This is the presentation that I created while applying for the CISO position at Babylon Health (note that I ended up taking up the CISO role at Revolut)

1. @DinisCruz
security
Dinis Cruz
presentation to Babylon Health
When applied to the CISO position
Dinis Cruz v0.6 (DRAFT) Sep 2019

2. @DinisCruz
security
Babylon Health Security
Dinis Cruz Interim CISO Candidate Sep 2019 v0.6

3. @DinisCruz
security
This presentation was created by
Dinis Cruz , who is an candidate to the
Babylon Health CISO position*!
DISCLAIMER!
* Dinis is currently NOT an Babylon Health employee/contractor
** Dinis does NOT have Internal knowledge of existing Babylon Health security team structure,
objectives or activities
?
WHY?
This is a good medium to present Dinis’
thinking, approach and values**

4. @DinisCruz
security
Babylon’s Security team
mission is to put an
safe, accessible and
affordable health service in the
hands of every person on
earth.

5. @DinisCruz
security
must enable and empower these amazing
professionals to fulfill their potential
… while enhancing the patient’s data:
Confidentiality
Integrity
Availability

6. @DinisCruz
security
?
WHY is
Babylon Security
important?

7. @DinisCruz
security
Is the guardian of
Babylon’s
Customers and
employees:

8. @DinisCruz
security
@DinisCruz
Babylon Health Security commitments

9. @DinisCruz
security
@DinisCruz
Babylon Health Security page

10. @DinisCruz
security
@DinisCruz
Security drives business change and digital transformation

11. @DinisCruz
security
@DinisCruz
Required compliance to multiple standards

12. @DinisCruz
security
@DinisCruz
https://www.serveit.com/recruitment-sourcing-guide-gdpr/
https://www.serveit.com/gdpr-for-developers-data-subject-rights/
GDPR principles, processing and customers rights

13. @DinisCruz
security
@DinisCruz
GDPR - Personal Data Journey (Privacy Impact Assessments)
https://2018.open-security-summit.org/tracks/gdpr/working-sessions/creating-standard-for-gdpr-patterns/

14. @DinisCruz
security
@DinisCruz
Desired Threat Level capability
Detect and Contain
Must be able to:
Neutralise
Break economic model
https://www.canso.org/sites/default/files/CANSO%20Cyber%20Security%20and%20Risk%20Assessment%20Guide.pdf

15. @DinisCruz
security
@DinisCruz
Health care security stats

16. @DinisCruz
security
@DinisCruz
Healthcare record’s value and incident’s patterns

17. @DinisCruz
security
Strategy

18. @DinisCruz@DinisCruz
security
By combining the ever-growing
power of AI with the best
Security expertise of humans,
Babylon Health Security Team
can deliver a safe ecosystem for
customer’s health Data,
including personalised Security
assessments, treatment advice
and appointments with a
Security Professional 24/7.
AI
+
Security
Professionals

19. @DinisCruz
security
@DinisCruz
Aligned with best practices
Start here
https://www.ncsc.gov.uk/collection/board-toolkit

20. @DinisCruz
securitystrategy

21. @DinisCruz
security
@DinisCruz
How to prevent and contain malicious activities
https://www.ncsc.gov.uk/collection/board-toolkit

22. @DinisCruz
security
@DinisCruz
10 Steps to Cyber Security
https://www.ncsc.gov.uk/collection/board-toolkit

23. @DinisCruz
security
@DinisCruz
Effective Cyber Security
https://www.canso.org/sites/default/files/CANSO%20Cyber%20Security%20and%20Risk%20Assessment%20Guide.pdfhttps://onlinedegrees.kent.edu/ischool/health-informatics/community/healthcare-data-security/CybersecurityHealthcare.pdf

24. @DinisCruz
security
@DinisCruz
Strong driver for Information Governance
https://www.bdo.com/blogs/nonprofit-standard/may-2018/the-integration-of-data-privacy https://activenavigation.com//wp-content/uploads/2015/10/File-Analysis-and-Your-Information-Governance-Maturity-Oct-2015.pdf

25. @DinisCruz
security
@DinisCruz
NIST (Cyber Security Framework)
https://www.canso.org/sites/default/files/CANSO%20Cyber%20Security%20and%20Risk%20Assessment%20Guide.pdf

26. @DinisCruz
security
@DinisCruz
Map functions to standards and policies
https://insights.sei.cmu.edu/sei_blog/2016/02/structuring-the-chief-information-security-officer-ciso-organization.html

27. @DinisCruz
security
@DinisCruz
Hippocratic Oath for Security and IT Engineers
https://queue.acm.org/detail.cfm?id=1016991

28. @DinisCruz
security
@DinisCruz
#DataSavesLives
https://understandingpatientdata.org.uk

29. @DinisCruz
security
=
+

30. @DinisCruz@DinisCruz
security
Babylon Security objectives and
mission are completely aligned with
NHS and NHSx
Tight collaboration with NHSx Cyber
Security team is a win-win scenario for
both parties and the wider health care
industry
Learn, integrate
and improve
NHSx
Cyber Security
https://coinzodiac.com/cryptocurrency-arms-race/reinvent-wheel/
Do NOT reinvent the wheel

31. @DinisCruz
security
@DinisCruz
Be a player
Supports
Integrates
Contributes
Babylon should be here
Private sector players

32. @DinisCruz
security
@DinisCruz
NHSx focus = Babylon Health Security focus
https://www.slideshare.net/InnovationNWC/dr-masood-nazir-eco-19-care-closer-to-home

33. @DinisCruz
security
People
Process
Technology

34. @DinisCruz@DinisCruz
security
1. Babylon Security provides a comprehensive
service, available to all*
2. Access to Babylon Security services is based
on need, not an individual’s business unit
3. Babylon Security aspires to the highest
standards of excellence and professionalism
4. The patient will be at the heart of everything
Babylon Security does
5. Babylon Security works across organisational
boundaries
6. Babylon Security is committed to providing
best value for money
7. Babylon Security is accountable to the
patients, management and shareholders
*All = Babylon Health Company and selected partners
Principles
inspired by:

35. @DinisCruz
security
@DinisCruz
Following best practices and ideas
1. Ensuring every Babylon Health customer and
employee data is protected
2. Establishing shared architecture and
standards
3. Implementing services to meet needs
4. Supporting stakeholders to get the best out of
technology, data and information
5. Making better use of cyber health and care
information
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/443353/HSCIC-Strategy-2015-2020-FINAL-310315.pdf

36. @DinisCruz
security
https://digital.nhs.uk/binaries/content/assets/legacy/pdf/8/9/copconfidentialinformation.pdf

37. @DinisCruz
securityhttps://www.gov.uk/government/publications/the-future-of-healthcare-our-vision-for-digital-data-and-technology-in-health-and-care/the-future-of-healthca
re-our-vision-for-digital-data-and-technology-in-health-and-care

38. @DinisCruz
security

39. @DinisCruz
security
@DinisCruz
Babylon Health is very synergetic with GP Connect

40. @DinisCruz
security
@DinisCruz
NHS Code of Conduct

41. @DinisCruz
security
@DinisCruz
OWASP ASVS Application Security Verification Standard (in Healthcare)

42. @DinisCruz
security
?
HOW
Babylon Security
Operates and behaves

43. @DinisCruz
security
@DinisCruz
Team’s capabilities exposed as services

44. @DinisCruz
security
@DinisCruz
Graph project’s to outcomes and threats
Each yellow
box is a Jira
ticket

45. @DinisCruz
security
@DinisCruz
Create schema that represents the business

46. @DinisCruz
security
@DinisCruz
Scale using Workflows
RISK Workflow VULN Workflow

47. @DinisCruz
security
@DinisCruz
Lots of workflows

48. @DinisCruz
security
@DinisCruz
Hyperlinked RISKs
https://www.canso.org/sites/default/files/CANSO%20Cyber%20Security%20and%20Risk%20Assessment%20Guide.pdf

49. @DinisCruz
security
@DinisCruz
Modern approach to managing security RISKs
https://www.soa.org/globalassets/assets/Files/Research/Projects/research-new-approach.pdf

50. @DinisCruz
security
Embrace Open Source and CC (Creative Commons)

51. @DinisCruz
security
=
Linked
Security Policies
Evidence based
Security decisions

52. @DinisCruz
security
@DinisCruz
Hyperlinked policies in Jira
Policy’s pdfs
do not scale
because it is not
possible to link real-world
data to the respective policy

53. @DinisCruz
security
@DinisCruz
Convert policy into an graph

54. @DinisCruz
security
Policies Links to Facts Links to Vulns Links to Risks

55. @DinisCruz
security
@DinisCruz
Context specific Jira projects (for example FACTs)

56. @DinisCruz
security
? WHO is
Babylon Security ?

57. @DinisCruz
security
@DinisCruz
Current Security team

58. @DinisCruz
security
@DinisCruz
Creating Security Champions
https://www.owasp.org/index.php/Security_Champions
https://safecode.org/putting-a-face-to-software-security-champions/

59. @DinisCruz
security
@DinisCruz
Security Champions
https://www.slideshare.net/DinisCruz/security-champions-v10

60. @DinisCruz
security
@DinisCruz
Security Digital Twins
Leverage existing Babylon
Health technology and create
Security digital twins for:
● Security Activities
● Application Security
● Network Security
● Intrusion Detection
● Risks
● Stakeholders (users, customers)

61. @DinisCruz
security
} Babylon Security
Data Science Tech Stack

62. @DinisCruz
security
@DinisCruz
Serverless stack

63. @DinisCruz
security
@DinisCruz
Scalable data creation workflow

64. @DinisCruz
security
@DinisCruz
JIRA

65. @DinisCruz
security
@DinisCruz
Elastic (ELK)

66. @DinisCruz
security
@DinisCruz
Slack

67. @DinisCruz
security
@DinisCruz
Jupyter notebooks

68. @DinisCruz
security
@DinisCruz
Other Key Components

69. @DinisCruz
security
*Graphs and Maps

70. @DinisCruz
security
@DinisCruz
Wardley Maps
https://leadingedgeforum.com/researchers/simon-wardley/

71. @DinisCruz
security
@DinisCruz
https://wardle.org/strategy/2018/07/19/mapping.html
This is a graph (position doesn’t matter)
This is a map (position represents evolution)
Using Wardley Maps on Healthcare

72. @DinisCruz
security
@DinisCruz
Maps help to visualise strategy (and bias)

73. @DinisCruz
security
@DinisCruz
https://medium.com/@erik_schon/the-art-of-strategy-811c00a96fad
Metadata use in Maps is very powerful

74. @DinisCruz
security
@DinisCruz
Advanced Wardley Mapping

75. @DinisCruz
security
@DinisCruz
Cynefin Framework
https://academic.oup.com/heapro/article/28/1/73/576131

76. @DinisCruz
security
Why Dinis Cruz ?
for Babylon CISO

77. @DinisCruz

78. @DinisCruz

79. @DinisCruz

80. @DinisCruz

81. @DinisCruz
Created OWASP Summit* event.
Motivated 100+ Security professionals to collaborate together, and
release knowledge/code under Open Source (or Creative Commons)
* now called Open Security Summit

82. @DinisCruz
Published
Books

83. @DinisCruz
https://cyberleadersnetwork.org/dinis-cruz-ciso-of-photobox-on-how-to
-identify-communicate-and-resolve-cyber-security-risks/
https://www.youtube.com/watch?v=A7hccDXlDwI
https://www.youtube.com/watch?v=6XmCQhn57gk
Video interviews
and presentations

84. @DinisCruz
LinkedIn, GitHub,
Twitter, Blog, Email
http://www.linkedin.com/in/diniscruz
https://twitter.com/DinisCruz
http://github.com/diniscruz http://blog.diniscruz.com/
dinis.cruz@owasp.org

85. @DinisCruz
security
Thank you - Any Questions?
Dinis Cruz Interim CISO Candidate Sep 2019

86. @DinisCruz
security

87. @DinisCruz
security
Misc Slides
(to be added to next version of this
deck)

88. @DinisCruz
security
Security Ecosystem
Safe Secure
EffectivePeople
Mentor
Community
ResilientCompliant
CommercialTransformative
FoundationsInnovative Enabler ScalableOpen

89. @DinisCruz
security
@DinisCruz
Handle incidents (should be seen as opportunities)

90. @DinisCruz@DinisCruz
security
The Security team must do the same
Babylon thinks in graphs

91. @DinisCruz
security
@DinisCruz
Board/C-Level view of Cyber Security
https://www.ncsc.gov.uk/collection/board-toolkit

92. @DinisCruz
security
Open Source as a key strategy

93. @DinisCruz
security
@DinisCruz
Behaviours

94. @DinisCruz
security
Add how this applies
to security

95. @DinisCruz
security
@DinisCruz
Security Team values

96. @DinisCruz
security
Wardley maps

97. @DinisCruz

98. @DinisCruz
https://www.isaca.org/Journal/archives/2017/Volume-3/PublishingImages/17v3-Security-Assurance-2L.jpg

99. @DinisCruz
security
NIST and CIS Controls
https://www.nist.gov/news-events/news/2018/05/mep-centers-aid-manufacturers-cybersecurity

100. @DinisCruz
security
Design elements