Cyber Security Leadership

Applying Lean practices to security

Photo by siddhu2020 https://flic.kr/p/61m23G

I had an opportunity to follow the Lean Silver Belt pathway of Cardiff University’s Lean Competency System and work with a coach to deliver measurable business process improvement in the workplace. This resulted in significant cost savings for the business and was supported by the official accreditation.

A lot of it is to do with the mindset: spotting inefficiencies, eliminating waste and continuous improvement are at the core of the approach. It’s also about applying these concepts and techniques to real world challenges.

NISTIR 7756 Contextual Description of the CAESARS System

Knowing your existing assets, threats and countermeasures is a necessary step in establishing a starting point to begin prioritising cyber risk management activities. Indeed, when driving the improvement of the security posture in an organisation, security leaders often begin with getting a view of effectiveness of security controls.

A common approach is to perform a security assessment that involves interviewing stakeholders and reviewing polices in line with a security framework (e.g. NIST CSF).

A report is then produced presenting the current state and highlighting the gaps. It can then be used to gain wider leadership support for a remediation programme, justifying the investment for security uplift initiatives. I wrote a number of these reports myself while working as a consultant and also internally in the first few weeks of being a CISO.

These reports have a lot of merits but they also have limitations. They are, by definition, point-in-time: the document is out of date the day after it’s produced, or even sooner. The threat landscape has already shifted, state of assets and controls changed and business context and priorities are no longer the same.

Scaled Agile Framework (SAFe) provides a way for the entire organisation to work in an agile way, not only software engineers. Security professionals, lawyers, compliance specialists and procurement teams are encouraged to engage in sprints (or ‘iterations’) too. You don’t have to write code to participate in a retrospective.

I recently had an opportunity to apply some of the Agile practices in my latest cyber security projects while going through formal Leading SAFe training at work.

Many ideas are not new, especially if you worked with Scrum previously, but they don’t have to be in order to be effective. The framework serves more as a collection of principles and a menu of techniques that can be used to transform large organisations that have ‘always done things that way’.

Over the years I’ve had the opportunity to acquire multiple professional certifications in cloud security, project management, industrial control systems security, data privacy, architecture and more.

Passing an exam, of course, doesn’t make you an expert: a credential itself doesn’t always guarantee skill. However, I found the process of studying for one rewarding in itself.

It helps structure your existing knowledge and learn a few new things that you could’ve otherwise missed along the way. Combining your prior practical skills with some of the good practices at the heart of these certification paths also allows for continuous improvement.

I write about how to pass some of these exams on this site, so feel free to get in touch if you would like to discuss my preparation strategies and exam tips.

Supply chain security

Asset management is often regarded as the foundation of a security programme. You can’t protect something that you don’t know you have. This extends beyond internal systems to your organisation’s partners. Depending on the line of business, supply chains can get increasingly complex. They include vendors, manufacturers, retailers and distributors in multiple geographies and regulatory regimes. Securing such a network is no easy task and should start with visibility and careful risk management.

I previously wrote about the complexity of communication and the multi-faceted nature of the CISO role. Combining these perspectives, I would like to give an overview of what a communication strategy might look like for a security leader.

A Causal Loop Diagram of The Happy Path Testing Pattern, Acquisition Archetypes, Carnegie Mellon University

Product security is more than running code scanning tools and facilitating pentests. Yet that’s what many security teams focus on. Secure coding is not a standalone discipline, it’s about developing systems that are safe. It starts with organisational culture, embedding the right behaviours and building on existing code quality practices.

I recently had a chance to collaborate with researchers at The Optus Macquarie University Cyber Security Hub. Their interdisciplinary approach brings industry practitioners and academics from a variety of backgrounds to tackle the most pressing cyber security challenges our society and businesses face today.

Both academia and industry practitioners can and should learn from each other. The industry can guide problem definition and allow access to data, but also learn to apply the scientific method and test their hypotheses. We often assume the solutions we implement lead to risk reduction but how this is measured is not always clear. Designing experiments and using research techniques can help bring the necessary rigour when delivering and assessing outcomes.

I had an opportunity to work on some exciting projects to help build an AI-powered cyber resilience simulator, phone scam detection capability and investigate the role of human psychology to improve authentication protocols. I deepened my understanding of modern machine learning techniques like topic extraction and emotion analysis and how they can be applied to solve real world problems. I also had a privilege to contribute to a research publication to present our findings, so watch this space for some updates next year.

Skills development

While in quarantine after arriving in Australia, I had a chance to catch-up on some learning.

I completed two specialisation tracks on Coursera offered by Macquarie Business School as part of their Global MBA programme. The courses covered a variety topics, including negotiations, change management, storytelling, board engagement, innovation, strategic management, sustainability, supply chains and more.

Some exciting news – I have relocated to Australia 🇦🇺

I’m honoured to be awarded the Distinguished Talent (now called Global Talent) visa for my ‘internationally recognised record of exceptional and outstanding achievement’ in cyber security.

Although I will miss the UK, my friends and colleagues there, I look forward to the next adventures in Sydney.

Cyber Security Leadership

Applying Lean practices to security

Continuous security monitoring

Agile security at scale

Professional certifications

Supply chain security

Communication strategy for security leaders

Product security

Collaborating with the Optus Macquarie University Cyber Security Hub

Skills development

Welcome to Australia