learning Day 2019-The Power of Data Visualisation
NUS-ISS
 
PPT
O'Reilly Webcast: Ten Things Every Software Architect Should Know
O'Reilly Media
 
PDF
Designing Connected Products - Web Directions 2015 Sydney
Martin Charlier
 
PDF
Prototyping Experiences for Connected Products
Martin Charlier
 
PPTX
Decision Intelligence: How AI and DI (and YOU) are Evolving to the Next Level
Lorien Pratt
 
PPTX
Semantech 2014 Corporate Capabilties
Stephen Lahanas
 
PDF
Why So Many ML Models Don't Make It To Production?
UXDXConf
 
PDF
When we design together
Thoughtworks
 
PDF
SDNs for the Enterprise
Open Networking Summits
 
PDF
Design Thinking for Data Science #StrataHadoop
Intuit Inc.
 
PDF
Customer-centric innovation enabled by cloud
Thoughtworks
 
PDF
What is a Creative Technologist?
Simon Whatley
 
PDF
Why happier developers create more secure code
DJ Schleen
 
PDF
Machine Learning for Product Managers
Thoughtworks
 
Designers, Developers & Dogs
Thoughtworks
 
Playing Nice in the Product Playground #StrataHadoop
Intuit Inc.
 
Project Guidelines
tipfutures2011
 
Semantech Inc. InnovationWorx
Stephen Lahanas
 
Grasping the Future: Virtual Hands Control for Fine Motor Tasks
Ronald Punako, Jr.
 
IoT Meetup Stockholm - Designing Connected Products
Martin Charlier
 
NUS-ISS Learning Day 2019-The Power of Data Visualisation
NUS-ISS
 
O'Reilly Webcast: Ten Things Every Software Architect Should Know
O'Reilly Media
 
Designing Connected Products - Web Directions 2015 Sydney
Martin Charlier
 
Prototyping Experiences for Connected Products
Martin Charlier
 
Decision Intelligence: How AI and DI (and YOU) are Evolving to the Next Level
Lorien Pratt
 
Semantech 2014 Corporate Capabilties
Stephen Lahanas
 
Why So Many ML Models Don't Make It To Production?
UXDXConf
 
When we design together
Thoughtworks
 
SDNs for the Enterprise
Open Networking Summits
 
Design Thinking for Data Science #StrataHadoop
Intuit Inc.
 
Customer-centric innovation enabled by cloud
Thoughtworks
 
What is a Creative Technologist?
Simon Whatley
 
Why happier developers create more secure code
DJ Schleen
 
Machine Learning for Product Managers
Thoughtworks
 
Ad

Similar to Security by default - Building continuous cyber-resilience. (20)

PPTX
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
John D. Johnson
 
PDF
David Bray - Why Cyber-Resiliency Matters: Unprecedented Exponential Changes
SUCanadaSummit
 
PDF
Introduction to Cyber Resilience
Peter Wood
 
PDF
Presentation- Introduction to Cybersecurity.pdf
fizarcse
 
PDF
2019 10-22 axio - taking control of cyber risk - grid-seccon
Axio
 
PPTX
The 2018 Threatscape
Peter Wood
 
PDF
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
AT-NET Services, Inc. - Charleston Division
 
PPTX
Jack Whitsitt - Yours, Anecdotally
EnergySec
 
PPTX
Robert Lentz - CSO Perspectives Roadshow 2016
CSO_Presentations
 
PDF
The Evolution of Cybersecurity in Software Development for 2025
ScalaCode
 
PPTX
Iurii Garasym. The future crimes and predestination of cyber security. Though...
IT Arena
 
PDF
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Capgemini
 
PPTX
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 
PPTX
Architecting trust in the digital landscape, or lack thereof
Jonathan Sinclair
 
PPTX
NZISF Talk: Six essential security services
Hinne Hettema
 
PPT
December ISSA Meeting Executive Security Presentation
whmillerjr
 
PDF
Cybersecurity Basics - Aravindr.com
Aravind R
 
PDF
ScotSecure Cyber Security Summit 2025 Edinburgh
Ray Bugg
 
PPTX
Zero-Trust-Architecture-Reimagining-Network-Security.pptx
yash98012
 
PDF
Citrix security booklet
Benjamin Jolivet
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
John D. Johnson
 
David Bray - Why Cyber-Resiliency Matters: Unprecedented Exponential Changes
SUCanadaSummit
 
Introduction to Cyber Resilience
Peter Wood
 
Presentation- Introduction to Cybersecurity.pdf
fizarcse
 
2019 10-22 axio - taking control of cyber risk - grid-seccon
Axio
 
The 2018 Threatscape
Peter Wood
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
AT-NET Services, Inc. - Charleston Division
 
Jack Whitsitt - Yours, Anecdotally
EnergySec
 
Robert Lentz - CSO Perspectives Roadshow 2016
CSO_Presentations
 
The Evolution of Cybersecurity in Software Development for 2025
ScalaCode
 
Iurii Garasym. The future crimes and predestination of cyber security. Though...
IT Arena
 
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Capgemini
 
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 
Architecting trust in the digital landscape, or lack thereof
Jonathan Sinclair
 
NZISF Talk: Six essential security services
Hinne Hettema
 
December ISSA Meeting Executive Security Presentation
whmillerjr
 
Cybersecurity Basics - Aravindr.com
Aravind R
 
ScotSecure Cyber Security Summit 2025 Edinburgh
Ray Bugg
 
Zero-Trust-Architecture-Reimagining-Network-Security.pptx
yash98012
 
Citrix security booklet
Benjamin Jolivet
 
Ad

More from Thoughtworks (20)

PDF
Design System as a Product
Thoughtworks
 
PDF
Cloud-first for fast innovation
Thoughtworks
 
PDF
More impact with flexible teams
Thoughtworks
 
PDF
Culture of Innovation
Thoughtworks
 
PDF
Dual-Track Agile
Thoughtworks
 
PDF
Developer Experience
Thoughtworks
 
PDF
Amazon's Culture of Innovation
Thoughtworks
 
PDF
When in doubt, go live
Thoughtworks
 
PDF
Don't cross the Rubicon
Thoughtworks
 
PDF
Error handling
Thoughtworks
 
PDF
Your test coverage is a lie!
Thoughtworks
 
PDF
Docker container security
Thoughtworks
 
PDF
Redefining the unit
Thoughtworks
 
PDF
A Tribute to Turing
Thoughtworks
 
PDF
Rsa maths worked out
Thoughtworks
 
PDF
Making best-in-class security ubiquitous - Why security is no longer just an ...
Thoughtworks
 
PDF
How to tell secrets
Thoughtworks
 
PDF
Continuous Delivery for Machine Learning
Thoughtworks
 
PDF
Holistic approach to cloud adoption
Thoughtworks
 
PDF
Ada Lovelace Day 2019 - Sydney
Thoughtworks
 
Design System as a Product
Thoughtworks
 
Cloud-first for fast innovation
Thoughtworks
 
More impact with flexible teams
Thoughtworks
 
Culture of Innovation
Thoughtworks
 
Dual-Track Agile
Thoughtworks
 
Developer Experience
Thoughtworks
 
Amazon's Culture of Innovation
Thoughtworks
 
When in doubt, go live
Thoughtworks
 
Don't cross the Rubicon
Thoughtworks
 
Error handling
Thoughtworks
 
Your test coverage is a lie!
Thoughtworks
 
Docker container security
Thoughtworks
 
Redefining the unit
Thoughtworks
 
A Tribute to Turing
Thoughtworks
 
Rsa maths worked out
Thoughtworks
 
Making best-in-class security ubiquitous - Why security is no longer just an ...
Thoughtworks
 
How to tell secrets
Thoughtworks
 
Continuous Delivery for Machine Learning
Thoughtworks
 
Holistic approach to cloud adoption
Thoughtworks
 
Ada Lovelace Day 2019 - Sydney
Thoughtworks
 

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
KodekX | Application Modernization Development
KodekX
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Approach and Philosophy of On baking technology
30anthuong17
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Teaching material agriculture food technology
LiaRayya
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 

Security by default - Building continuous cyber-resilience.

  • 1. Security by default - is it possible? Are we on the edge of the abyss
  • 2. Today ● Why? ● Resilience ● Building Blocks ● Future
  • 3. “Cyber resilience refers to an entity's ability to continuously deliver the intended outcome despite adverse cyber events.”
  • 6. Traditional Software Security ● Risk analysis ● Give security requirements ● Set infrastructure standards ● Define compliance & policies A lot of changes Who is taking care of security?
  • 7. “We need a cybersecurity renaissance in this country that promotes cyber hygiene and a security centric corporate culture applied and continuously reinforced by peer pressure” - James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology
  • 8. ● Direct and Indirect attacks ● Privacy vs Transparency ● How do you control social media? ○ Hint: Consider carefully ● Did you find GDPR difficult? ○ Or are you just hoping no-one looks ● Someone or something intelligent is out there Here’s looking at you…!
  • 10. 40 years of Processor Performance Source: John Hennessey and David Patterson, Computer Architecture A Quantitative Approach, 2018
  • 12. What is resilience Cyber resilience helps businesses to recognize that hackers have the advantage of innovative tools, element of surprise, target and can be successful in their attempt. This concept helps business to prepare, prevent, respond and successfully recover to the intended secure state. This is a cultural shift as the organization sees security as a full-time job and embedded security best practices in day-to-day operations. In comparison to cyber security, cyber resilience requires the business to think differently and be more agile on handling attacks.
  • 14. CD: Fundamental building block Commit Stage Compile Unit Test Analysis Build Installers Automated Capacity Testing Automated Acceptance Testing Manual Testing Showcases Exploratory Testing Release
  • 16. Product Owner Experience Designer Business Analyst Developer Tech lead Project Manager Security Analyst Infrastructure Consultant Build security in: Everyone responsible QA
  • 18. Risk
  • 19. “If you know almost nothing, almost anything will tell you something” - Douglas W. Hubbard
  • 21. We need to maintain the balance of acceptable risk
  • 22. Inherent Risk – Impact Assessment? ● What data is stored or processed by system? ● What is the reason for storing? ● What is the sensitivity? ● What services are provided by the system? ● What is the purpose of those services? ● What is the sensitivity? (Business critical? Safety sensitive?) ● What types of users or third parties interact with the system ○ What is the purpose these interactions? ○ What can we say about our trust these users or third parties?
  • 24. Zero Trust Architecture, also referred to as Zero Trust Network or simply Zero Trust, refers to security concepts and threat model that no longer assumes that actors, systems or services operating from within the security perimeter should be automatically trusted, and instead must verify anything and everything trying to connect to its systems before granting access.
  • 25. The end of simplicity How the future is more complex than it might appear
  • 26. A complex adaptive system is a system in which a perfect understanding of the individual parts does not automatically convey a perfect understanding of the whole system's behaviour. -Miller et. al 2007
  • 29. Adaption Source: Hiroki Sayama, D.Sc., Collective Dynamics of Complex Systems (CoCo) Research Group at Binghamton University, State University of New York
  • 32. Dave Elliman Global Head of Technology, ThoughtWorks Thank you