The Cult of the Inventor

Three episodes of the WB40 podcast to listen to if you’re into Cyber Security

Episode 209 - if you’re part of The Great Resignation, or considering moving out of cyber security, or coming in, it’s worth listening to the hosts and Lee Cox thinking through this kind of career change. Although not directly related to cyber I’d expect you to find the decision process, and the successes and failures, very relevant; as well as the importance of an ability to learn, rather than being a life-long subject matter expert in just one area; as well as the importance of transferable skills… as well as the lack of innovation from employers… and and and… convinced yet? Go listen. ...

December 3, 2021 · 2 min · 396 words · Nick Drage

Games, circuses, CISOs, and anti-submarine warfare.

My previous week: Provided some feedback for a game/exercise design, which was enlightening because it’s rare that I’m in that situation, rather than being part of the design or operational team. Some thinking around the forthcoming Enterprise Circus. I’ve some trepidation about whether we can make the Circus metaphor work, but I think that is what makes this event worth doing. As per our “pitch”, written by Phelim Rowe, using this metaphor is an “engaging prism”, which I hope will spark some new ideas. I enjoyed attending Level Up: Gamification as an innovative tool for public service design; this was particularly enjoyable due to the talent and experience on display - I essentially watched three people build a pitchable business idea in a little over half an hour. There’s some really interesting things happening in game-based methods right now. I was on a panel at the CISO Ensemble, and ran a panel as well. Running the panel was particularly difficult and enjoyable, great to get a range of views, and to figure out on the fly how to give everyone a chance to speak, forewarn them when they were “up”, while paying enough attention to the conversation. On that particularly busy day I also attended Cardstock; very useful, very interesting, I came out of it with lots of ideas and a connection or two. One thing that particularly struck me, it might be observation bias, but for a generally skeptic-minded person like me, some of the greatest insights and mental leaps seemed to come from those with the greatest affinity to “magical” concepts such as astrology and tarot. Something to ponder. I finally made time to watch the Georgetown University Wargaming Society’s recording on WATU, presented by Sally Davis of DSTL. Good points well made, and also packed with useful academic references to strength through diversity. And I continue to play fantasy football, which I find such an interesting way to follow the NFL. For me in particular it brings home just how big a part injuries play in the game, and the operation of the teams.

A team figuring out CISO as a Team at the CISO Ensemble event

December 2, 2021 · 2 min · 358 words · Nick Drage

Quiet.

My previous week: Thinking through different and underused game formats: board games that support simultaneous or asynchronous movement, where a wall-mounted magnetic board would make “Play By Video” easy, and so on. A great chat with someone looking to use me as a cyber security associate, who asked all the right questions… such as “what are you interested in?” rather than “what do you have five years’ experience in?”. Other useful conversations about forthcoming projects and events, or working on existing ideas. Some “cyber security strategy” work, just helping someone think through their security roadmap and highlighting what they might have missed, or giving them a chance to explain their choices out loud to me before they face their stakeholders. And as always, I’m finding it useful to write up these weeknotes. I just wanted a free pixabay graphic about studying or thinking... but now I have to know why she's studying on a roof...

November 25, 2021 · 1 min · 155 words · Nick Drage

A good week for games... well, mostly...

My previous week: I was kind of thrown into the role of Game Control for an online playtest - which I found a little stressful, but illuminating and useful as well. Lots to think about, especially running other people’s game designs. A really useful conversation on how to make money out of game design. I’ve been put off the idea because so many game designers make a point of explaining that it’s not well paid, but as always I’m trying to find a different angle. The online services provider for my work went down temporarily. While there was really no harm done, and I was kind of covered, I was reminded that we all need to test all fallback procedures in advance. I was reminded of this recent post on hybrid gaming when your Internet connection goes down. Inspired by this tweet I’ve been thinking of how to design Play By Video games, both as the desired format for the game, and as a way to playtest them. It’s a particularly difficult design problem for anything beyond a simple game like chess because the players have to trust each other with anything hidden or shared… lots to think about. Also I don’t have the space to leave these kind of games out, but I’ve ideas around that too. I was the remote adversary for the Ransomware workshop at BSides London. The event went well, I’ve received some good feedback, so I’m looking forward to where we go with the idea in future. Also I’m looking forward to seeing the recording of the presentation my rookie presenter mentee put together, a cross reference of penetration testing and Persona 5. We watched Shang Chi and the legend of the ten rings; in some ways not a typical Marvel film, and the better for that. We also watched Red Notice and, as many have said - an unsurprising film by numbers. It works as an “enjoyable romp” if you’re drinking, or not particularly awake. And lastly, with the unscripted excitement of a game but the budget of a movie comes watching the Seattle Seahawks. 
After navigating poorly described and outdated contractual restrictions I managed to get access to the game… was it worth that level of effort? Every week Lee Sharpe creates these great gifs, that map each team’s Win Probability as the game progressed, which give you a really great idea on the flow of the game. You can figure out the flow of this one pretty easily… So little time on the Seahawks' side of that 50% chance line...

November 17, 2021 · 3 min · 428 words · Nick Drage

Cops and Robbers

Last Week: A very thought provoking conversation with a former Police officer about innovative tactics to use against organised crime. A useful conversation with someone in a similar position to me, a square peg looking at round holes, and the attitude required for that kind of situation. While there’s a lot of nuance required, “keep going” is an effective summary. Providing training on assessing and using penetration testing results, it was interesting to see how much I still know - and how far some aspects of the practice have gone, and how many haven’t changed in the last decade. Finishing off plans for the Ransomware workshop I’m helping run at BSides London, I’m very much in the “sidekick” role, helping James Bore think through the idea, and he’ll be onsite on the day.

November 9, 2021 · 1 min · 133 words · Nick Drage

Resting a little...

Last Week: I used FreeBusy to schedule some meetings, there’s still some problems with the way I use it to be ironed out, but I still think it’s been relatively smooth rather than trying to organise multiple meetings simultaneously. I attended BeerCon3, which had an impressively diverse range of mainly “rookie” presenters. I kind of drifted in and out so need to catch up with the recordings once they’re on YouTube. My car was in for an MoT, which was a mess for a variety of reasons… a “wrap around” for the service which appeared to just add a two to three hour delay to all communications, inconsistent interpretations of the MoT criteria, and a vehicle manufacturer embracing the concept of built in obsolescence. No-one to really point the finger at, and I think I’ve found a new garage to use much closer than my previous choice, but still a lot of additional overhead I didn’t need. I had a bit of a rest for at least a day, which might be why this post is so sparse. I often advocate for framing such time as “recharging” to others, so decided to heed my own advice. How I felt over the weekend...

November 1, 2021 · 1 min · 202 words · Nick Drage

Is it me, or is software just awful?

Weeknote 25th October 2021

Taking a cue from Sara Campbell of the Foster writing community, I’ve come up with a more interesting title than “Weeknotes”, but maybe this isn’t the most appealing title. Baby steps. I finished watching The Goes Wrong Show which has to be one of the funniest things I’ve watched over the last decade or so, along with Ted Lasso, and Community. I think I tend towards angry and/or painfully intelligent comedy, but we had to institute a house rule not to eat or drink while watching this, to prevent any unfortunate accidents. I’ve been drained and disappointed by the poor threat modelling that leads to the response to the death of Sir David Amess being a call for less Internet anonymity, and the response to the death of Sarah Everard being a call to contact the Police; but I suspect I’ve been naive about the intention behind those suggestions. I gave that training I mentioned last time, on common threats from the Internet, and only had time to scratch the surface when covering ransomware. I can only see that situation getting worse. I thought far too much about The Chair Game; a very simple idea, but surprisingly revealing in what thoughts it prompts. I look forward to playing and/or discussing it at some point. I fell behind on meetings, then fell behind further while looking at automated scheduling services to help me suggest times to several people, without getting into multiple simultaneous games of “email tennis”. I was disappointed at how many were just simplified clones of Calendly, requiring you to spend time in your calendar interface and scheduling interface simultaneously to manage your availability, when the aim is to save your time. It took quite a while, but I was finally impressed by FreeBusy; particularly by its Guarded Availability functionality.

October 25, 2021 · 2 min · 305 words · Nick Drage

Weeknote 18th October 2021

Last week: Gave some training on common cyber security attacks, moving on to ransomware next session, where the challenge is limiting so much available material. Discussions on exercises with James Bore, other collaborators welcome. Some mentoring of a rookie speaker for BSides London on an interesting analogical approach they’re taking. One of my game designs is getting out of hand, I’m regarding a lot of what I’ve done as “design notes” listing intriguing but rejected ideas once I publish something. I’m behind on scheduling meetings so I worked through some automated and semi-automated scheduling services, which just made me more bitter about the state of the technology in general; and also means I understand why virtual assistants are still so popular. I had my last coaching session with a kind of business coach, which has helped change my mind on the benefits of coaching. Get in touch if you want a recommendation. I attended the Autumn virtual meeting of Wargame Developments, a couple of sessions anyway. They/we are putting an updated version of the “WD Handbook” together, to act as a guide and introduction to the group. I’m very interested to see what comes out of that process. For years I’ve had an idea for a kind of “psychic massage” app, something that would give you an emotional boost when needed and/or at random - a lot of people, myself included, find those “you’ve got this” messages inspiring even though we know how vacuous their source is. But it’s on the big pile of possible ideas, whereas Sarah and Leila have done something with their Feel Better Cards; worth checking out. In having done these weeknotes for a while now, I realise how often I would type out the same thing every week - for example trying to build something to make money, while also needing to earn money doing “day rate” work; also I realise how much I achieve, but also how unrealistic my plans are for what I can achieve each week. I wonder if the bottom of each weeknote should have an “ongoing whines” section, with a counter…

October 18, 2021 · 2 min · 351 words · Nick Drage

Weeknote 11th October 2021

Last week: Mostly work I can’t discuss. I’m behind on a lot of meetings, and thought it would be a good time to finally look at automated scheduling services rather than email everyone the same options and hope there’s no clashes. All the scheduling services appear to assume you work in just one way - you’re available unless specified otherwise, and free time is offered to all contacts or none. Disappointing, but I might play around with scripts a little, or search a little harder… A really thought-provoking demonstration of a business game, lots of ideas around how it did and didn’t work, and where it could be used. Attended very little of a NATO conference, but got lucky and caught really intriguing ideas on modelling cyber conflict, and Python-based efforts to run through those models. This fits in with similar ideas I’ve discussed with people elsewhere, I just need to glue them together. And again trying to square the circle where I need a lot of time to work on products and ideas and games that would make money and make a difference, but having to spend most of my time and energy earning money to pay the bills doing “day rate” consultancy that doesn’t have such long term value to me. Suggestions or investment welcome. On a happier note, I had a very wholesome weekend, watching the funny and lovely Free Guy, and it was also my birthday in Animal Crossing…

Happy Birthday to me...

October 11, 2021 · 2 min · 249 words · Nick Drage

Weeknote 04th October 2021

Last week: Mostly work I can’t discuss. Worked Control for another wargame, lots of thoughts about how to run a megagame with highly variable participation. Working with Stone Paper Scissors again. Oh, it’s going to be one of those seasons.

October 4, 2021 · 1 min · 40 words · Nick Drage