Using Wardley Maps to Understand Security's Landscape and Strategy

Presentation delivered at the 'Security 360-Talk to the Board!' conference on 7th November 2019


  1. @DinisCruz Using Wardley Maps to Understand Security's Landscape and Strategy V0.9, Nov 2019
  2. Simon Wardley
  3. My journey started in May 2018
  4. Wardley Map of Wardley Maps
  5. Map your kids
  6. Key Concepts, Sun Tzu and OODA loop
  7. Value chain mapped to Evolution
  8. Creating a Map
  9. Start with the users and their needs
  10. Add capabilities
  11. Create Value Chain
  12. Create a Map
  13. Evolution, Climatic Patterns and Doctrine
  14. 4 types of Evolution
  15. Zooming in on Evolution
  16. Zooming in even more
  17. From Genesis to Commodity
  18. Use appropriate methods
  19. Climatic patterns
  20. Doctrine principles - Phase 1
  21. Doctrine principles - Phase 2
  22. Doctrine principles - Phase 3
  23. Doctrine principles - Phase 4
  24. Doctrine by Area https://twitter.com/spurkis/status/1187730682589659136
  25. Your Roadmap (Doctrine)
  26. Map your competition (Doctrine)
  27. PST (Pioneers, Settlers, Town planners)
  28. Organise Teams using PST
  29. GamePlay
  30. Security Maps that are not maps
  31. Security MindMap (where to focus?)
  32. CISO MindMap
  33. But in Maps space has meaning
  34. Merge Maps (and discover duplication)
  35. Consolidate maps
  36. Map Duplication and Bias
  37. Discover clusters
  38. Mapping Money Flows
  39. Mapping a cup of tea
  40. Understanding P&L and cash flows
  41. Example: Mapping a Digital Product
  42. Start with Value Chain https://medium.com/@erik_schon/the-art-of-strategy-811c00a96fad
  43. Use Evolution to turn Value Chain into a Map
  44. Mapping products available in market
  45. Capture movement and next steps
  46. Example: User need ‘Find right home’
  47. From Value Chain to Map https://medium.com/@chrisvmcd/mapping-maturity-create-context-specific-maturity-models-with-wardley-maps-informed-by-cynefin-37ffcd1d315
  48. Adding more paths
  49. Adding Movement
  50. IBM case study
  51. Mapping ‘Who Says Elephants can’t dance’ book https://medium.com/@juliusgb2k/wardley-maps-an-illustration-from-gerstners-book-9ff29a244e8a
  52. State of IBM in mid-1990
  53. Using Doctrine to understand Lou’s actions
  54. Decisions and Actions in Map
  55. Areas of doctrine affected by actions
  56. Initiatives change the map
  57. Doctrine improves
  58. GDS* Case study (* Government Digital Services)
  59. Start with User needs https://hackernoon.com/rebooting-gds-96b1595096fa
  60. Know the details
  61. Remove duplication
  62. Challenge and Question (why are we building this?)
  63. Focus on Doctrine (Phase I)
  64. Break into small contracts/projects
  65. Use appropriate methods
  66. Understand what works on each area
  67. Pioneers, Settlers and Town Planners
  68. Example: Blockbuster vs Netflix
  69. Mapping Blockbuster (addition to late fees)
  70. Mapping Netflix, start with Value Chain
  71. Create a Map
  72. Netflix strategy: Productize Content Creation
  73. Amazon Strategy
  74. Commodities create new opportunities
  75. Co-Evolution
  76. Key Pattern
      1. Create Platform
      2. View what users are doing in your Platform
         a. What they are moving from Genesis to Custom Build
      3. Productize and Commoditize that
      4. Rinse and Repeat

      For example:
      - EC2 -> Lambda
      - EC2 -> Lambda -> API Gateway automations
      - EC2 -> MySQL as a Service -> Serverless MySQL
      - EC2 -> Elastic Container Service (ECS) -> Fargate
      - EC2 -> LightSail
  77. More industry examples
  78. On Healthcare https://wardle.org/strategy/2018/07/19/mapping.html
  79. Understanding Strategy and Bias
  80. NSO (National Statistic Offices) https://drive.google.com/file/d/1syRvOQiIc-cMri3Dq4YQtRa9502wc4cS/edit
  81. Venture capital https://www.map-camp.com/assets/slides/london-2019/prasanna-krishnamoorthy.pdf
  82. Mapping a Manager’s activities https://www.quora.com/What-problems-does-serveless-development-AWS-Lambda-solve/answer/Slobodan-Stojanovi%C4%87
  83. Security Wardley Maps
  84. Bug Bounty Workflow
  85. Threat Landscape
  86. SOC
  87. Mapping: Handling a Security event
  88. GDPR Analysis
  89. GDPR Readiness
  90. PCI Audit (before and after)
  91. PCI Audit (maturity)
  92. @DinisCruz
  93. Privacy Preserving techniques https://drive.google.com/file/d/1syRvOQiIc-cMri3Dq4YQtRa9502wc4cS/edit
  94. MPC Submap (MultiParty Computation)
  95. Mapping a Security Champion Programme
  96. Threat Modeling Maturity
  97. Mapping Cloud Security (SecOps)
  98. Mapping Cyber Attacks
  99. Mapping Security Domain Knowledge
  100. Mapping SOC Analyst activity
  101. Mapping Security Testing automation
  102. Mapping Endpoint Security Compliance
  103. Automatic Generation of Maps
  104. Slack Bot
  105. Jira and Jupyter Notebooks
  106. Using Jira to capture data
  107. Cynefin Framework
  108. See also Cynefin Framework https://academic.oup.com/heapro/article/28/1/73/576131
  109. Cynefin and Wardley Maps
  110. Community
  111. https://learnwardleymapping.com/
  112. Collaborate
  113. MapCamp 2019
  114. Thanks