Plenaries - Day 2

Alex Dewdney, Director Engagement, NCSC

  • Focus: interection of tech and people IRL

Claudia Natanson, Chief Security Officer, DWP

  • UC is Europe’s largest online payment system
  • 6k servers, 100k devices, lots of them ageing
    • migration is challenging

Drivers for change

  • Change in usage by users and potential employees
  • Responding to user needs rather than deciding far in advance what should be built
  • Data sizes massively increased
  • DDoS are frequent and huge

Doing the change

  • Security people embedded into sprint teams (PDUs)
  • ‘Shadow IT’ - go to third party SaaS and devices because they help get the work done in a way which isn’t possible with tools provided by (and managed by) the organisation
  • « Seems to have a different idea about what devops is - focused on delivering tools »

Risk-based approach

  • Rather than a binary yes/no, understand the risks: mitigate them or decide to accept them
  • Aggregating information about incidents, threats and claims alongside risks: information aggregated allows an understanding of risk appetite

Security capability drivers

  • Need to be “Breach-ready”
  • “Leading from the top” in terms of education around e.g. spearphishing: ensuring that the top people in the organisation have good understanding
  • Use big data analytics to whittle down the huge numbers of potential incidents to ~100 which can be investigated as likely incidents


  • Agile vs Security tension: need to have the same deadlines, be on the same team. Discussion is around managing risk not blocking.
    • driven by demand and risk
  • Remove accreditation step: risk assessment needs to be done throughout
  • Risk in the supply chain: other orgs risks aren’t in your control
  • People are responsible but not accountable
  • Diverse skills needed to address the really hard problems
  • We haven’t put nearly enough research into how people function wrt security
    • focus has been on trying to ‘fix the user’
  • Punishing users for falling for phishing attempts doesn’t make sense
    • some are really good!
    • wastes time and money
    • hurts users
    • doesn’t change anything!!
  • We ask users to decide whether they trust emails - how are they supposed to do that
  • No evidence that regular password changes help to make accounts more secure
  • We understand tech more than we understand people, so we make the tech then ask people to come to it
  • “Security must work for people, because if security doesn’t work for people, it doesn’t work”
  • Policies are often a stick to beat people with when they do things wrong - not a tool to help them to do things right
  • “People are the only link”


  • When your employees bend the rules, they’re trying to tell you something