Enterprise Architecture Podcast

Secure by Design: Enterprise Architectures Role in Securing the Enterprise

October 09, 2022 Bizzdesign

In this episode we speak to Simon Cross. Simon is a seasoned enterprise and security architect who previously held senior positions with organizations such as NatWest Banking Group, Lloyds Banking Group, BAE Systems, and Hewlett Packard. Simon is now Head of Security Solutions here at Bizzdesign, and today he introduces the initiative he leads here: Secure by Design.

We would also like to let you know, as we hopefully move beyond COVID, that in-person conferences and trade shows are re-emerging. You can meet us live at the Gartner IT Symposium/Xpo events in Orlando, Florida from the 17th to the 20th of October and again in Barcelona, Spain from the 7th to the 10th of November.

Transcript


Wil: Hello and welcome to the Bizzdesign Enterprise Architecture podcast. My name is Wil Scott, and in these podcasts we talk to leaders in the areas of enterprise architecture, and how they and their teams deliver value to their organizations in advancing strategy, optimizing operations and reducing and managing risks. In this episode, I speak to Simon Cross. Simon is a seasoned enterprise and security architect, and has previously held senior positions with organizations such as NatWest Banking Group, Lloyds Banking Group, BAE Systems, and Hewlett Packard. He is currently Head of Security Solutions here at Bizzdesign, and today he introduces the initiative he leads here, Secure by Design. Now, we'd also like to let you know, as hopefully we move beyond COVID, that in-person conferences and trade shows are re-emerging, and you can meet us live at the Gartner IT Symposium/Xpo in Orlando, Florida, from the 17th to the 20th of October, and again in Barcelona, Spain, from the 7th to the 10th of November. So with that short announcement, let's go to the podcast.

Wil: So Simon, welcome to the podcast and the vidcast. It's a pleasure to have you here. I know we spent some time getting the schedule, because you're a busy person. It'd be great for our listeners if you could just begin by introducing yourself, perhaps give a potted history of your career background, what you do now and what your current areas of interest are.

Simon: Okay, good to meet you. Well, thanks very much. So yeah, my background: I came from a network engineering background and built many a telecoms network carrying some of the best internet traffic. From there, it became really obvious that cybersecurity was the critical component of how we get success across technologies. As I progressed in my career, I did a master's degree in cyber at Lancaster University in 2011, and from there the career as a security architect just started to fly. I am a bit of a geek when it comes to SABSA and security architecture, so that was the next kind of stage of my education. And really, I've worked for BAE, for a number of government agencies, and then the financial sector, which has taken me up to today and my current role at Bizzdesign.

Wil: Okay. I'm not gonna say, Simon, that it was a bit unfair of you to refer to yourself as a geek. I mean, I'll say it for you: you're well known in the space, and you're considered quite the expert in the space as well. If you choose to use the word geek, I'm gonna leave that to you, but I know you're extremely well known. So Simon, let's talk about security, right? I mean, we've been talking about it for years, if not decades. What's changed? Why should this be top of mind for not just the CISO, but the enterprise at large as well? What's happened in the world to create a sort of urgency of taking security more seriously?

Simon: Well, you know, to begin with, well, we should have been talking about security 20 years ago. It should have been top of the list at the board all that time back. But today, it's understood how impactful the losses are from a cyber attack, from a breach. The board recognize it, the CEO recognizes it, they realize that they've got to act.

Wil: And I think, I mean, it seems to me when I read the news that it's almost like a security breach sort of brings a triple threat to the enterprise, right? There's a regulatory impact and fines that go with that. There's a reputational impact, which, you know, means people lose faith in them. And there can be a revenue impact. I mean, certainly in the retail space, I'm thinking of the various breaches we've had out there in the retail space, and even the healthcare space, there's a revenue impact as well. Are those things that boards care about?

Simon: Well, yeah, everything you mentioned is completely true. But I think one of the things you missed off your list there is the actual physical impact of a cyber attack. We're seeing the Colonial Pipeline attack that resulted in petrol supplies, oil supplies, being cut off to vast parts of the United States, and a successful cyber attack against some of our critical national infrastructure will have a terrible effect on people. So right across the board, many risks are impacted by cyber attack.

Wil: Absolutely. And institutions that are subject to attack by malicious foreign actors aren't just limited to government institutions, right? There's the defense industry. There's the infrastructure industry, the financial services and trading industry. Certainly now, in the US, and I'm sure it is around the world, the utilities are subject to big regulatory requirements when it comes to securing their infrastructure as a fundamental requirement.

Simon: Yeah, it's the same all over the world. And everyone needs to react to it, and everyone actually is changing. So we are starting to see a transformation in how the board are responding to cyber threats, and then how the security controls within the enterprise are responding as well.

Wil: So Simon, I know that you have been leading the charge of this thing called Secure by Design. It certainly sounds intriguing. But for our listeners and viewers, could you just give us a primer on what is Secure by Design? What's it trying to do? And what are its tenets and principles?

Simon: Yeah, sure. So Secure by Design is all about helping the enterprise succeed through the use of security, through ensuring that security is built into all enterprise processes, all enterprise people, all enterprise technology. We want the enterprise to be proactive in how it thinks about security. And when we say proactive, we mean don't just be reactive to a breach; let's proactively think about how we build the best systems, so that quality is embedded within those systems, and security is just a subset of quality. Let's think about how we achieve defense in depth. Let's understand the layers of defense that we're building and what the threats are actually trying to achieve against us. We don't just want to spend millions of pounds on blanketing every security control across the organization, because we don't know what's effective; we'd be spending too much money. So let's prioritize our investments in the right way. And ultimately, just make security part of everything that we do.

Wil: And has that been the normal sort of, I mean, I'd say normal, but is typically the response mode the reactive one? Is that what you've observed as you look across the industry?

Simon: Oh, without a shadow of a doubt, reactive response is the default position. And without wanting to go into the details of names, what we see is this pattern of a breach happening, an organization panics, they then work to resolve the breach, they've got to throw all of their resources at resolving the breach. And then they step back and think, "Oh, what have we got to do next? Oh, let's do our enterprise architecture properly." And they come to us, they want help from Bizzdesign to structure, to build out their enterprise architecture, with consistency, with repeatability, with fine-grained detail. So let's implement that level of thinking into the organization now, let's save them the cost of having to respond to the attack, let's make them proactive. And I believe that enterprise architecture is the way to achieve that proactivity.

Wil: So it sounds like, you know, when you're acting in a responsive way, then you're throwing a truckload of technology at a problem, which will be very expensive and inefficient and consuming, not just in terms of buying the technology, but implementing and maintaining it. But it also sounds like what you're saying, Simon, is you may not be securing the right things. If you're just reacting to things, you might not be securing the right things. And so having this proactive approach is the right way to go about it. Is that what you're saying?

Simon: Yeah, I mean, we've had to react over the years because we haven't known what's around the corner. And there's a whole thing in security about a black swan event: we never know exactly what's going to happen. But there's also the industry, the attackers, have almost reached a bit of a plateau at the moment. So we've had ransomware, we know how ransomware works. Organizations have now had a number of years to build the right controls to mitigate the risk of ransomware. It's not to say that all of those controls are built effectively today. But we've reached somewhat of a, we know we've reached a plateau, which means that we know that a cyber attack is going to happen. Now that we know, now that we've accepted that it's going to happen, let's really think about how we build out security the right way, and we no longer need to be so reactive. We have the opportunity now to be proactive.

Wil: And certainly these data breaches and ransomware attacks are just so well publicized now that it's elevated to be beyond the IT department. And I've often heard the phrase, you know, there's two types of organizations: those that have been breached and know it, and those that have been breached and don't know it. But in all cases, inevitably, any enterprise of any substance, I'm sure someone will have had a go at penetrating them. It's not a case of it being likely they've been attacked, it's a certainty.

Simon: And it's not just once, it's every day, all day. We see attacks happening every time you receive a phishing email; that is somebody attempting to breach the organization.

Wil: Absolutely. Well, this is a podcast and a vidcast for architects of all kinds, particularly enterprise architects. But can you talk a little bit more about what's the role of enterprise architects and, I guess, security architects, solution architects? What's the role of architecture in achieving the goals of Secure by Design?

Simon: Yeah, so it's the architect's job to embed security throughout the organization. We've got to think about embedding it into how we develop strategy. We want to think about how we understand security across our enterprise architecture. And then how do we enable solutions to be built effectively, rapidly, without the traditional "no" culture of security. So it's our security architects' job, and our CISO's job, to ensure that we have the right security capability available to be used by our enterprise, and that it's consumable and repeatable. And then it's the role of the enterprise architects and the solution architects to make sure we consume it, but equally so to advise the security team of the changes that are coming down the road, so that the security team don't have changes dropped on them by surprise, so that the security teams can be proactive in how they build their defenses based on the strategic direction of the organization. So really, the architecture teams need to work hand in glove with one another; there should be no silos of activity.

Wil: So Simon, just summarizing our last sort of 20 minutes' chat here. Sounds to me what you're saying is, to begin with, security has, yes, always been around. But because of the exposure security incidents receive in the media, this has now elevated itself to well beyond the depths of IT to a CEO and board level of care. The second thing you said is that traditionally, enterprises' response mode has been just a responsive mode, as opposed to a proactive mode, which means that they might be throwing unnecessary money at securing things that don't need securing and not putting money into things that do need securing. And so the goals of the Secure by Design philosophy, I'll call it, for want of a better word, are to be proactive and to embed the idea of security at the architecture stage. And so within that, architects, and particularly enterprise architects, have a key role to play to ensure that all the teams are aware of this, all the architecture teams, security and solution architects and what have you, are aware of the changes. Is that a reasonable summary? Just a potted summary of what we chatted about?

Simon: Yeah, I'd say you picked up on all the key points there.

Wil: Well, good. Well, we always like to leave our listeners with the expert's three things to take away. And so you're the expert in this conversation, Simon. Three things you'd like our listeners to take away within the context of Secure by Design?

Simon: Okay, so I guess first of all, we've got to think about how security transcends through the entire organization. It starts with our strategy, that flows through our people, our processes, and into our technology. We've got to think about it at the design stage, as well as the operational stage. Okay, so my second point would be the enterprise architect, and the enterprise architect is really key to bringing out this whole Secure by Design culture within the organization. And it's got to be driven from an enterprise perspective, not from just within the security team. And to finish off, the third point that I'd add to this is that our aim has to be proactive security, and proactive security is going to be what allows us to get optimized security the best way, the fastest way and, most of all, at least cost.

Wil: Fantastic. Well, I mean, you can't get punchier than that, Simon, right? Better security, faster, for less money. Who doesn't want that? Right? I'm sure the world wants that. And effective as well, of course. Simon, thank you so much for your time today. I know you're a busy man, and you work with clients all over the world in this particular area. So we really appreciate you sharing your insights and your expertise and your advice as well. Hope to have you back on the vidcast podcast soon. But Simon, thanks again for your time today.

Simon: Thanks very much. We'll see you again.

Wil: Well, I hope you enjoyed that session with Simon, bringing us a sneak peek into the Secure by Design initiative. And you can meet Simon in person if you're going to be at the Gartner IT Symposium/Xpo in Florida on the 17th to 20th of October. And also as a reminder, we have the Barcelona edition of that event on the 7th to the 10th of November. Hope to see you there. For more podcasts, blogs and recorded webinars, please visit us at bizzdesign.com, where there's a wealth of information available. And if you enjoyed this podcast, we'd encourage you to leave a review on the podcast platform you use. If you'd like to tell your EA story and feature on this podcast, then please email me, Wil Scott, at podcast@bizzdesign.com. Bizzdesign is a leader in the area of enterprise architecture software that supports enterprise architecture teams in delivering value to their organizations, with a key focus on the value outcomes of strategy advancement, operational efficiency and reducing risk. Thanks for your time.