This document provides an overview of Wardley Maps, which are used to understand an organization's security landscape and strategy. It describes how to create Wardley Maps by starting with user needs, adding capabilities, and mapping evolution over time. Various examples are given of mapping security topics like threat landscapes, compliance, and cyber attacks. Community resources for collaborating and learning more about Wardley Mapping are also provided.

1. @DinisCruz
Using Wardley Maps to
Understand Security's
Landscape and Strategy
V0.9, Nov 2019

2. @DinisCruz
Simon Wardley

3. @DinisCruz
My journey started in May 2018

4. @DinisCruz
Wardley Map of Wardley Maps

5. @DinisCruz
Map your kids

6. @DinisCruz
Key Concepts, Sun Tzu and OODA loop

7. @DinisCruz
Value chain mapped to Evolution

8. @DinisCruz
Creating a Map

9. @DinisCruz
Start with the users and their needs

10. @DinisCruz
Add capabilities

11. @DinisCruz
Create Value Chain

12. @DinisCruz
Create a Map

13. @DinisCruz
Evolution, Climatic
Patterns and Doctrine

14. @DinisCruz
4 types of Evolution

15. @DinisCruz
Zooming in on Evolution

16. @DinisCruz
Zooming in even more

17. @DinisCruz
From Genesis to Commodity

18. @DinisCruz
Use appropriate methods

19. @DinisCruz
Climatic patterns

20. @DinisCruz
Doctrine principles - Phase 1

21. @DinisCruz
Doctrine principles - Phase 2

22. @DinisCruz
Doctrine principles - Phase 3

23. @DinisCruz
Doctrine principles - Phase 4

24. @DinisCruz
Doctrine by Area
https://twitter.com/spurkis/status/1187730682589659136

25. @DinisCruz
Your Roadmap (Doctrine)

26. @DinisCruz
Map your competition (Doctrine)

27. @DinisCruz
PST (Pioneers, Settlers, Town planners)

28. @DinisCruz
Organise Teams using PST

29. @DinisCruz
GamePlay

30. @DinisCruz
Security Maps that are not maps

31. @DinisCruz
Security MindMap (where to focus?)

32. @DinisCruz
CISO MindMap

33. @DinisCruz
But in Maps space has meaning

34. @DinisCruz
Merge Maps
(and discover duplication)

35. @DinisCruz
Consolidate maps

36. @DinisCruz
Map Duplication and Bias

37. @DinisCruz
Discover clusters

38. @DinisCruz
Mapping Money Flows

39. @DinisCruz
Mapping a cup of tea

40. @DinisCruz
Understanding P&L and cash flows

41. @DinisCruz
Example: Mapping a Digital Product

42. @DinisCruz
Start with Value Chain
https://medium.com/@erik_schon/the-art-of-strategy-811c00a96fad

43. @DinisCruz
Use Evolution to turn Value Chain into a Map

44. @DinisCruz
Mapping products available in market

45. @DinisCruz
Capture movement and next steps

46. @DinisCruz
Example: User need ‘Find right home’

47. @DinisCruz
From value Chain to map
https://medium.com/@chrisvmcd/mapping-maturity-create-context-specific-maturity-models-with-wardley-maps-informed-by-cynefin-37ffcd1d315

48. @DinisCruz
Adding more paths

49. @DinisCruz
Adding Movement

50. @DinisCruz
IBM case study

51. @DinisCruz
Mapping ‘Who Says Elephants can’t dance’ book
https://medium.com/@juliusgb2k/wardley-maps-an-illustration-from-gerstners-book-9ff29a244e8a

52. @DinisCruz
State of IBM in mid-1990

53. @DinisCruz
Using Doctrine to understand Lou’s actions

54. @DinisCruz
Decisions and Actions in Map

55. @DinisCruz
Areas of doctrine affected by actions

56. @DinisCruz
Initiatives change the map

57. @DinisCruz
Doctrine improves

58. @DinisCruz
GDS* Case study
* Government Digital Services

59. @DinisCruz
Start with User needs
https://hackernoon.com/rebooting-gds-96b1595096fa

60. @DinisCruz
Know the details

61. @DinisCruz
Remove duplication

62. @DinisCruz
Challenge and Question (why are we building this?)

63. @DinisCruz
Focus on Doctrine (Phase I)

64. @DinisCruz
Break into small contracts/projects

65. @DinisCruz
Use appropriate methods

66. @DinisCruz
Understand what works on each area

67. @DinisCruz
Pioneers, Settlers and Town Planners

68. @DinisCruz
Example: Blockbuster vs Netflix

69. @DinisCruz
Mapping blockbuster (addition to late fees)

70. @DinisCruz
Mapping Netflix, start with Value Chain

71. @DinisCruz
Create a Map

72. @DinisCruz
Netflix strategy: Productize Content Creation

73. @DinisCruz
Amazon Strategy

74. @DinisCruz
Commodities creates new opportunities

75. @DinisCruz
Co-Evolution

76. @DinisCruz
Key Pattern
1. Create Platform
2. View what users are doing in your Platform
a. What they are moving from Genesis to Custom Build
3. Productize and Commoditize that
4. Rise and Repeat
● For example:
○ EC2 -> Lambda
○ EC2 -> Lambda -> API Gateway automations
○ EC2 -> MySQL as a Service -> Serverless MySQL
○ EC2 -> Elastic Container Service (ECS) -> Fargate
○ EC2 -> LightSail

77. @DinisCruz
More industry examples

78. @DinisCruz
On Healthcare
https://wardle.org/strategy/2018/07/19/mapping.html

79. @DinisCruz
Understanding Strategy and Bias

80. @DinisCruz
NSO (National Statistic Offices)
https://drive.google.com/file/d/1syRvOQiIc-cMri3Dq4YQtRa9502wc4cS/edit

81. @DinisCruz
Venture capital
https://www.map-camp.com/assets/slides/london-2019/prasanna-krishnamoorthy.pdf

82. @DinisCruz
Mapping a Manager’s activities
https://www.quora.com/What-problems-does-serveless-development-AWS-Lambda-solve/answer/Slobodan-Stojanovi%C4%87

83. @DinisCruz
Security Wardley Maps

84. @DinisCruz
Bug Bounty Workflow

85. @DinisCruz
Threat Landscape

86. @DinisCruz
SOC

87. @DinisCruz
Mapping: Handling an Security event

88. @DinisCruz
GDPR Analysis

89. @DinisCruz
GDPR Readiness

90. @DinisCruz
PCI Audit (before and after)

91. @DinisCruz
PCI Audit (maturity)

92. @DinisCruz

93. @DinisCruz
Privacy Preserving techniques
https://drive.google.com/file/d/1syRvOQiIc-cMri3Dq4YQtRa9502wc4cS/edit

94. @DinisCruz
MPC Submap (MultiParty Computation)

95. @DinisCruz
Mapping a Security Champion Programme

96. @DinisCruz
Threat Modeling Maturity

97. @DinisCruz
Mapping Cloud Security (SecOps)

98. @DinisCruz
Mapping Cyber Attacks

99. @DinisCruz
Mapping Security Domain Knowledge

100. @DinisCruz
Mapping SOC Analyst activity

101. @DinisCruz
Mapping Security Testing automation

102. @DinisCruz
Mapping Endpoint Security Compliance

103. @DinisCruz
Automatic Generation of Maps

104. @DinisCruz
Slack Bot

105. @DinisCruz
Jira and Jupyter Notebooks

106. @DinisCruz
Using Jira to capture data

107. @DinisCruz
Cynefin Framework

108. @DinisCruz
See also Cynefin Framework
https://academic.oup.com/heapro/article/28/1/73/576131

109. @DinisCruz
Cynefin and Wardley Maps

110. @DinisCruz
Community

111. @DinisCruz
https://learnwardleymapping.com/

112. @DinisCruz
Collaborate

113. @DinisCruz
MapCamp 2019

114. @DinisCruz
Thanks