Andrew Rose (UK)
Appearances
Bites & Bytes Podcast
The Double Andrew Rose Special: Insights on Cybersecurity in AgroFoods
It really is. Well, coming from the UK, absolutely it is. So that's my favorite food. I think my favorite food memory actually relates to what used to be my favorite food, which was pizza. I spent many years as a complete pizza nerd because we used to live in New York. And whilst we lived there, we went on a pizza tour. And this pizza tour still happens.
Gosh, there's so many. There's so many lessons. That's the problem. When you look at the control stack that a CISO would look at for an enterprise, there's generally about 130 controls. And however you break it down, it turns out to be about 130 controls, whether it's ISO 27000 standard or the NIST standards. So there's always a lot to think about.
But I think, oh gosh, there's lots of aspects to think about. One is the evolution that I think we've seen in the industry moving from IT security, where you're just protecting the box to stop malware getting on it, to information security about, okay, now we've got to protect the value of our information and the integrity of our information.
Then moving on to cybersecurity, where it's actually, okay, well, this is going to affect our service and our service is going to be down. So we were built to deliver our value proposition. Where organizations are moving now is into cyber resilience, where actually if they have a cyber breach, it doesn't disrupt what they do.
And there's certain aspects, there's a chicken sort of growing company that I've been working with as well a little while ago. And they were talking very much about how the need for resilience is paramount to them. They need to keep their systems running. They need to keep the whole process running through. Otherwise, things get pretty horrible.
So I recommend it to anybody who goes to New York, Scott's Pizza Tour. I am not sponsored by Scott, but he did do the tour. And it's incredible. He takes you around all of the old pizzerias in New York and he explains the history behind New York pizza and the science behind it. How about the pH of the water, how that affects the pizza and all sorts of stuff. And it's thrilling and amazing.
You can't back chickens up and keep them in the same pen longer than they need to be. So I think certainly focusing on that resilience journey, which many big enterprises are going through too, is a real big focus that agri-food should think about. And I think the poster child for doing this incorrectly is the Colonial Pipeline system. American guys will all know about that one.
But they had their billing system get some ransomware on it. And because the billing system was infected, they shut down their operational capability. And that's entirely the wrong thing to have to do. So I think in agri-foods, the people there need to realize that the service needs to continue.
They need to get sort of, they need to be able to continue to produce and continue to move the produce around and get it to the right place. So they need to focus very much on resilience or rather, sorry, resilience rather than recovery. You can't be down for two weeks and then recover it and go, well, fine. That's two weeks of produce loss. Goodness only knows the impact that could have.
How you get around that is, well, I think you just have to look at all the normal controls that people focus on these days. So how am I going to prevent ransomware? How am I going to keep my network segregated and safe from different external threats? And if we do get a breach internally, how can I make sure that other aspects of my network are segregated away from that?
And finally, I think probably the key thing to think about is how most of these attacks start, which is very much the space I'm passionate about right now, which is the human side of the risk. It's really interesting to look at enterprises and what they do is they seem to spend about 90% of their security budgets on technology.
And yet when you look at the statistics, about 90% of the threat comes from people who will click on links, who will open attachments, who will do silly things, send information to the wrong place. So actually there's a real imbalance there. And normal large enterprises are still dealing with that themselves.
So I think as the agri-food industry starts to really get in and tackle cybersecurity, they need to think about this education and awareness to change the behavior of the people who are involved in the whole end-to-end process. Because that's where many of those vulnerabilities and those issues will begin, but they can be cut off with some good education and training.
It's interesting to sort of have the analogy with air traffic, because in air traffic control, I didn't care about confidentiality one jot. And we all talk about cybersecurity being the triad of confidentiality, integrity, and availability. I didn't care about confidentiality. If we lost our HR database, sure, that was a rough day, but hey, it could be so much worse.
We had to focus entirely on integrity and availability of data so the air traffic controllers could do their job. And if that dot was on the screen, we knew that was exactly where that dot was. And they'd rather have no dot than an incorrect dot. So integrity was vital and availability was vital. I think those aspects actually are true with the agri-foods as well.
The confidentiality is not that much of a big deal, but the integrity of the data to prove the provenance of their foodstuffs and the availability of their systems to process it and bring it through from farm to fork is really key for them so that they're not just a normal cybersecurity journey. It's slightly different. It's much more critical national infrastructure thinking.
It's much more about safety level thinking.
And he takes you around and talks about all the different types of ovens and you try a slice in all these different pizzerias so you can compare and contrast. It's an amazing experience. I absolutely loved it.
It is, and I think that chicken company I was talking about, they actually went through all of their processes and they worked it out that if they had no computers at all, they could still do it. They went back to the paper process. How would we do this with no technology? How could we know what we were doing? And I think that's a very wise thing to do.
We've seen other organizations do that when they had ransomware. There was Norsk Hydro, an aluminium or aluminum, sorry, smelting factory. And they again had to go back to manual processes because their computer systems were wiped out by ransomware. So we do need to think all the way through how could we keep our services going when everything is gone and certain industries really need to do that.
My wife did say that she'd never actually seen me have such an immediate bromance as I did with Scott when I first met him, because I was just like on his shoulder all the time learning about pizza and hanging out with him. But it was really good. So if anyone goes to New York, I'd definitely recommend that. That's my probably favorite food memory.
I think agri-foods is one of them.
I think on that one, I think a lot of the cybersecurity people out there, most of them are very focused on that CIA triad and confidentiality is everything. And integrity and availability is probably IT operations problem. So they come at this from the wrong angle straight away. And I also had to retrain people who joined my team to sort of refocus them on the key things.
So I think they come at it from the wrong place. And I think there's a perception across society that agriculture is not technology based. You know, it's probably the one thing that's not technical. They see it as, oh, there's wheat in the field. Okay, that's not going to get, you know, malware. It's not going to get ransomware.
But actually, it's all the process of the technology that puts the wheat in the field, brings the wheat out of the field, and gets it to your store. Absolutely, that's technology-based. So I think there's just a perception that this is different, that this isn't at risk from those cybersecurity issues.
And with the lack of cybersecurity people focusing on the right aspects of it, I think that puts us into this really poor position, which is, again, why I got involved, because I perceive this is the most critical national infrastructure. And yet it just gets so underserved in terms of commentary and governance and oversight and support generally.
I've been there. I've been there. Yes. I heard about it. It is weirdest down this little corridor. Uh-huh. Exactly. Yeah.
Andrew? Probably about 48 hours due to food poisoning. I just couldn't keep anything down.
I absolutely learned it on the job. So I came from a legal sector, which was entirely different, entirely, couldn't be more different. And then I was an analyst for five years. So this opportunity just came along. And it's the sort of thing you just can't say no to because it's a security world that means something. You know, working in the legal sector is fine. You know, you're keeping one very rich company, you know, rich and helping them make a merger and acquisition to make them a little bit richer the next day. And that's fine, but it doesn't really mean anything. But air traffic control and those critical infrastructure things really does make a difference to you keeping people safe. It's all about safety. And so for air traffic controllers, I had to learn that on the job.
It was very much about sort of transferring my knowledge into the operational technology environment, creating a culture within those operational technology engineers to make sure that they understood that cybersecurity applied to them in their context.
And then started to wrap controls around all of those pieces to make sure that we could be safe. But it's interesting, Andrew talked about sort of anarchy and how long it takes. With air traffic control, we didn't worry about that too much. But certainly when I was at Mastercard, you know, we were doing all these interbank transfers and we knew that it wouldn't be long if those systems failed. You know, if you couldn't go and buy, you know, food for your children, how long would it be before you were smashing down the windows and just taking the food? 48 hours, something like that. And so we knew that we were running systems which were critical and had a really short time base before we created anarchy on the streets of our society. So it is something that people can build up a knowledge of, certainly, but it's not a natural thing. This OT security piece is still pretty rare. We talked about it at RSA, and there's not that many people around with this ability or this way to think through these situations from that angle.
what they do, and they're really good at it. They have a long memory and they have a long reach to do so. So don't be afraid to report if something happens. So in terms of future threats, from my perspective, I think there's a couple, and we've touched on some already, actually. I think the global threats, the nation-state threats against critical infrastructure, are escalating. We're seeing, you know, nation states looking to impact the economies of the competitors and the enemies, as it were.
And this is being done in a multifaceted way, whether it's political intervention using disinformation, whether it's attacks on systems and capabilities just to undermine the trust in that society and create division. But I think, as Andrew mentioned, the food, agriculture environment is vulnerable to this and could be such a force multiplier.
So we can expect really competent cyber attackers to start looking at this space. And that worries me because obviously the new technologies are coming out right now. And we've all talked about AI and all those sort of things in every other conversation we ever have. But those things are going to enable the attackers to amplify their capabilities.
And we'll start to see hyper-personalized attacks coming in. So today that's always been talked about spear phishing. Figures out that Kirsten likes skiing. And so we're going to invite her to the local skiing club or whatever it is. But that takes time for an attacker to do. So it's relatively rare.
But actually with AI, hyper-personalization delivered in grammatical perfection with a really compelling lure and a compelling push linking back to news stories that you're interested in because they know what news stories you follow. Now that's on the verge of coming out.
And then that could be supported by a deep fake video, which is your partner or your boss or someone like saying, you must do this. You must click on this link. So we're going to see all those new technologies being utilized in the next wave or two of cyber attacks being utilized by these very competent nation states to disrupt our societies. And again, agriculture is right in the middle of this.
So I'm worried about where that goes. And I think the thing we need to do is we need to start raising awareness of the capabilities first. Because if people understand what a deep fake is, they understand what AI can do, then they're much better protected about it. They're more inoculated to the possibility because they go, oh, I've heard about it. This could be really weird, couldn't it?
It doesn't look quite right. So we need to educate, definitely. But we also need to start building those controls in. Because Andrew and I have done a podcast together before, or a webinar, I think it was. And there was lots of discussion about all of the innovation that's going on in the agri-food environment. All of these startups come here with brilliant ideas for improving our capabilities.
And that's awesome. Love it. But I'm really concerned that those guys are doing this with not enough of a focus on cybersecurity. Very early on in sort of the physical security phase, when suddenly everyone realized that you could actually connect your iPhone to your front door and you could actually open your front door with an iPhone and you could sort of have a doorbell.
pushes that all those products, the first wave of those products came out, no security embedded because it just wasn't seen. They just wanted to create functionality. That was key. First to market with functionality, all they wanted. And I'm concerned that perhaps that happens again in this industry. And that would be a devastating mistake.
Because if those are adopted and put into systems, put into processes where we know critical infrastructure has a problem with legacy tech, you buy it once and you keep it for 20, 30 years and you don't change it. If they're going to embrace these new technologies and put it on their farms, it's going to be there for a while.
And if that's not capable of being secured properly, then we're building huge problems for a long period of time here. So there's a lot here. That's a lot that concerns me, which is why I think it's great that we have this podcast and other conversations to try and raise awareness.
So those startup companies can perhaps think twice when they're creating this great new function and thinking, well, perhaps I should build security and perhaps that will enable us to be better in the future. Absolutely it will.
We absolutely do. And there's one sort of incentive to this because there was a product that was released into aviation and aviation is very picky about products, but this was released into aviation and it was put into pretty much every jet and every airliner, but it wasn't really built with security in mind. And so it can do its little function, its little dumb function, and that's all it does.
The problem is if they built security into that from the off, then that would have had so much more potential for growth. They could have got that little system to grow and do more functions and bring more functionality and more operation capability to the cockpit if only they built security in from day one.
They never did, and so now it's hamstrung entirely to only do a dumb job. So think, if you're a product developer and you're in the space, think very much about: if I want to create the length of delivery, to create a value chain that can get longer and longer with my product, then I need this to be secure. It needs to talk in a secure way, to authenticate correctly using zero trust principles.
It needs to be able to be scalable. All of these other security things need to be built in. And if you do that, then you have a product which you can maintain and build upon for years. And that's where your company will grow.
We have to find the other Andrew Rose. Yes.
Well, I think there's a definite answer to that, frankly. From an English perspective, it's obviously cream first, jam second. And what we all steer clear of is the tea situation, whether you actually put the milk in first or the milk in later, because that's equally contentious, but also has a very clear answer from my perspective. It's first. Oh, I just didn't know. Oh, good grief.
If you're asking a British person about tea and they just say a cup of tea, they mean English breakfast tea. Yeah. Which is the same sort of standard hot black tea, which is Tetley's and PG Tips and things like that. If they're going off-piste and going for something a bit more sophisticated, like an Earl Grey, they will specify.
So yeah, just English breakfast, just default to that and you'll be fine.
You just make the whole language up. It's a bit sad, really, what you've done to it, frankly, but hey.
Oh, absolutely. It's a very British thing. It's like a skill. Yeah. We can write emails like you wouldn't believe. You'll just get to the end of it and go, was that nice or was that really mean? I can't tell. I don't know what they were trying to say. Yeah.
way beyond that. You take it to a whole new artistry level. It's incredible.
Okay, so I'm currently the chief security officer at SoSafe, which is a German company which is involved in human risk management. So we talk about changing the behavior and the culture in an organization to really sort of minimize the human attack surface. But I've actually been employed in many organizations before this. So I was the CSO of two very large global law firms, I was the CSO of UK air traffic control, CSO of Mastercard in the UK, and also was a Forrester analyst for about five years in the middle. Quite an extensive experience of security in large enterprises and critical national infrastructure, which is what sort of brought me to this topic that we're going to talk about today, really, because I think this topic area is very underserved and under-talked about, which is great that we're talking about it today.
Hi there. Thanks for inviting me on the podcast. Lovely to be here. Favorite food is probably lasagna. I do love a good lasagna. Oh my gosh. And I'm not sure if this is weird or not, but I do love it with fries. Like in lasagna or on the side? No, on the side. Okay.