Now, please welcome Marcel Zamzow. He's going to talk about the Machine-readable Cyber Security Framework or how to Shred Drawerware. Please.
Yes, the floor is yours. Thank you very much. Thank you to Shika. Your word "taxonomy" really opened my heart because I will talk about this also. And this is a problem we are facing right now, mapping all those requirements to our governance framework. So this will be also a topic in my talk. So maybe we should later on talk to each other. So I'm Marcel Zamzow. I'm Governance, Risk and Compliance Manager at E.ON. So I'm coordinating the cybersecurity governance framework at E.ON.
And E.ON, meanwhile, is a very large energy company. So we produce energy, we distribute energy, we sell you energy. Do you want one? Yeah. So we are really big. That's also from a governance perspective quite a problem. So we have a lot of subsidiaries, subsidiaries in a lot of countries under different legislation, under a different regime. And we have to balance all those requirements at E.ON. As a GRC manager, I'm not a technician. I was a technician before, a long time ago. That was a time when computers made screaming noises when you connected them to the internet. You should have listened.
And when I started this project in 2022, I found a lot of documents. And my way of fostering that and developing that further, I want to show you. And maybe that could be also something for you. If you read between the lines, you have to really look very carefully. You will see the word policies. So I hope you aren't in a hurry now. A question to you. Please raise your hands. Who of you really, really by heart loves policies? I count.
Zero, zero, zero. Okay. Interesting. Yeah. I quite adapted that a bit. So virtually nobody likes policies. I'm responsible for this, but I don't drag it out under the pillow at night and look at it and say, oh, what a nice control. I don't do that. Do you? Yeah. Nobody does.
But still, most of you, I would say all of your organization will have policies then. Yeah. So counter question then. Who of you really hates policies then? Come on. Be honest. Yeah.
One, two. Okay. Okay. That is a majority here. Yeah. And that means I will walk this talk with the haters. Yeah. To those who haven't raised their hands yet, please think of that moment. For example, in February next year, when there is a vote ongoing for the parliament and so on. Yeah. Because now I have to walk this talk with the majority, which are the haters. So I give you six tips how to wreak havoc with your policy framework. Yeah. Just with your policies. Yeah. And the first one is goals. Don't give them. Yeah. Don't give people any overarching goals what to reach.
Give them simply checklists. Yeah. Checklist of checklists and you will find friends with that approach. Yeah. People come to you and will say, finally, somebody says what I really, really have to do. Yeah. Done. Done. Not applicable. Not applicable. Not applicable. So if you don't give any overarching goal, you will miss a point at a lot of time because you cannot define everything granularly for every machine, for every environment, in every situation. So you have to go overarching goals.
Otherwise, when you don't say what you want, you get confusion. So if you don't give people the skills they need, you create anxiety. Yeah. Don't do any awareness training in the company. Don't explain what you want. Yeah. Just put it out. It was hard to write and it should be hard to read. Yeah. Next one is incentives. Yeah. Also don't give them. Yeah. Make it complex. Yeah. Then audit them to help. Yeah. Then you create a lot of resistance. Yeah. And don't give people resources so they get frustrated. Never automate anything in your company.
Then some compliance workflows where they have to fill lines with, oh, I've done that in this way, and here's evidence and so on. And don't give an action plan. Yeah. People need to have a plan, but don't give it. Yeah. Don't explain the how's. It's the opposite of the one. You should do something like explaining the how's and defining the how's. And the last one is trust. And that is the best one. It even has four dimensions. We don't have the time here. So I normally discuss this at length. But one good tip is don't give people requirements. Yeah.
Give people policies and change it immediately as often as you can before they implement it. Then they get in the mode of bend and wait. And if you see them swinging on the chair, you have reached your goal. So all of you, I think, will have something like that. So a pyramid scheme, to say, where you have defined the why on the top, your business obligation, which fits into the cybersecurity requirements. You explain who has to do what. This is a function policy at our side. So who has which obligation and which is what's saying in the cybersecurity field.
And we have people guidelines. So people know the do's and don'ts. And the what's are the ISS's at our companies, the information security standards, and the how's, the directives. And you could argue that it's not enough. You have to have a solution bias directive and procedures and so on. For the sake of simplicity, I leave it here. I think most of you will have that. We were there and we thought, OK, how, as this is a cyber evolution, how to evolve that.
How to evolve that, for example, it would be cool if you would throw all those requirements we have to the machines and they do the hard work. We automate stuff. It would be cool when it would be written in a language the machines understand. Common language of this is a structured format like JSON. And it would be cool when you have an API to call to this. And it would also be cool if people could not read all your pages. We had a lot of Word documents. Those Word documents came into a PDF format. It was on the Internet. Everybody could read it, download it, see what is relevant for them.
But what would be the case if all your employees, your people, those who give services to you, have their own view on your policy framework? So, they can filter. I'm a service owner. I have a special use case. My application must be deemed confidential. It must be highly available. What are my requirements? Get my standard, please. That would be cool. That would be the idea. The first thing we did, of course, was let's throw them at GenAI. Let's throw them at GPT. And we have a fine team at our organization that's called expert services. They deployed it not only for us, but for the whole company.
It's called E.ON GPT. It's basically an Azure service you can book. And it ingests all our Internet and what is found to be there. And also our governance framework. And one first early MVP, it got much better, of course, was we showed it our governance framework and asked it, okay, say something about the ISS02. I said our information security standards are abbreviated as ISS.
So, that was truly the first question. Because how was this the case?
Well, it had much more knowledge about the space station and read that in the Internet than our policies. So, it made a probabilistic approach and said, okay, most time I see he will maybe see something about the space station in the orbit, not the standard.
So, this was a problem with Gen AI that persisted. And how do we overcome that?
Well, it's trivial in a way. If there is not the information in the governance framework, how should it be found, yeah? Information which isn't there can't be trained. Information which isn't structured can be magically structured. If training data contains information which is well understood in the organization, but has a different meaning outside, that happened a lot of times. We showed the operating model to it and got back a lot of interesting knowledge about what, for example, our threat intelligence team does. They seem to do everything at our company, which is, of course, not the case, yeah?
But sometimes you write something and the word is not a crystal. It's a skin of a living thought, yeah?
So, the system interprets it as it stands there. So, you have to look in your governance framework then. And if your training data is inconsistent, has double information into it, it's a problem.
And also, how do you get people's support to use a system which is basically lying to them or might lie to them? You don't know.
Yeah, okay. Then we looked at GPT a bit more down the ladder, yeah? And looked, okay, what are basically the dimension I could ask GPT, yeah? You could ask it completely different, and then will GPT do his own favor of that, yeah? It will make a guess what you want to hear.
So, if you fill out all those dimensions, you get the information you want. So, you can have a key prompt, give good advice here, yeah? That is what you really, really want. You select a niche, for example, act as an information security officer. This is the best thing for my son, who is 13 years old and is in the grammar school. And he uses, of course, act as a 13-year-old pupil at a grammar school with quite an okay IQ level, yeah? And then it looks at everything as if this outcome is from a pupil.
You could also put information into it so that it is, yeah, the recipient is for child and board members, for example. Sometimes it's the same, yeah?
And, yeah, you can say what, how many answers do you want, yeah, and how deep GPT should go. But before you do that, remember the slide before, yeah? When you don't put the information into that, it won't be there.
So, what did we do is simply everything was already there. We put everything in a wiki for several reasons. First reason is the wiki was already there, and we don't have to pay for it. And the other one is it has some plugins into it where you can put structured data into it. You don't have it as a page, like in a Word document, but you can do it as if it was in a database. This plugin is called ConfiForms, but you could do this with another technology stack, SharePoint or something like that, yeah? We used Confluence for that. And put every piece of information there we could find.
We used a lot of taxonomy, and judged and attributed each piece of information. These are some attributes. The list of attributes is really large, yeah? This is one of the ISO 2701, what we have many, many more. And as it is a wiki, we gained it in a collaborative way.
So, people come on the way and said, okay, and by the way, 75,000 people could do this at our company because this is not an ivory tower. People could say, okay, I want to have this information filtered for.
So, we have a long list of things people want to know from our governance framework. And as we have a taxonomy, and everything is now data, and I think you can't read that, yeah, you can also gain transparency out of it. When you have a Word document on an internet also, you cannot find every relation between one directive to the other. You could do that. You could read and find, okay, this is tackling an information in another policy or directive or standard, and make a list of it. But when you have it in this format, and you have it structured, you can ask the system to do this.
You can do this live. And I cut the corners on the left and the right side. It really gets interesting if you say, okay, I want to look six ways deeper. Then you see, for example, okay, people in the company are linking to that and making helpful, supportive information. And you talk to them because somebody has a clue about that, and maybe you can direct them into the process. What we also do is, and this is also related to what Chika said, is when we have it in a form of a data structure, we could map it.
We could map it to other requirements, to other standards, to other norms, to other best practices, to other frameworks, which are relevant for our company. And we did that.
So, when we then have all in place, then when every information is there, we can throw it at GenAI and get information out of it. For example, sum that up for me. Give us a synopsis.
Make, as we now have all those roles and those documents, say to me, please, what is relevant for the end user, for the business owner, which is a defined role, or the service owner, application manager, OT service owner, and so on. So, endlessly. And then you have additional value added information for your users, which has got us really good feedback, by the way.
So, this confluence space is the second most used at E.ON. You can also say, okay, what happens when we deviate? Make a list of threats, make a list of vulnerabilities, combine them, have the scenario, put them in the risk management. You can define metrics out of it.
Of course, as this is AI, you should look about what comes out of it. You should curate that. Don't put that blindly to the users. You can make quizzes out of it, compliance checklist if you want, and so on and so on.
So, if the information is there, it could be easily used, because an LLM is built for that, to go through convolutes of information. And if you have that, well, maybe people don't use GPT anymore. People use maybe the interface you give them, where they can sort through your documents, because, again, maybe GPT is lying to you. It's not legal binding what is there.
So, this is basically what we've done since 2022. We are working still on it.
So, we put everything on Confluence, put everything into ConfiForms. We have now the whole publishing process there.
So, we write this. We collaborate with this. Before I got all sort of feedback with Teams, with mails, Excel files in mail, SharePoint, and so on. Everybody sent it to different channels like they want.
So, now everything goes about this one portal. We connect it to Jira.
So, when somebody has a valuable comment, and we have to do a task with our framework, we put it into a ticket system called Jira. And we bound it to XNIV, which is our risk management system. It's a workflow tool, but we use it for our risk management. And as there is an API between the Confluence and this XNIV, we don't have to copy over information, which might be error prone. We have always the newest information there, which is very helpful. We have a glossary, and we have an E.ON GPT pilot.
And what is upcoming next year for us, we are exploring that now, is how to have that as policy as code so that we can ship it against the machine. As I also talk in the format of JSON, which we all have, we have to look how do we convert it in a format that it can be applied directly to the machines.
So, and well, now we can leverage all and use all the possibilities of GenAI.
Thank you, Marcel.
Thank you, Duke. I'm afraid we don't have time for questions, so please, a round of applause.
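The talk describes the "machine-readable" side of the framework only in outline: requirements stored as structured records, a filtered "get my standard" view for one role and one confidentiality/availability classification, a walk over the links between documents to a chosen depth, and a mapping to external frameworks. The following Python is an added example written for this page, not code from the talk or from E.ON's Confluence/ConfiForms setup. The six requirement records, the field names (`id`, `type`, `roles`, `confidentiality`, `availability`, `references`, `mappings`) and the ISO/IEC 27001:2022 control ids in the mappings are all constructed for illustration and are not E.ON's schema or content.

```python
"""Added example: a policy framework as data, queried the way the talk describes.

All records below are constructed; the field names are assumptions, not E.ON's schema.
"""
import json
from collections import deque

# Constructed sample export of six requirement records (a structured-wiki form
# would export something similar). Control ids under "ISO 27001" are
# illustrative mappings to ISO/IEC 27001:2022 Annex A, not a real crosswalk.
POLICY_JSON = """
[
 {"id": "ISS-01-03", "type": "standard", "title": "Encrypt data at rest",
  "roles": ["service owner", "application manager"],
  "confidentiality": ["confidential", "strictly confidential"],
  "availability": ["any"], "references": ["DIR-05-01"],
  "mappings": {"ISO 27001": ["A.8.24"]}},
 {"id": "ISS-02-01", "type": "standard", "title": "Backups with tested restore",
  "roles": ["service owner"], "confidentiality": ["any"],
  "availability": ["high"], "references": ["DIR-05-02", "ISS-03-02"],
  "mappings": {"ISO 27001": ["A.8.13"]}},
 {"id": "ISS-03-02", "type": "standard", "title": "Central security logging",
  "roles": ["application manager", "OT service owner"],
  "confidentiality": ["any"], "availability": ["any"],
  "references": ["DIR-05-01", "ISS-01-03"],
  "mappings": {"ISO 27001": ["A.8.16"]}},
 {"id": "DIR-05-01", "type": "directive", "title": "Key management",
  "roles": ["service owner"], "confidentiality": ["any"],
  "availability": ["any"], "references": [],
  "mappings": {"ISO 27001": ["A.8.24"]}},
 {"id": "DIR-05-02", "type": "directive", "title": "Business continuity",
  "roles": ["business owner"], "confidentiality": ["any"],
  "availability": ["any"], "references": [],
  "mappings": {"ISO 27001": ["A.5.30"]}},
 {"id": "GL-01", "type": "guideline", "title": "End-user do's and don'ts",
  "roles": ["end user"], "confidentiality": ["any"],
  "availability": ["any"], "references": [], "mappings": {}}
]
"""


def load_requirements(text):
    """Parse the JSON export into a dict keyed by requirement id.

    A dangling reference is exactly the kind of inconsistency the talk warns
    about (inconsistent data cannot be magically structured), so fail loudly.
    """
    records = json.loads(text)
    by_id = {r["id"]: r for r in records}
    for r in records:
        for ref in r["references"]:
            if ref not in by_id:
                raise ValueError(f"{r['id']} references unknown id {ref}")
    return by_id


def _matches(allowed, value):
    # "any" in a record means the requirement applies regardless of classification.
    return "any" in allowed or value in allowed


def requirements_for(by_id, role, confidentiality, availability):
    """'Get my standard': ids of requirements that apply to one role and one
    combination of confidentiality and availability classification."""
    return sorted(
        r["id"] for r in by_id.values()
        if role in r["roles"]
        and _matches(r["confidentiality"], confidentiality)
        and _matches(r["availability"], availability)
    )


def related(by_id, start, depth):
    """Breadth-first walk over references in both directions (outgoing links
    and backlinks from other documents), up to `depth` hops. Returns {id: distance}."""
    neighbours = {rid: set() for rid in by_id}
    for r in by_id.values():
        for ref in r["references"]:
            neighbours[r["id"]].add(ref)
            neighbours[ref].add(r["id"])
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if dist[cur] == depth:
            continue
        for nxt in sorted(neighbours[cur]):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    del dist[start]
    return dist


def crosswalk(by_id, framework):
    """Map each control of an external framework to the internal requirements
    that implement it; also return the requirements with no mapping (the gaps)."""
    controls, unmapped = {}, []
    for r in by_id.values():
        ids = r["mappings"].get(framework, [])
        if not ids:
            unmapped.append(r["id"])
        for ctrl in ids:
            controls.setdefault(ctrl, []).append(r["id"])
    return {c: sorted(v) for c, v in controls.items()}, sorted(unmapped)


if __name__ == "__main__":
    reqs = load_requirements(POLICY_JSON)
    print(requirements_for(reqs, "service owner", "confidential", "high"))
    print(related(reqs, "DIR-05-01", 3))
    print(crosswalk(reqs, "ISO 27001"))
```

The filter is the per-role view the talk asks for; the same records, exposed through an API, give a service owner "their" standard without reading every page. Walking the link graph in both directions is what surfaces the supportive pages other people have linked to a directive, and the crosswalk's `unmapped` list is the quickest way to see which internal requirements have no counterpart in a framework you must report against.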