Son Of Sun Tzu blog

They keep saying my audience will find me…

21 Jun 2023

Wardley Mapping Cyber

On Wardley Mapping Cyber Security

If you’re not sure what Wardley Mapping is, this two minute video is a good and very short summary. It’s basically a way of thinking about technological solutions and how they are likely to evolve in future, to enable you to make decisions about those technologies. In particular it’s designed to be used by groups so they can have better conversations in this area.

A few weeks ago I participated in online Wardley Mapping sessions of the Cyber Security industry, hosted by Simon Wardley of DXC Leading Edge. This was interesting and thought provoking for all kinds of reasons, which I’ve listed below.

My groups looked at “Threat”, which was a particularly vague concept, but it was thought provoking in many ways, mostly useful ones.

A Wardley Map.

My thoughts, in very loose groupings:

As an opportunity to rethink concepts

  • It was beneficial to think through cyber security concepts with fellow experts, to get different viewpoints when so much of my background is based on Penetration Testing.
  • But similarly useful to think through cyber security concepts with non-experts, just to realise how much I know. I’ve been lucky to know some of the smartest people in the industry, which can be intimidating - this exercise helped me grade myself more accurately “on a curve”.
  • Beyond realising how much I know, smart non-experts brought in new concepts and fresh viewpoints, either from other fields, or just from being clever interested people.
  • Similarly, working with smart people outside of the field meant having to rethink justifications for the common statements and clichés of cyber security, which helps you step back and get a bit of perspective.

The benefits of virtual meetings

  • At its most populous I think there were seventy people present, from all sorts of timezones. This level of voluntary participation is simply impossible in a physical space.
  • Many ideas were formed on Miro boards, which could be manipulated by many people simultaneously, and were easy to backup, to copy and paste on, and so on. Rather than trying to fully emulate a physical interface with a virtual one, it was good to see someone use a virtual interface to its fullest extent.

More specifically about Wardley Mapping as a practice

  • I’m still not sure about the Y Axis.
  • Maybe my group picked a particularly abstract subject, but we had many pipelines, as shown below. A pipeline represents a component that can be found at many of the different stages of evolution at the same time.

An example of a pipeline. Borrowed from IT Revolution.

  • I’m still struck that the conversation around building the map is arguably more useful than the end result. Which is good, but still, I think that isn’t fully realising the benefit of this kind of tool.
  • Having taken part in this graphical exercise, over several two hour sessions over a couple of weeks, I’m struck by how useful text can still be. Mainly because text gives you an historical record of decisions, and also the “version control” is easier going backwards and forwards. I wonder whether mapping sessions would benefit from uninvolved scribes¹, or tie-ins with popular AI transcription services so that changes to the map could be attributed and explained. AI transcription services are so very quick, and might be better than a human scribe at avoiding filtering what comments should be recorded.

On this effort in particular

  • As with any conceptual discussion around cyber security we got into semantics about definitions, what is a threat, what is risk, and so on. But in this case it was useful to think about, and the wide variety of participants made it useful.
  • All those pipelines did indicate something: that the speed of evolving an offensive or defensive tactic or tool was so important². Also slowing down the other side’s ability to evolve the same component.
  • As the user - the anchor in a Wardley Map that gives the map a perspective - we simultaneously looked at this from both a “Good Actor” and a “Bad Actor” perspective. It was useful to see how much a good and bad actor have in common, the requirement to evolve tools and tactics at speed mentioned in the previous point being one.
  • Also of benefit to both Good and Bad Actors, for a platform under attack, was for the platform to remain operational, and its external connections to be accessible. Depending on the platform and the attack that might actually be more important to the attackers than the defenders, which leads to all kinds of possibilities.
  • As per my recentish design of the Arctic Blockades game, having a clear bias to action, with a similar clear remit that changes or suggestions can be rolled back if they don’t work out, really helped. Especially that you could take an attitude of just trying something, and going with “this feels right”, rather than having to clarify an objective viewpoint before putting any idea forward.
  • Having a timed session with a clear deadline also helped. Partly because an immovable deadline gave everyone that “bias to action” I just mentioned. But also a timed session means that you don’t stop thinking about the problem when the session “feels done”. By giving you more time to ponder, or to think out loud, everyone has an opportunity to create more ideas and take their thinking further.
  • A thought that comes up a lot when discussing frameworks is how much the benefits of the framework are down to the quality of the facilitator and their facilitation. I was impressed by Simon managing such a large crowd of seventy attendees, from many different cultures, and with the occasional connectivity mishaps that come with working online. I wonder how others would fare.
  • I haven’t seen it in practice for a while but the benefit of using a map was clear for our discussion, rather than more abstract statements, or being asked to come up with a simple list. But I wonder how much of this is down to Wardley Mapping, or whether a similar result would come from using any “map” - meaning a diagram where the location of each component, both on the map and in relation to all other components, is important.

Working with people

  • I’ve come to realise how much I enjoy working with people, especially in groups that build a rapport so quickly.
  • I feel that Wardley Mapping is better than just a discussion, but you still need to protect yourself against all the standard issues from meetings… where who thinks first or thinks loudest gets to make a point.
  • Talking with non-native speakers of English, or multi-lingual people, was particularly useful because you think about words a lot more, and I think part of groupthink is everyone having approximately the same understanding of meanings and so bypassing a lot of useful thinking. Even the difference between British English and American English is useful here.
  • And people just with a better vocabulary than mine - I imagine I’ll still look it up every time but “aberrant” and “abhorrent” are very different things.

Epilogue

Wardley Mapping is definitely something I need to spend more time on. I’m particularly interested in thinking about the climate patterns described in Wardley’s book, and looking for signs of their presence; and also the opportunities for “strategic gameplays”, using Wardley Mapping to see what factors to manipulate to gain a commercial advantage.

If you’re intrigued by the concept I think this piece by David Anderson gives more detail, and has a nice example. And watch this forty minute presentation by Simon on Wardley Mapping, where he’s at his Wardliest; I did just check it was the right one by watching it at 2x speed.

  1. I’m most familiar with the “scribe” concept from professional wargames. A “scribe” is someone designated not to take part in an exercise, but just to record the actions and statements of others for later analysis.

  2. There’s a whole discussion around OODA loops and relative speed that I’ve resisted falling into. I’m happy to have that discussion on request.