From 3f3bc89ba1bc0f90cb45ffb83cf329d5b5d0c13d Mon Sep 17 00:00:00 2001 From: Alone2671 <62079805+Alone2671@users.noreply.github.com> Date: Sun, 19 Nov 2023 20:11:18 +0300 Subject: [PATCH] Update Mapping-Threat-Intelligence-Enhancing-Situational-Awareness.md --- ...ligence-Enhancing-Situational-Awareness.md | 1026 +++++++++++++++++ 1 file changed, 1026 insertions(+) diff --git a/content/sessions/2023/mini-summits/Oct/Wardley Maps/Mapping-Threat-Intelligence-Enhancing-Situational-Awareness.md b/content/sessions/2023/mini-summits/Oct/Wardley Maps/Mapping-Threat-Intelligence-Enhancing-Situational-Awareness.md index 8dcf119b10f8..2c532b55470f 100644 --- a/content/sessions/2023/mini-summits/Oct/Wardley Maps/Mapping-Threat-Intelligence-Enhancing-Situational-Awareness.md +++ b/content/sessions/2023/mini-summits/Oct/Wardley Maps/Mapping-Threat-Intelligence-Enhancing-Situational-Awareness.md 
@@ -34,3 +34,1029 @@ This topic focuses on using Wardley Maps to map threat intelligence and enhance = Integrating threat intelligence into decision-making processes - Enhancing situational awareness and incident response through threat intelligence mapping +## Transcript: +Dinis Cruz - 00:00 +You. Hi. Welcome to this open security summit session in October 2023. +And we're joined by Simon Wardley and Marius Poskus. You know, has to +be one of my favorite topics, especially, I have to say, the thing I've learned +the most in the last 510 years that changed my perception. I have to add +Gen AI to that now. I have to say, Simon, but, you know, I still feel that it's +one of those unexplored areas that has so much that we need to do to +figure out how to really use it. And it's not perfect, but it's way better than +a lot of the things that we use. So big fan on worldly maps. So, Simon, I +know you got some things you want to present to us. Why don't we start +there and then we start the Q A out of it. + +Simon Wardley - 00:49 +We can do perfectly. Happy to. I put some slides together because we're +talking about weak cycles. But before you've already dropped the Gen AI +bomb in here, I've got to say, the difference between Chat GPT Four and +the multimodal version of Chat GTP, the more visual version, is night and +day. It's enormous. It's astronomical. Because part of the problem is this +goes back to the concepts of NICUs negropants and architecture by +yourself. So the process of design is conversation going on between two +designers, or possibly within the mind of one designer, two identities. But +it's a conversation. But that conversation in text form was very much +limited by rules and syntax and styles. And of course, this goes all the way +back to Jonah Friedman's work on graphical conversation theory. + +Simon Wardley - 01:53 +Getting into that graphical form, it's now much more about objects and +relationships and context. 
It's a bit like when you're coding how we often +have whiteboards behind us to actually explain the problem on the +whiteboard that we then code. Well, we've been trapped in that world of +code, the world of storytelling and text and all the rest of it. But the new +version of Chat sheet, it is totally. This is what I've been waiting for. I +wrote a post on this back in May last, earlier this year, which was +following one from previously. The fuss about conversational +programming, the medium is so important. So it's enormous. If you +haven't played with the multimodal form, I can throw maps in there, get it +to interpret the map. I can have a discussion with it, build a bet. It's just +incredible. + +Dinis Cruz - 02:44 +So I would argue that's another pivotal point. But for me, the bit that it +was already doing, which was the big game changer, was a understanding +context. So I can have a dialogue with it, but more importantly is the +ability to translate that into a context that I give it. So, for example, the +biggest problem I had in the past was how do I tell that story in a way that +makes sense to that individual, for that culture, for that experience in a +way to even at the point of the journey, that individual is that could never +scale. Now we can now we can tell the story and make sure the story is +coherent. + +Simon Wardley - 03:19 +I'm going to disagree with you here. Good on a panel is that beforehand +were talking about styles and rules and syntax and basically giving orders. +So it was like, I need to improve this code, et cetera. And were still +trapped in that world of text. I think what we've got with the multimodal +forms enable us to ask questions in a completely different way and it is a +huge transit. So everything before they release the multimodal version, I +think will be forgotten to history. I mean, it was sort of exciting. This is +where it's actually game on. 
This is where it really is a fundamental +change and it's the medium by which we can have the conversation. But +anyway, I've got some slight and weak signals. Well, on mapping, because +I have to talk about mapping, of course, intelligence and. + +Dinis Cruz - 04:14 +Connecting the dots, right, and providing context, right. For example, just +maybe so we can tide a lot of this on mapping, threat intelligence and that +situation awareness. My challenge a lot in the past was how do I translate +the situation awareness that we have here to that target audience? And +even with the map, right, even when I got a map, I was able to create +analysis. So I was always being very frustrated because I could use maps, I +could visualize in maps, I could think in maps. I always struggle to +communicate those stories and to provided that. + +Dinis Cruz - 04:50 +And now I can see how I can do that in a way that leads the individual +almost to they'll be consuming the worldly maps, and then as they ask the +questions, you can zoom in and go, oh, let me show you what actually +happens behind the scenes. Where in the past, there was too much of a +chasm there on that part. + +Simon Wardley - 05:10 +Okay, I'm going to agree and I'm going to explain why I agree as well. But +we'll get there. I'm going to share some slides. I've always got a current +research project while I've got one going on in video gaming. Coming up. +Did sustainability. I did cybersecurity. I think I'll spend a few minutes. + +Dinis Cruz - 05:30 +Taking yes, my ass before, because you've done a lot of great work and I +joined a couple, but I know if you finish it off, it'd be great to see the +outcome of that research project. + +Simon Wardley - 05:38 +Oh, it's not written up yet. The time between when the research project +finishes me right up is quite some time because I've got but I will show +you. I will show you. All right, let's get started. Anyway. Too much chatting +for me. 
+ +Marius Poskus - 05:54 +Can you see that? + +Dinis Cruz - 05:55 +Okay, yes, we can. + +Simon Wardley - 05:56 +Right? So let me go view full screen mode. Okay. So very quickly, I'm +going to talk about origin, how I got into maps, and that's going to be +super quick. And then I'm going to talk about patterns, and then I'm going +to talk about the problems with weak signals. Okay? So for me, this all +started running a company, didn't know what I was doing, completely +clueless. Ended up reading Sun Tzu's The Art of War. So Sun Tzu taught +about five factors mattering, competition, have a purpose and moral +imperative. Understand your landscape, the environment you're competing +in. Understand the climatic patterns, so how the landscape is changing. +Understand doctrine. So the principles of organization. Then you're into +gameplay. And this overlaps very nicely with John Boyd's UDA loop. You've +got the game. You observe the environment. That's what landscaping +climatic patterns are about. + +Simon Wardley - 06:50 +Then you orientate yourself around this space and then you're into sort of +action, or decision action. This is where you're into the whole sort of +leadership part. And this got me really into landscape. What do we mean +by landscape? So that got me into maps. And I read loads on military +history and all the rest of it, things like this. And I got really excited by +maps. And so I asked my company, everybody who was working for me, +give me your maps. And they gave me loads of maps, customer journey +maps, my maps, systems maps, loads of them, business process maps. And +I took one systems map. Here it is. A number of components connected by +connections. Took one component, CRM, moved it and asked, how has the +map changed? And the answer is, it hasn't. + +Simon Wardley - 07:40 +Which is unusual because if I took a geographic map and I take a map of +the world and move, I don't know, Australia, put it next to the UK. +Obviously that has changed. 
It hasn't changed here because it's not a map, +it's a graph. And so the thing that every single map I had in common was +none of them were actually maps, they were all graphs. And just to explain +the difference there very quickly, the three images at the top, they're all +graphs. Three places nottingham, London, Dover, connected by two roads, +m one, M two. Roughly, they're all identical. The three images underneath +it are all maps, and they are completely different. And the reason why they +are completely different is because of a compass, because that gives a +property, and that property is it gives space meaning. + +Simon Wardley - 08:31 +So the difference between a graph and a map is in a map, the space has +meaning. So you can't just simply move a component and it remains the +same just because the connections are the same. So that's the distinction +between a graph and a map, and space only has meaning. Well, obviously, +when you're mapping against some form of landscape. Now, in order to do +this, you need three basic components. Anchor, such as magnetic north, +position of pieces. This is north, southeast or west of that, and consistency +of movement. So if I go north. If I go south. And so that's where I started. +And the example I always do is a tea shop. If you're mapping a tea shop, +you start what's the anchor? The public consuming tea, the business who +wants to sell cups of tea, right? Well, that's anchors that's. + +Simon Wardley - 09:18 +Not enough cup of tea has needs. It needs tea. Cup needs hot water, Ketle, +power. So you've got a chain of needs that describes position through a +concept of visibility. And then of course, all of these components are +evolving. And so that gives you movement and evolution. And so this is +what you end up with is a map. And in this map, if you move a piece, it +fundamentally changes the meaning of a map of the map, because it's a +map. There we are. That's super simple. All right? Patterns. 
Turns out +when you start mapping out spaces, you learn lots of patterns. There are +climactic patterns. There's doctrine, which is about organizational +patterns. There's leadership patterns. There's about 30 Climactic patterns, +40 doctrine, about 100 different forms of gameplay. All right? + +Simon Wardley - 10:07 +So I'm going to talk about Climactic patterns and then bring in weak +signals into this. So the climactic patterns here's the horrible list that I'm +going to talk about is everything evolves through supply and demand. +Competition components can coevolve. Higher order systems create new +sources of value. Efficiency enables innovation. Success breeds inertia +very simple patterns that come out of mapping, which you can apply to a +map. So an example, this is compute roughly in 2004 using these +application. Best coding practice on a runtime on operating system or best +architectural practice on compute. That was 2004. The first pattern you +learn is everything evolved. So we knew that it would eventually become a +utility. Sure enough. AWS Et Two 2006 the next pattern you learn is past. +Success breeds inertia. + +Simon Wardley - 10:59 +So all of those with big data centers and lots of practices in that space had +inertia to the change. Perfectly normal. The next pattern you learn is that +as underlying components evolve, you get a change of practice. So we go +from high meantime to recovery, to low meantime to recovery. So we go +from scale up to scale out. We go from disaster recovery to chaos engines. +So we're distributing systems now. We're using chaos engines. We're no +longer doing things like capacity planning. We don't need to do that +anymore. We're not having to do N plus one anymore, all those sorts of +things. Okay, the next pattern you learn oh, and those new practices, we +gave a word we called DevOps eventually. Efficiency enables innovation. +Standard pattern commodogation. 
So as things become a commodity, you +get the appearance of new things like Netflix. + +Simon Wardley - 11:57 +Higher order systems create new sources of value or worth basic standard +patterns useful for investment. So when I look at a map, I can basically +see what's changing. I can go where we should invest and also where we +should not invest. So existing practices and servers in the data center and +it's simply by using this map more complicated version. This is how at +Ubuntu we attacked the market. We were like 3% the operating system +against Red Hat, Microsoft, they had all the money, all the people and +everything else. Took us 18 months. We took 70% of all cloud. Not +because we're genius, we just knew where to attack. Really simple. + +Simon Wardley - 12:36 +All right, so when it comes to weak signals, there are a whole bunch of +things you're looking for when it comes to this particular set of patterns or +this sort of change, evolutionary change, past success, breeding inertia, +lots of people complain, dismissing the future system, high levels of +efficiency of the future system. A new set of changing practices should be +emerging which are associated with speed. You should see rapid +innovation with people built on top and those new systems creating value. +And those are things that you can look for if you're looking for a change +in the marketplace caused by climactic patterns. And a classic example of +this we saw in 2014. So by 2010, the emerging practice got new name +DevOps. By 2014, the runtime further up the stack started become more +of a utility and it had exactly those patterns. + +Simon Wardley - 13:31 +Which is why in 2014, you should note, should have known AWS Lambda +was going to become huge. This is where we need to go much more into +the serverless space. Which is why your strategy should have changed +because everything underneath it eventually is now heading towards the +new legacy. 
Your strategy in 2016 is completely different from what it was +in 2008. Your focus should have been on serverless, the emerging practice, +et cetera. And that's what we're seeing grow today. All perfectly standard. +I just want to reiterate that your strategy in 2016 is totally different from +what it is in 2008. And the guide to it should have been those signals. + +Simon Wardley - 14:13 +You should have seen the efficiency, you should have seen people building +things rapidly on top, lots of inertia, lots of people resisting this change, +those practices associated with speed, rapid development of new things, +with new sources of value, et cetera, they're all the sort of signals that you +look for. So you can read more about that in a wonderful book called The +Fly will Affect by Dave Anderson. And then you get to another set patterns, +leadership. So let's have a look at those. There's a whole bunch of them +which we're not going to go through except for one. Sensing engine is a +particular model called ILC. It's a very simple model. You take something, +you turn it into a commodity, you expose it as an API so other people can +build on top. + +Simon Wardley - 15:00 +You mine the metadata because they're building on top of your API, so you +have to bill them. So you mine the billing data, see what is becoming +popular. So you identify new components in that industrialized new +component services. The people you've just chewed up scream, oh, they've +eaten our business model. Everybody else cheers because they can more +rapidly build new things. On top of that, it's a very simple model. You get +everybody else to innovate for you. You mine metadata to spot future +patterns, you commoditize to component services. And the reason why you +use this model, it's written back in I wrote it back in 2005, is now your +rate of innovation, customer focus, efficiency, all increase with the size of +the ecosystem people building on top. 
You use it to climb up the stack on +the right hand side. + +Simon Wardley - 15:51 +So you compute machine learning, engines, platforms, whatever it +happens to be, you're building up on the right hand side of the stack. Now, +you'll read about this in a book called Reaching Cloud Philosophy. AWS's, +second ever book. It's got about 17 pages of mapping in there. It's got the +IRC model in there. Basically, it describes how they chew up industry after +industry. It's very simple to spot. You look for certain patterns. So known +for providing components focused on enabling others to build harvesting +of ecosystem, obsession with efficiency, obsession with customer focus, +considered highly innovative, despite the fact they're not doing any of it. +Rapid growth up the stack. So if you spot those particular signals, you +know somebody's playing that game against you. Now, that's one bunch of +climatic patterns and a bunch of signals associated that's one specific +leadership pattern. + +Simon Wardley - 16:46 +There's a bunch of signals associated with that. Of course, there's a +massive amount to this field, but you can reapply this in other areas. So if +I look at something, this is the automotive industry. This was done in 2015 +at DVLA, looking at how it was changing. So this was where it was going +in 2025. Many, many things becoming much more commodity like +increasing use of intelligent agents, et cetera. You simply overlap China's? +Gameplay? We see them doing exactly the same sort of game. Heavier +focus in terms of climbing up the stack, efficiency one side, they're +encouraging joint ventures and of course, accused of harvesting the +ecosystem. It's all the same thing. It's basically a classic ALC model. + +Simon Wardley - 17:33 +And if you know that the bigger their ecosystem gets, the same with +Amazon, the more innovative, efficient, customer focused they are, the +more impossible they are to play. 
There are ways of countering that, but at +least you know the game they're playing, right? So now here's the +problem. That's all wonderful stuff, and there's a wonderful book come +out called Leading by Week Signals, which has loads of maps in there. It's +by Peter Gomez and Mark Lampert. So I've been having a look through +that. It's got lots of forms of maps in there, but the problem with the book +is it's probably only got an audience of about a thousand people. The +reason people is most people don't understand their landscape. We +compete in multiple landscapes, not just territorial, but obviously +technological, economic, social and political landscapes. + +Simon Wardley - 18:22 +And if we just have a look at the economic and technological landscapes, +we have very poor understanding of the environment. We've seen this from +all the problems we've had with supply chains in the economic space. So +our first problem is we've got very poor awareness of the landscapes we +are competing in. That's assuming that we realize that we are actually +competing in landscapes. But there's a second problem, and for that, I'm +going to share something else. Can you see a mirror board? + +Dinis Cruz - 18:58 +Yes, I can. And that's leading by week signals by Peter Gomez. Right. + +Simon Wardley - 19:04 +Yes, it is. And Mark Lambert. So what I did is I took about 60, OD people +who are all so I run these groups where we look at an industry like +defense, like healthcare, like finance, education, and we try and map out +the space and understand what's important, where to invest. And so we +did one on cybersecurity. So I took about 60, 70 people, all from different +parts of cybersecurity. And the first thing we do is ask them what matters. +And so they came up with a load of things that matters phishing attacks, +security target attacks, detection, disk, trust loads. All of this stuff +matters. All right, that's great. 
How do we work out what of all of this +stuff actually matters? Well, the first thing I ask them to do is group it into +themes, or what we call perspectives. + +Simon Wardley - 19:58 +And so they group this into things like risk management, security +awareness, procurement, infrastructure, threat, identity, data, people, a +bunch of different themes. And then what we do is we ask them self +organizing to group map out the most of those themes. In fact, they +choose a number of them, I think it was about six. And they chose to map +out people, technology advancements, risk management, security +awareness, data and threat. Now, this is all done over a period of 10 +hours. And so what they do is they go and map out each of these areas. +Now, why would you do that? You do that because I want you to imagine, +you want to find out what are the most important landmarks in, say, Paris. +But no one's ever been to Paris. + +Simon Wardley - 20:47 +So you send one group out there to map Paris, and they come back with a +map. They've obviously mapped it from a perspective how do you know +the map's right? It's wrong. They might have mapped it from the +perspective of the nicest places to buy pizza. And so they will say the +number one place is Pierre's Pizza Parlor. Okay, fine. So what you do is +you send multiple groups out to map it from different perspectives, and +then you can ask the question, what are the most important landmarks +across multiple maps? And then you can aggregate that together. So this is +what they did they went through as a group, they map. + +Dinis Cruz - 21:22 +Out their particular overall and now he's going through the sorry. + +Simon Wardley - 21:29 +That's all right. Does that make sense, by the way? + +Dinis Cruz - 21:31 +Yeah, no, it's really good. No, exactly. I was just seeing your praises here, +but keep going. I unclick the mute. + +Simon Wardley - 21:40 +Hey, no problem at all. 
So they map out things like cybersecurity from the +perspective of people. So they've added a whole bunch of components in +here and they're looking at things like risk management, total +stakeholders, assets, situational awareness, protection, et cetera. And then +they do it from all of these. So they're broken into different groups. We +run this all in parallel. So you've got one group down here who was +mapping it from the point of view of awareness, and one group who are +mapping over here from the point of view of risk management. Now, you +can see they circle around this area because that's when we ask the +question. Once they've got a map and they've got embedded in their +perspective of the landscape, we ask them the question, what matters? +Okay, where should we invest? + +Simon Wardley - 22:27 +And get them to highlight the most important area. So, from the +perspective of cybersecurity risk management, they highlighted things like +better risk analysis skills, LLM data. Now, that's not that one. + +Dinis Cruz - 22:40 +Sorry, can you just zoom in? Because I think that one for me has one of +the best examples of why LLM is going to completely make a massive +change in our industry. So let's zoom out a little bit. Sorry. So you can see +what we've done here, if you look at it, is that you basically have multiple +elements of the cybersecurity industry, right. From a risk point of view. +Right. And then the interesting argument was you see that LLMs in the +bottom right? Kind of they're allowed the LLMs that it's allowed on the +bottom right. Yeah. Your mouse. The argument were talking about was +that before Shi GPT, that was all the way to the left, right? So for me, it's +a great example. + +Dinis Cruz - 23:25 +I've used it several times to explain why sometimes things change +overnight or change very quickly, is because that LLMs before track GPT. +And you probably can argue, maybe even now with the visual element, the +multimodal was kind of to the left. 
Now that it's there, it means that all +those security LLMs, which are pretty primitive, are going to go very fast. +In the past, I almost sometimes view this as gravity, right? In the past, the +security LLMs struggle to move to the right because they were anchored +by the LLMs Foundation. That was, in a way, on Genesis. Now that the +LLMs are getting close to commodity or very productized, they're going to +pull, right? The gravity is going to pull all the security LLMs. + +Dinis Cruz - 24:08 +And if you're one of those guys at the top, in a way, you either embrace +that and then your strategy should be changing because you'd know the +security alms are going to move all the way to the right very quickly. + +Simon Wardley - 24:21 +So one way to test whether that is true is going all the way back to the +weak signals in here. And here we have our pattern, things industrialized. +So are you seeing lots of signs of inertia because of past success in +previous ways of doing it? Are you seeing this as an evolutionary change +associated with efficiency? So is that going on? Are you seeing a change of +practice associated with speed? Maybe it's got new terms like prompt +engineering or whatever. Are you seeing rapid innovation built on top with +new sources of value being created? Because if you are, then you know +this is the stage that you're actually at. + +Dinis Cruz - 25:00 +Yeah, well, I guess the answer to every one of those is check. Right? And I +think the thing that I found most fascinating is the inertia. I have to say +that I see so many people, even companies or individuals, that I could +totally see the inertia because I could see that they look for the flaws and +going, oh, that's not why it's relevant. And I'm like I have this analogy of +talking to somebody, saying it's like Jarvis, right? You know, iron man +jarvis. That we have Jarvis. And people now say he's not good enough. +Because when we asked Jarvis to sing, he didn't do a good job. 
Or we ask +him to do hallucinates. Jarvis hallucinates. Yeah, but what do we think +innovation. + +Simon Wardley - 25:39 +Is other than a hallucination? I mean, hallucination is not a bug, it's a +feature. But anyway exactly. Now, anyway, we do this across all of these +different maps and then what you do is you've now got multiple +perspectives. So we've got in total, here we are, nice little summary +diagram. We got six different perspectives. Data organization, +cybersecurity in the perspective of awareness from risk management. And +on each of these maps now, the group have highlighted what's important. +So with people regenerative culture, regenerative supply chain, these are +the words that they use. Risk management skills, better risk analysis, +security awareness, et cetera. They've highlighted the most important +areas. And then what we do is we aggregate across the lot. Okay? So it's a +simple task and bring it all together, aggregation. And then by finding +themes which are most common, you create a priority list. + +Simon Wardley - 26:43 +And it turns out that your priority list in cybersecurity is about building a +resilient culture. That the top four things seem to be about building a +resilient culture. Rapid growth of AI, cyber immunity, I. E. Organizations +constantly attacking themselves and getting used to being attacked in +order to harden themselves up and learning. So you end up with these sort +of core themes, which then what we do is we go and do an examination of +what's going on in the wider space. This is by comparing analysts against +what the actual group comes up with and what we discover is that the +analysts are mostly focused on process automation, continuous +monitoring, digital sovereignty, nation state, god knows why. They get +excited by that sort of stuff. 
+ +Simon Wardley - 27:34 +Whereas the group itself was more about resilient culture, cyber immunity, +rapid growth of AI, and actually awareness of the supply chain +management. You got to learn about that sort of stuff. So this is where +Spons and all the rest of it come into play. + +Dinis Cruz - 27:48 +Could you just explain me better, Mark, how to read this? So what does +the colors it will. + +Simon Wardley - 27:56 +Be when I write it up. So the yellow dots is I aggregate a whole bunch of +analyst reports and run them through the same process so I can see what +they think is high priority, what they think is low priority. The purple dots +are where the group was. And then what I do is also I take the entire list +and I send it through Chat, GPT and Bard because they're trained on +large sets of data, so they give me a sort of background signal of what the +general market feels. So I ask Chat, GPT and Bard to order them as well. +And so that's the red and the blue. So the ones you concentrate really on +are the yellow and the purple. And you can see there's quite a big +distinction. + +Simon Wardley - 28:36 +So the only area that the group agreed with the analysts on was the rapid +growth of AI. That was the only space. Otherwise there's quite a big +distinction between what they thought was important. Now, the reason +why I mentioned this is because you think about resilient culture, cyber +immunity. So it's about making your organization capable of coping with +shocks and being constantly under attack. So improving its hardness to +those sorts of shocks. I mean, those are obvious sort of things, but that's +not what was being mentioned in the analyst report. And I think it was the +next day, I think, Denise, it was either yourself or with another group. This +whole conversation, this ridiculous idea there was a CISO quite proudly +showing off a board of shame that they were using in their organization. 
+ +Simon Wardley - 29:27 +So they would do phishing attacks and everybody failed, went on the +board of shame, which is almost the reverse. This is not how you build a +resilient culture or build up cyber immunity. This is actually how you +dismantle any form of culture that you have within that organization. You +create a system of fear and it's almost the reverse of what you want to do. +So this leads me to the second problem, because the first problem is that +we don't understand our landscapes anyway. So the weak signal stuff is +really exciting. I'd love it, but for most people it's fairly irrelevant because +we don't actually understand our landscapes. And the second problem we +have is the utter idiocy that we do in places, even basic things like how we +build resilient cultures, which obviously should be a focus, I'm afraid. + +Simon Wardley - 30:18 +In some places, we're not even doing that at that point, I'll go quiet. + +Dinis Cruz - 30:25 +So how do you measure that? Because I have to say, one of the +frustrations that I feel we still have this is a good one to bring Mario's on +this is that I still feel that a lot of security, it's still a marketing exercise. +And I'll give you an example. Imagine three organizations. One has that +CISO, one has maybe the other extreme super more enlightened. And I +completely agree that's what not to do. By the way, one has great +practices responding quite well, and then one in the middle. At the +moment, we don't have a good way to let the market promote and reward +the good player. + +Marius Poskus - 31:12 +Yeah, I think you're very right. I think it all stems from what Simon +mentioned about the culture. I think loads of organizations are still +carrying that legacy view of security, saying no security being stick instead +of a carrot. So I'm always the kind of person that always thinks about +how we can communicate and collaborate with people to actually help +them understand how the security work. 
Like phishing simulations. It's +never a blame culture. It's always about how you encourage people to +report bad behavior because you build a two way collaboration. You +always encourage instead of noticing someone who failed you're, noticing +people who might detect the emails and praising people for their good +work. That's how you breed. I think the culture sort of spin. We never say +no. And that's one other thing. We actually talked within my team last +week. + +Marius Poskus - 32:25 +When did the last time we said no to someone in security? And we couldn't +remember. We never say no. We always say yes. But let's look at from +security perspective, what do we need to be able to say? Yo, yes. For +example, what are requirements of security to be able to say yes? And +that's how we always we're always playing around availability and +security. Because I think sometimes people forget there's loads of +organizations that add security for the sake of security. + +Simon Wardley - 32:55 +Can I just say I love that? Absolutely love that. Thank you. Back in the +1990s, I used to run security for an organization called Harrods, which +obviously as in the It security. And one of the things I would do is attack +the organization. Of course, when we found weaknesses, rather than go +round them, because unfortunately, there was a big culture of fear in that +organization. Rather than go around, beat people up, we'd involve them in +the group to do the next round of attacks. Because you'd learn from the +process. So it wasn't a case of go and hit somebody with a stick, put them +on a wall of god, I can't believe in 2023 somebody puts up a wall of +shame. I mean, that's just anyway, I love hearing the words that you were +saying. + +Marius Poskus - 33:46 +Yeah, it's always either involvement or another thing that really helps. I +think for us is make it personable. 
Whenever we have examples of safe +phishing, we always trying to relate examples of various banking scams, +SMS scams that we find in the wild and how it relates to people's, external +families, external sort of known people circle, and how we can relate. That +how you're enhancing your security knowledge, not only for the job you +do, but your personal life, how you protect your personal bank details, +your personal money and personal details, as in what can be used for +nefarious purposes. So I think when you connect those two dots, it always +sort of a big light bulb goes up in sort of people's head. + +Dinis Cruz - 34:33 +But we need a way to share this information. And I think a really good +sign is a sign that the insurance industry is really raising the bar because +they got burned quite spectacularly by distributing insurance as confetti +for a while and then got burned right. Because they were not evaluating +correctly the security posture. And now they're starting to put pressure. +And even if you look at that simple example, which I would argue, it's +almost like if they don't have the awareness to understand why that's a +problem, we can bet that there's going to be another 40 things they're +going to be doing wrong. It's almost like the canary on the coal mine. But +we need a way to expose that. We need a way for the market to become +more efficient. + +Dinis Cruz - 35:15 +In fact, we need a way for the senior management to understand that's +what's happening and the need. Right? And maybe the senior management +loves it. Great. And maybe it's a cultural problem within the organization. +Okay? Right. There's a moment where you draw the line a bad company is +going to be a bad company. Right. But it might not be that their customers +are that happy with it's. Kind of like pollution. Right? 
So in a weird way, +we now have very little acceptance for companies that claim all sorts of +things and behind the scenes they polluting like mad and they're +destroying environments and they have really bad ethical practices. I think +we need a way and I think Maps is part of the solution. I think Maps is one +of the ways this can work quite effectively and also translating it to +particular audiences. + +Dinis Cruz - 35:59 +So you reward the teams that are doing a good job, the teams that build a +good culture. If anything, Mares is giving us better arguments when we +justify why we do certain things. Right. + +Marius Poskus - 36:10 +Yeah, I think I'm a big proponent as well. Sometimes people forget that +security is part of the business. We need to align security to business. How +comes some of the security professionals, when you talk, when you ask for +a security professional, how does your security program help your +business? Bottom line, they always get mind boggled. Oh, bottom line is +not our concern. But that's the thing. How do we build accountability? +How do we make people understand what security is all about. That's one +thing that is always. + +Dinis Cruz - 36:45 +I. + +Marius Poskus - 36:46 +Guess it's not portrayed very well because sometimes people hide behind +accountability and that's what needs to change, I guess, as our industry +matures. + +Dinis Cruz - 36:58 +But then we are the problem, right? The security professional is the +problem. + +Marius Poskus - 37:02 +Some of them, yes, some of them are. + +Dinis Cruz - 37:06 +I think there's maps. What I like about, and I'm going to keep throwing +the other lens into this. 
I think we can scale that now in ways that before +whereas it's not possible I think it's now possible to take a map, a +visualization of practices that a company is doing, and provide narratives +that are anchored in a way I bias throws a particular way that we can +then get some good data on the back of it and going, that's okay. That's +not okay. I'm telling you, I have that problem. I have freaking suppliers +coming out of every bed of the organization and it's going to go even more +because we're going to get a marketplace, right? So I really want to make +sure that I can push security down and understand the metrics in my, for +example, third party supply environment. + +Dinis Cruz - 37:58 +So how can we scale that, Simon? How can I get I will put a policy that +says I want every team to give me a worldly map of security, of how you +operate. + +Simon Wardley - 38:10 +It's not just an organization in terms of a company problem. This is a +massive problem from a. + +Dinis Cruz - 38:15 +Nation state, but let's solve an organization problem. + +Simon Wardley - 38:21 +But a classic example of this, one of the best I've seen, it's not a map, it's a +graph is the work which was done by the Complexity Group in Vienna for +Hungary. So what they did is they took VAT transaction. You know, +whenever you transact with someone else, there's value added tax and +Hungary collects them at transaction level. So they were able to graph out +the entire economy, which is amazing. And what they found is there were +90,000 old companies, and I think it was about 100 companies +represented about 70% of the systemic risk of the entire economy. And it +was something like about 30 companies were about 25% or something. So +any one of those 30 having a problem, you lose 25% of your GDP. But +most companies have that terrifying thought. + +Dinis Cruz - 39:12 +Most companies are like that. In fact, I would argue that most internal +systems are like that. 
The challenge is, in fact, I had this exact +conversation with my team a couple of weeks ago where we had a big +incident and we're now mapping, for example, which parts of the +organization that we going to leave to burn, which parts well, in a nice +way, but which parts we're going to run straight away. Because those are +the 20% that keep the stores open, right? They are the 20% that if they are +alive, we can deal with the rest. Okay? But if they have a freaking heart +attack, then we have a problem. No. + +Marius Poskus - 39:49 +Go ahead, Sam. + +Simon Wardley - 39:49 +Well, I was going to say if you think about the Hungary example, other +nations can't do that. The UK, we don't collect transaction level VAT +records. France won't do so until 2030. So they're operating in spaces +where they do not understand their landscape. So you cannot see the +pattern. So we get hit by shops all the time and yes, absolutely, it's true +with organization. This is why things like Spom software bill and +materials, okay, it only gets you to the point of graphing and there's a +world of difference between when something's a commodity and when it's +custom built. So ideally we want to get to math, but we're lacking the +basic information. This is why the Typhoon this was about weak signals. +Weak signals. It's like Irobot, we're like hacker, bloke blah. That's great, +but it's fantasy for most people. + +Simon Wardley - 40:37 +And it's fantasy because they don't even have the basic understanding of +the landscape. And even more terrifying, they're not even doing the basic +simple things of building resilient cultures within what they've got already. +So there's an awful lot of groundwork which is almost why Weak Signals +is I love the topic, I love books like this. I think this book is great and +there's some really good stuff and I can see but it's a bit like how the +analysts always want to talk about nation state security. 
What's the point +if you don't actually understand the landscape? + +Marius Poskus - 41:09 +That's the thing, I don't know why, but for some reason nowadays we keep +talking about tools, about innovation and about this new shiny blinker +3000 that's going to solve all our problems. But people keep forgetting +why would you start talking about nation states if a script kitty can breach +your defenses? Because maybe you don't have ten visibility in your assets. +Maybe you don't even started doing the basics. Like you don't have your +data flow mapped and you don't know where the data is going and where +it's stored, how some of your assets are managed from hardening +perspective. That's why I think in a way it sort of underlines the problem +because what we spoke within when I was in Sansis or Network event +2010s was all about reducing the likelihood of risk. + +Marius Poskus - 41:57 +And I believe that 2020s are shaping now in saying we can't reduce +likelihood anymore because it's inevitable that something's going to +happen. So let's work on resilience how we can maintain business +operations and reduce the impact of that cyber attack and let's not focus +about likelihood anymore. + +Dinis Cruz - 42:15 +Look, I argue that my job as a CISO is to allow the business to take risk. +Yeah, that's my job. My job is to make sure the business takes the right +amount of risk with the right amount of understanding, with the right +amount of mitigations in a way that incidents don't become crisis because +the business needs to operate at a level of risk. It happens all the time. We +have stores open, right? You can walk into a store, right? We don't have +military guys at our stores. When you go and buy your vitamins, by the +way, we have great new products, poland America. Yeah. + +Marius Poskus - 42:49 +Because there's a thing like if you. 
+ +Dinis Cruz - 42:50 +Look at the latest, very healthy, but a dude with the machine gun and a lot +of security guards at the entrance is not going to really work very well. +Although it might make it more secure. + +Marius Poskus - 43:00 +If you look at the latest Greg's von de Gras book, he's poised a very +important question. Every year the cybersecurity budgets are getting +bigger, but we're not getting less breaches. We're getting more breaches +every year while we're spending more on cybersecurity. So there is a +fundamental yeah, but. + +Dinis Cruz - 43:21 +We also have a lot more interconnectivity, right? Like, come on. If you look +at the side effects of a cyber breach in 2023 versus 2020 or 2010, right? +It's kind of like it's very different, right? And there's a lot I think hang on. + +Simon Wardley - 43:37 +Yes, but remember, we also have very little understanding of the landscape +itself. Most organized, very poor understanding of the space. And I think +Marius is hitting on a really important point because from what came +from that cybersecurity group was the critical things of the four things +was awareness, CPA, landscape supply chain, software bill and material +supply chain management was in that group of four. And rapid growth of +AI. So that's the technology thing. But the real two big ones were resilient +culture and cyber immunity. And they're about people, not about +technology. So that's about how you build a culture which copes with +shocks and manages those shocks, and how you toughen up that culture +so that people become sensitive. + +Simon Wardley - 44:23 +And this is why that whole sort of wall of shame thing is such a daft or +creating cultures of fear are so incredibly daft things to do. So, +unfortunately, when I look at sort of the analyst reports, it's a continuous +monitoring, it's more analytics, more big data process, automation, big +one. Big one that's all about technology. 
So I think there's some +fundamentals here in terms of we've got to focus on the people and +building a resilient culture and building that concept of cyber immunity +within an organization. I think then, on top of that, we've got to improve +our awareness. Then we can start talking about these wonderful new +things. I think the real danger is people say, oh, well, AI will magically +solve this. I've got to say, I'm gray. Maris on here. + +Simon Wardley - 45:08 +Sort of the magical sort of like it is piece of data will magically do it. +We've got to get back to fundamentals. + +Marius Poskus - 45:14 +And I think on the back of that simon I think the great point is the big +talent shortage is another bull because we all know to me personally as +well, yes, you need some of the skills in specific niches. But when you +hiring security teams, most of the two of the most important skills for +myself is aptitude and attitude. You can teach the rest of them, but if +someone has the right attitude and aptitude to learn, it will be very easy to +get them and learn. The tech sometimes job descriptions and people hiring +teams saying, oh, we don't have specific talent shortage, I love that. + +Simon Wardley - 45:56 +And the reason why I love that, thank you so much for saying that, is +because it's often we've got a talent problem. It's always the people are +the problem. No, the people are the solution. They're your positive things, +they're not the problem. They are where the answer actually is, we've got +to change this sort of aspect. + +Dinis Cruz - 46:19 +So I've been trying to do this quite a bit, right. And actually, Sam, I would +like your views on this. So I'm a big fan of first of all, I completely agree. +We don't have a skills shortage. I think we have a skills transfer problem. +Right. 
What we need to get into cybersecurity is a lot more people from +other fields, because what they have is an attitude and a motivation and +an understanding and a maturity that we don't have right now. Right. The +way I think about this is I can hire somebody, let's say bands one to five, +right? Five is top, one is lower. I can hire a cybersecurity analyst at band +three, which is actually quite expensive if you think about it. Right. And I +would argue today there's a premium that we're paying because of the +skill shortage. + +Dinis Cruz - 47:01 +What I want to do is I want to hire a specialist at Band Four from another +industry, a doctor, an engineer, a poet, a restaurant manager, an individual +that really has a lot of great knowledge. And I want to bring them to +cybersecurity because they have that experience. The problem in the past, +and I've done a couple of cases, they've been successful. My challenge was +how to infuse that person with cybersecurity knowledge once they're ready +and once they want to drink it. And I have to say, I know that not a tool, is +not suit for everything but the gen AI ability that we will have not yet to +create customized learning paths, to create agents, bots training +environments that allow an individual to learn a much faster pace. + +Dinis Cruz - 47:46 +I feel that can be a piece of the puzzle that allow us to bring a lot more +people into our industry in a much more effective way. + +Simon Wardley - 47:53 +You do, but obviously I mapped out the education system with a whole +bunch of professors of education. We thought the education system was all +about maximizing opportunity and critical thinking, and it's not. It's about +producing social cohesion and useful economic units. + +Dinis Cruz - 48:10 +I'm going to start at the more. + +Simon Wardley - 48:11 +Involved bots and tools can have the dupe be used in a way that does what +you say, but it can also be used to create new balls of shame. So I would +be careful. 
You got to think about those. So we've got some questions. + +Dinis Cruz - 48:29 +One of them is Jim, do you want to jump in? Because I think you can ask +your question. + +Simon Wardley - 48:33 +So yeah, cheers. + +Speaker 4 - 48:34 +So Simon, I came to your session at the Center Park years ago and asked +you about risk and you pointed me this book which you can't see. It's +called The Search for Value and it relates ask you a question about risk +and you pointed to that book which has got lots of equations in it. But I +think the most useful thing it does is it shows that risk is in some ways a +reciprocal of business value, of stock value. It's a direct relation. So I +know that you're a risk guy and thanks so much for sharing the research. I +saw that risk analysis was an area of focus. I just want on that. + +Simon Wardley - 49:14 +Well, so the risk analysis in terms of this group, it was what are the major +areas? The ones that were right at the very top were very much about +people type stuff. So very much culture and cyber immunity and lower +down there was the concept of risk analysis. Now, from my point of view, +when we start talking about risk analysis, I'm talking about value, I'm +talking about things like capital flow. I'm using maps because I'm actually +using the interconnections between the different components because +every line in a map is a bi directional exchange of value or I give money +for a cup of tea or whatever and risk itself is just another form of asset +that flows in these sorts of maps. But in order to assess that, I've got to +actually understand the landscape. + +Simon Wardley - 50:00 +And so I've got a fundamental problem, is that I generally don't +understand the landscape. So without this sort of stuff, it's the same with +the economic system, it's mostly sticking fingers in the air and having a +good guess. It's exactly the same with sustainability scope three. 
It's all +estimation because again, we don't understand the components and the +connections between them. So I do like the risk management stuff, the risk +analysis. I'm going to say from my point of view, we've still got huge +weaknesses in actually understanding the environments that we're actually +operating. And until we do start to understand those, we're still going to +be in the world of guessing. Does that make sense? + +Speaker 4 - 50:43 +Yeah, it does. I suppose I was hoping that you'd talk about some technical +framework or decision making framework or ways of gathering +information. What do you think about the large language models? Do you +think they can help with risk analysis? + +Simon Wardley - 50:57 +So, as I said in the beginning, I think there's a huge change between Chat +GPT four and the multimodal form of Chat GPT because now we can +actually start having a conversation with them. It's huge, it's night and +day. It's that sort of scale and so I think there are I'm already using them +to help create maps and so forth off the space and starting to have +conversations. I think we're still very early days. I think there's some real +potential there once we get a handle on the landscapes because we +compete across multiple landscapes, territorial, technological, economic, +political and cultural landscapes. Only one of them, the territorial, do we +have a handle on, do we have maps and radars and all the rest of it and +that sort of stuff? The other four, it's often people talk about digital +sovereignty. + +Simon Wardley - 51:51 +Well, where are your borders? Where are you going to compete? Or +conflict with others, I should say, where are you going to cooperate? +Collaborate. You can't answer those questions without actually +understanding the landscape. We can do that in territorial. So we're +lacking those basic things. So your question, can it help? I think we're +getting there. 
We're starting to be actually able to have conversations +outside of the world of text. And so I think that's a massive improvement. +Does that answer your question, Jim? Yeah. + +Speaker 4 - 52:20 +Thanks so much and thanks for sharing the research. + +Dinis Cruz - 52:22 +Really interesting. + +Simon Wardley - 52:23 +Pleasure. Pleasure. Absolute delight. + +Dinis Cruz - 52:25 +So Jim, the way I connect that and I feel again, I think we have a golden +opportunity now to really make sense is to connect risk with other parts, +to have that situation awareness where in the past risk at top level was a +bunch of spreadsheets. Then you have a gap, then you had reality, then +you might have maps. I think we now can start to be able to graph them +out, connect them, create narratives and then use the maps to drive +behaviors, right, and to drive situation awareness. But it's the connectivity +that is super important. Like for example, do people understand the risks +of what the decisions they're making? A project, doing a project, does he +increase, does he decrease? Does he maintain your risk? I think that was +the thing that was always missing. + +Dinis Cruz - 53:05 +When the exec make a decision, do they understand the ramifications of +the decisions they're making? Right. And I think that in the past was +impossible. It was air gaps, right? It was spreadsheets or even system A +and system B, like Simon daddy's great picture of a company has 25 risk +systems, or 100 systems or 1000 systems. But I think we now have an +opportunity to connect them. There's a bunch of technologies and +processes and thinking that are converging, but I feel the LLMs provide +the connection dot between them that allows us to do translations in a +way that in the past was impossible or requires so much engineering cost +that nobody could do it. So watch this space. I think it's really cool. So, +final thoughts on last couple of minutes. You got another question from +Tristan. 
Yes, you're right. + +Dinis Cruz - 53:57 +If you can unmute yourself, you should be able to. But I can ask is what's +the threat intelligence equivalent of the hungarian VAT Records graph, +that graph that we can do on threat intelligence that gave us that visibility +and find those 50 or 20 mission critical spots. + +Simon Wardley - 54:19 +I think you're starting to see the requirement for the US government, the +Executive Order, the spombs, that's fashioning positive mean within the +Mozilla Group, they've got a particular system which is all about funding +open source projects which is coming out and it has some incredible +graphing capability because of how it redistributes funds within that +system. So there are ways of doing this sort of stuff. We're not there yet +though, to be blunt. We're not even talking maps here. We're talking +graphs of the connections between things. To be blunt, the only places that +I've actually seen where the market was able to create a deep +understanding of the supply chains is the International Material Database +System, which is in the automotive. And that's because the European +Commission came out with some pretty hefty legislation forcing to do so. +And pretty much that's about it. + +Simon Wardley - 55:36 +I mean, Spom is government action. I think it's going to require +government action. I think we're not going to get it until actually we have +a government department of the supply chain or equivalent across +multiple. I hear a lot of talk, people say we'll come together again, magic +technology, it will be sorted on the blockchain. I'm sure they say just throw +a bit of AI on there and magic will happen. But people like to keep their +information in silos, even though it doesn't make a great deal of sense, +even though the value is amplified by sharing it, they don't want to. So to +solve these problems, I think eventually you're going to need government +legislation. 
+ +Marius Poskus - 56:26 +I would add a couple of things. I think one thing is we're currently severely +lacking is collaboration. So as you guys probably are aware, not that long +ago, only US government signed an Executive Cybersecurity order for +governing departments to collaborate on various cybersecurity issues, +which is just recent. We have a breakdown between government, private +industry and then vendors. I've been sharing my ideas about various +vendors and I think there are some vendors who are really changing the +landscape. I've been to a few calls where there's nothing talked about +sales pitches. It's a collaboration culture where people are allowed to +discuss various subjects under Chatham House rules. + +Marius Poskus - 57:24 +So I think vendors, private sector and government collaborating and +sharing knowledge, in some ways it's a way forward because it's us +against the bad guys and the more we can work together, the more we're +going to achieve. So how about some of the vendors? They're potentially +working with hundreds or thousands of companies, so they have a lot of +intelligence that could benefit the industry. So how we can collaborate and +share and knowledge and advance our collaboration, that's the way +forward, I guess. + +Dinis Cruz - 58:00 +Well, the Open Security assignment on that final note, right, is trying to do +is bid for collaboration right. I think we do a lot of collaboration here get +a lot of people together, share a lot of information. Everything is posted +on videos is out there. Right. But I agree we need a lot more and we need +to get some of us physically together but yeah, absolutely. All right on top +of the hour on this simon, thanks again. Always brilliant I love that you +gave actually what you created was a really lovely which I need to +package and publish in the summit side on I always need people tell +volume maps take one thing for I just tell you, and I go read that. See +that? The first 15 minutes. 
Nice and easy again, Marius. Thanks for +collaborations, and I see you guys next time. + +Marius Poskus - 58:43 +Thank you. + +Simon Wardley - 58:44 +Absolute pleasure. Take care. Bye.
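Review bot: the transcript added in this hunk is raw speech-to-text output, and several proper nouns and acronyms are mis-transcribed in ways that will mislead readers of the published page; they should be corrected before merge. The clearest cases in this region: "Spons", "Spom" and "spombs" should read SBOM (the speaker himself expands it in "Spom software bill and materials"); "worldly map" and "volume maps" should read Wardley Map(s); "script kitty" should read "script kiddie"; and the speakers' names are garbled in-line ("Denise" for Dinis, "Sam" for Simon, "Mario's", "Mares" and "Maris" for Marius). The turns labelled "Speaker 4" belong to the questioner whom Dinis and Simon both address as Jim, so that label can be resolved. "Greg's von de Gras book" and "Sansis" look like mis-hearings too and are worth checking against the recording rather than guessing. Finally, the isolated cross-talk fragments ("I." and "Yes, you're right." as stand-alone turns) could be folded into the adjacent turn so the rendered transcript reads cleanly.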