Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Gert-Jan Bruggink (00:00):
That is all, paradoxically, part of the problem. These efforts overlook, like, the human element.
Rachael Tyrell (00:06):
Hello and welcome to episode 16, season one of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will
(00:36):
chat with Gert-Jan Bruggink. Thanks for having me. Where he pioneers the field of scenario-based cyber threat intelligence deliverables. Previously, he co-founded innovative startups, fulfilled a cyber threat intelligence leadership role at a big four accounting firm and held security engineering roles at a security integrator. Over to you, Pedro.
Pedro Kertzman (00:57):
Gert-Jan, thank you so much for joining the show. I'm really happy to have you here. Excited to be here, Pedro. Awesome. When I usually start asking the guests about their journey into CTI, would you mind walking us through that please?
Gert-Jan Bruggink (01:11):
Sure. Journey was pretty straightforward. Started in security engineering after having a long time interest in doing the technical stuff we do in cyber, and then slowly moving into more consulting based effort, helping organizations out why they do certain things, why they want to
(01:34):
implement a certain solution, why, why is that? That got me into consulting and at a certain point in time, I was constantly curious, constantly, constantly searching, constantly learning, and a big part of that was the reason why people implement certain solutions is because there's stuff happening all around the world, so I tried to understand
(01:55):
that as well. That led me on a journey of leading a CTI team at a big four company, just being overly curious, interested in all that. Um, yeah, and in a nutshell, I'm fast forwarding a lot of years, but that is how I got into the journey and the journey went on from there. That's awesome and uh.
Pedro Kertzman (02:18):
So you mentioned you kind of, uh, you knew already, right, you went straight up to detection engineering, but what was the, like, spark, let's say, to drive you to that particular area of the cyber security space?
Gert-Jan Bruggink (02:33):
Yeah, to be honest, um, when I, when I was still in college, I did not have the desire to go into cyber security, um, that it was great at that time. It was definitely something. You got all the, the young talent being pulled out of college with a big, fancy lease car and all that stuff,
(02:54):
relatively high salaries, right, and I was like, oh man, I'm not gonna do that, I'm just gonna keep on studying and all that. And then a mate of mine, uh, one of my best friends, he basically went into. He's like, you gotta have, take a look at this. This is like cyber security, uh, bachelor's program, to go into that, and I'm like, it's gonna be big. I'm like, oh, that, that indeed sounds very interesting.
(03:17):
So, um, yeah, that's, uh, that's how, that's how the story began. But I realized over the years that this is a very fundamental thing, fundamental problem set, if you will. And fast forward to now, like 20 years later, this problem set still is and will be.
(03:38):
And you know, looking backwards, since the dawn of mankind, you had these kind of problems, not in the format of cyber, just to clear, yeah, but like there's always these kind of problems because it's all about humans, and that actually sparks me and keeps me doing what I do every day. Yeah, no, that's.
Pedro Kertzman (03:56):
That's a good point, good analogy. We always go for the, uh, innovation advancements first, since the, you, the old empires, and only then we think of all the consequences. So one of the things that I kind of got to know you and saw your online posts and things like that was related to the CTI
(04:20):
maturity model. How did you first come across the team building that? What's the, the story kind of behind that one?
Gert-Jan Bruggink (04:31):
Yeah, so one of the things I learned in the consulting world is that we try to measure everything, right. And then it's just the basic nature of human behavior. We try to measure everything because that makes sense, that is just a rational thing to do. And how you transpose that into wider concepts in cyber, you
(04:56):
will get to a framework, you will get to some kind of common sense which you can measure everything against, because that, it all makes sense, right. Because then we have logical buckets where we can put everything in and classify everything and say how mature we are, right. You know, well, in reality, it's not always that black and white, it's usually always gray and people are often, you know, just, you know that there's, there's
(05:20):
a reason why not everyone uses a compliance framework. But still, people love clarity and people love the fact that you can have some kind of measure to say, okay, so this is some kind of ladder. And this is where I am. Now, a couple of years ago, well, many years ago, I've contributed
(05:44):
to numerous frameworks, including that of my employer at the time. We basically built our own maturity framework, because you kind of learn, specifically for CTI, a lot on. You know, this is how it works. This is what makes a mature team. Now, two years ago, I had a conversation with a couple of very small people. Some of them are friends, some of them are our friends, most of
(06:07):
them are also competitors, just being honest. But we kind of realized we were all facing the same problem and that every single year there's a new framework coming out and that is just absolutely dumb. Why can't we just make one thing and curate that and actually do? What the CTI industry should do is learn and improve consistent.
(06:30):
That, that was the premise. Uh, for me to say, all right, let's go this. I love it, I like the idea, I love what's going on, um, and what, so the parameters on CTI-CMM is also based on the capability maturity model model from a US government entity, if I'm not mistaken, and we
(06:53):
basically transpose that into the CTI realm. It is absolutely not perfect and it is designed to not be perfect. It is designed to continuously improve and I think that these two elements, that is what, uh, you know, practitioner lad, um, and, and actually consists constantly improving that.
(07:14):
Actually, uh, I think that that is a big part what drew me into this and also that's also what I, what I, what I at least, hope to, to contribute to these, uh, this sort of stuff. Man, yeah, that's awesome.
Pedro Kertzman (07:26):
If I understand correctly, one of the motivations to do the capability maturity model for CTI was collaboration. Right, it's thought that every single different point of view will generate a single model and start collaborating. So we have a more, I don't know, centralized, if you will, or
(07:49):
agreed upon type of framework, which makes absolutely sense. I, I agree with you there. Um, would you mind if we deep dive a little bit into the CTI-CMM? Sure, that's good. Okay, any, like, parts of the framework that you think, like, stand out, or perhaps any other parts that you
(08:11):
think, uh, you see some improvements in the following interactions.
Gert-Jan Bruggink (08:16):
Anything around that. Yeah, yes, there are many, many things to be honest, and I have to say that for me it's never good enough. And that is just for me, I think for most of us sometimes what we put in CTI 0 or CTI 1 is already a huge step.
(08:36):
So one of the key lessons I've learned, and I've learned that already for many years, but is that even the first level, going from zero to one, is already a lot for a lot of people. And this is sometimes considered a controversial topic, because when you do CTI, you know it all, right, but the CTI
(09:01):
industry has to understand that only a small percentage of the actual industry uses CTI the way it should, and sometimes that is also, you know, that dictates the maturity. Even going from zero to one is a huge step for most, going from
(09:27):
no person than having, you know, different roles that do everything from security engineering to detection engineering, to incident response to cyber threat intelligence, so having dedicated roles for that and then having a team that does all of that, right. So that was, that was a big thing of how, you know, working on CTI with all these people who have tremendous experience in that, you know, how they, what they
(09:48):
share back. Another thing that we also go back from the initial versions is, again going back to the measurement aspects, is how do you measure stuff? How do you measure success? And I have to make a little detour to clarify that, because I'm very interested in the
(10:13):
measurement aspects and dashboarding and all that stuff just because I find it interesting and I start curating some stuff, like a little Excel file, and all of a sudden, after curating some things for a couple of years, all of a sudden you're an expert. Yeah, well, I don't, I don't consider myself an expert in that extent one bit,
(10:34):
but I do consider myself very, uh, having a lot of experience in this field. Um, so one of the ideas that came up, like, can, can we not combine, you know, some of these activities from different practitioners, also who have been on your show, you know, can we just throw it all on a pile and see what sticks? And that's what we did, actually, last year as well.
(10:56):
So we created a huge metrics addendum which is not prescriptive, but more, this is something you can use and have some ideas with. It's not perfect by design, but you can get some ideas in that. Yeah, that was also very, very well received. Now, yeah, well,
(11:24):
yeah, it's so stupid, but people just want to show, you know, they sometimes, you know, what I've also learned is like people sometimes just, they can say what they don't like, but they cannot usually say what they like. And what I mean by that is, if there's something, you can formulate an opinion on what that is, instead of coming up
(11:46):
with an idea which you never thought about. And, um, I think that is what we're trying to do, is we're trying to open people's mind and say, well, you, you can use this or you can't, whatever. Just do it whatever you want with it. Yeah, and, by the way, there's another thing and that's maybe going into the future. So one of the questions you will also get as feedback, so
(12:10):
this active feedback loop, is how to then operationalize it. So you have a framework, you have measurements, you have tips and tricks and all that, but it's like, what is the little template we use here? And, yeah, that is something we're working on, because obviously there is a huge component of commercial
(12:31):
enablement that we keep in the middle and full disclosure, I run a company that basically works on publishing, you know, templated content and how-tos and threat scenarios and all that stuff. But I've been very clear to the team and to everyone, like, I think we need to, you know, put all our best, all our different
(12:53):
things in one basket and just say, you know, these are some of the basics we need as an industry and just to set, set to get people from zero to one more effectively. I think that that is, uh, that is something we're still working on and that is something it, we all have the content. It's not the problem, it's just more like how do we, how do we make sure that every little step works?
(13:14):
And, uh, yeah, that, I think these are three key areas where, you know, CTI-CMM actually will work and stand out.
you know CTI, cmm actually willwork and stand out.
Pedro Kertzman (13:25):
That's awesome. Thanks for sharing that. You got me thinking. You mentioned about the different, let's say, material levels within most of the individual CTI aspects, that people think they do, you know, a lot of CTI when they actually
(13:45):
only do a little part of it. Do you think that would be related, or have you seen any conversations around that, that, that could be related to those more, quote-unquote, mature pieces of the equation would be the ones that have more CTI vendors associated to that
(14:09):
particular part. And then, I don't know, maybe must more, more buzz is created around that particular topic and people keep pushing, pushing, pushing that one without actually connecting to the rest of the necessary frame to have a more complete picture of the whole CTI framework.
Gert-Jan Bruggink (14:28):
Do you think it could be anything like, like that, just maybe brainstorming a bit. So I have a, um, another unique take on this, but I have a bit of a contrarian take on this. I think that, you know, at this moment there's a lot of tool pushing and that has been the same since ever I started and
(14:53):
you could. So there's an extensive push on next generation tooling. You know, automation first, build up the perimeter, that, that all the craze when I was starting out. Well, I think, you know, that is all, paradoxically, you know, part of the problem and, you know, these efforts
(15:14):
overlook, like, the human element, the systems thinking, the narrative that connects one problem to the other across different organizational silos, right, and that is actually crucial for integration and adoption. And I think for me this is so crucial that any decision maker, you know, listens to this. He or she had always thought about that.
(15:37):
It's like, why are things disconnected? Why can't we get that value out of that? And it mostly has to do with these elements being not connected to each other. And you know, for me, I've spent a significant amount of time to get these new ones into industry frameworks like CTI-CMM, and I'm being very honest, like, there's a clear disconnect
(16:00):
between operational intelligence, like really technical intelligence and other, perhaps strategic applications. I think that is definitely a problem and I would even go as far as saying if the CTI industry does not resolve the situation before 2030, the current commoditized form will
(16:23):
become obsolete. Interesting. And I'm dead serious about that. A change needs to happen in this industry and if it doesn't, it will become obsolete. And I can tell you this, we are already behind. We are already seeing people saying, what is the value of CTI? Should we put it in a role?
(16:45):
Should we put it in? It is part of a, of a tool, right? So I think, you know, there's many reasons why, why, and, and there's, there's also answers to why the situation is as is, but there's definitely a bunch of misconceptions and all that that
(17:05):
I think, you know. That lead to this and to your first point. I also strongly believe that most mature security teams, you know, quite literally, if you just take a, if you would picture like a hundred percent of the entire world as all the companies in the world, then we tend to focus, the emphasis is
(17:25):
mostly on like the, well, the more wealthy, uh, amount of companies, the bigger enterprises, but the reality is is that that is only a very small percentage of all the companies in the world. So we need to do better in, you know, addressing that and educating people that, you know, even though that you're a big
(17:47):
company, it doesn't matter how many feeds you have. That is not an indicator of quality, that is an indicator of something else. But, um, I'm not getting into that, but my point is people have to tell that story correctly. If you can explain why you're ingesting all that stuff and then what you're doing with it, what kind of decisions you're actually driving, what kind of impact you're making, then the
(18:10):
story basically writes itself. Success writes itself. Yeah, and maybe one final thing to add on that, I also think that there is a bit of a nuance, that teams need to be very big to be successful, and so when I did the presentation of CTI-CMM version 1.2 at first, it was earlier this year.
(18:34):
The interesting bit is that some of the maturity is not the bar of the ladder, right, it is actually, you know, either this is that or is it how happy you can make your stakeholders or how much impact you make, but actually it
(18:54):
is the values in the eye of the beholder, right, and I think these are some of the. Also, you know, some of the specific things that we try to tackle with this initiative, but there's actually some, you know, fundamental things happening in the industry which we cannot tackle alone and we need everyone to do so.
Pedro Kertzman (19:14):
That's a great point and I'm kind of glad to know I might not be alone on this. You touched on a very interesting point. People think that, oh, to have proper CTI in-house you've got to have X amount of analysts, from people doing reverse engineering, malware analysis to people doing this and that. You
(19:36):
touched on a very good point. That's only for, know, big enterprises, uh, can afford having those super specialized teams, uh, but on the other hand, I think the small companies or wanting to be mature companies, regard, regardless of the size, CTI can be more like a mindset. If they start looking at things
(20:00):
through the CTI lenses, I think they would just have a better understanding of the things from a security standpoint, of course, that I think that, that are happening, uh, to them or things how they could prevent certain things just by having that CTI mindset, and that might be part of the maturity within
(20:25):
the industry. CTI mindset, to connect back to my previous point, might not be the most profitable thing to sell, so maybe not too many vendors are kind of trying to stimulate that type of, uh, thinking. So, so, Pedro, sorry to interject that, I think you, you
(20:49):
highlight exactly the situation.
Gert-Jan Bruggink (20:51):
Now, if we're being honest, the, the, the core situation at hand is, is a shareholder driven value making machine. And don't get me as a socialist or anything, because I run a commercial company as well. But I think we have to be honest, that we all have to make a living and doesn't matter big or small.
(21:13):
But there is this, this incentive structure, which isn't correct and I think for me, a big part of what I do as a philosophy in business, a philosophy in life, how I treat my own team, how I think others should organize their own CTI capabilities is set up people for success, and that starts
(21:36):
with the proper incentive structure, and that is that. That also is as part of why I like the metric stuff, not, not because of cool numbers and shit, but like I just find that interesting and it's like, yeah, if we can measure how jump, how high you can jump, then we'll know how high you can jump. But I asked the question, like, what if there is no height, how
(21:58):
far can you actually jump? And the reality is that people can do much more stuff if they're enabled and all that good stuff. So, yeah, there is many deeper reasons again why this happens and what you are alluding to. But I genuinely think that the one thing we need to fix, and
(22:19):
that is not just for CTI, it is for cybersecurity in general, is the incentive structures.
Pedro Kertzman (22:24):
I love that. No, that's a really good way to put it. And let's say you see the journey that we need to go through in the next few years, as soon as possible, I would, I would say, but, uh, when you look in the, uh, when you look to the past, how do you see the, the, the shifts and changes
(22:47):
when we first started adopting CTI? Maybe danish?
Gert-Jan Bruggink (22:53):
Yeah, back.
Pedro Kertzman (22:55):
Uh, how do you see that shift, the pace, pace of those changes since we started?
Gert-Jan Bruggink (23:03):
Yeah. So let me just say I find this is my bread and butter. Scenario planning and thinking backwards, thinking forwards, this is absolutely what I love. Awesome. More specifically, and I do, sorry, man, I do want to plug some of the stuff I do in threat landscaping and build your own threat landscape type of deal. Go for it. Call me for that if you need help.
(23:23):
But, like, that is exactly the type of questions we get often, and even today I was looking at some messaging on social media, specifically LinkedIn, where somebody was asking, like, hey, I've been informing people about ransomware for the last 10 years and I'm like, yeah, but this has been, this has been a
(23:45):
problem for that long. What changed? And I know what changed, just to be clear. But like, it's pretty interesting to hear people's perspectives on that and, and, for example, for ransomware, the feedback you, I received was like it's gotten much more sophisticated over the last decade, from, you know, little scrabblings and dumbass encrypting to like multi-billion
(24:10):
dollar companies being crippled and completely business shut down. Yeah, so the role cyber is playing in everything and the digital connected nature of it all. That has fundamentally changed and it will continue to change. In the next decade, we will see even more integration.
(24:31):
Even with AI, agent aspects and all that good stuff, it will go even further. Now one of the cool things, obviously I don't consider myself a scenario planning expert for all the futures for developing a company. I understand the way how that is done.
(24:52):
I merely apply it to the concept of risk management, threat management and CTI in particular. Right, so how I then look at these things is like, so, back in 2014, when APT1 report got hit, uh, got released, you know, a bit crazed about all that, but what the interesting bit was is,
(25:13):
through those years afterwards, there is a couple of things happening that were very interesting and I'm tracking them still. One of them, for example, is about the focus of certain adversarial states on types of infrastructure. So, and again, I'm bringing up this example because it
(25:33):
illustrates what the value is of tracking these kind of trends long term. At the time, obviously, there is just teams, you know, doing advanced, persistent, you know, targeting, and it is, every country is doing that. You know, some have more sophisticated capability. I'm from Netherlands. We have a pretty sophisticated capability, but there's also
(25:56):
many other countries who do that. But what I find interesting is if you just take a step back and then look at, you know, hey, so there's teams looking at the external footprint, certain teams from China, for example, and they used to be the top players in the Pwn2Own games, and then all of a sudden, and, uh, if I'm not mistaken,
(26:18):
2015 or, or 16, and all of a sudden you see them dropping out for reasons of that competition. And what is interesting is if you track these trends over time and expert look, look at them now to today, again I'm nerding now, just to be clear, but you kind of see that the focus of
(26:43):
these kind of Chinese adversaries on technical infrastructure, it started in that little thing. Right there, you know, just a strategic effort focusing on one particular tool set. And they now have dozens of people, you know, reverse engineering, uh, you know, 40 gates and all that and, and that, that stuff, I find so super interesting.
(27:05):
It's like picking up these little threads across and sometimes you can only see them after a period and sometimes you can actually see them right now. And that is pretty interesting because obviously this is the work I do. There is a couple of threads I'm now pulling and I'm thinking
(27:26):
like, oh, this is not going in the right direction. So, yeah, so there's many things what people can do, should do, and how they should use CTI and some very cool stuff. But yeah, I hope that answered a bit your question with a wider
(27:49):
turn.
Pedro Kertzman (27:50):
Yeah, no, absolutely, and to your, uh, uh, I think you were going on that direction. If there was, let's say, one thing you could suggest to organizations implementing CTI, any particular, you know, one single aspect to focus on, any magic pill, if you will, kind of thing
(28:12):
that they should focus on.
Gert-Jan Bruggink (28:17):
Yeah, I think I alluded to it before. So for me, the one thing that the industry is lacking is not showing enough value. That is a symptom of something deeper, and to me, there's multiple reasons why that is the case, and what I always recommend people to do is to explore the concept of systems thinking, and what that is is that you look at an organization
(28:39):
holistically, that you look at an industry holistically, and, and, and that is difficult in an industry where everyone's a scientist and is focused on the here and now, where the amount of indicators and the incidents you're managing now is more important than anything else. So, looking forward, you have to be able to show value and
(29:12):
everything is there to do something different and there to open your eyes and have a discussion on. Well, if we take a wider lens, we're protecting this business process and we aren't talking with these people associated with that business process. You know the Lapsus kids. They will call everybody in each process, right? They will call the parents of these people.
(29:34):
They don't have any ethical boundaries. By the way, this is also one of these threads I mentioned when, when I was very concerned about certain things. This is one of them. Um, but like, that is exactly what, how you need to think, right. You need to, to let go of that siloed thinking and, and systems thinking is one way to do that. I, literally on my desk next to me, I have a ton of books on
(29:54):
scenario planning, systems thinking exactly. I'm going through them, uh, regularly, and you know, I, I deeply recommend people to do so because just sometimes, these ideas just help. Absolutely.
Pedro Kertzman (30:09):
And you mentioned something that, for me, honestly, whenever we're talking about any type of intelligence, in our case, CTI, but could be any type of intelligence, and talking to books, right, probably one of the most ancient books I ever came across is Sun Tzu, the Art
(30:32):
of War, right. If you don't know your enemy, you're mentioning they have no boundaries, if you don't know that, you're never gonna be able to properly prepare to whatever they're trying or they will try to, to do against you. So that's, that's the fundamental piece. Again, could be CTI, but could be any type of preparedness, if
(30:58):
you will. Uh, when you're tackling either, sometimes even competition, right, not only enemies or adversaries, but even, even, even competition, right. Man, that's, that's great, that's great, thank you. And, and, um, let's say, on the consulting, you're talking about the big four. What would be like the difference or the different
(31:20):
approaches you're seeing on that particular sector when tackling CTI and the value from other sectors? For example, what's the main difference between the big four when they approach CTI and the other non-consulting sectors?
Gert-Jan Bruggink (31:38):
Yeah, I think one of the changes I also saw in the last decade is that there's more, much more experience and, and openness to, to, to, to have people who have any background or any experience and translate that to today. So the consulting model in general is real and it's good.
(31:59):
People sometimes just need help and that is just a fact of life. So what I've seen change over the years is that people just got more specific in their requirements and the reason why you would hire a big four team is, it's not because of, sometimes it is because of a badge, right, that you can say that this team
(32:19):
did that, but there's all sorts of other, other defense contractors and all that who have that same vibe. Now the difference is, is that they, that, where are they coming from? And what you often see is that the more, um, the big four consultancy teams, they come from a consulting background, so they bring that level of experience with them and there
(32:43):
is a plus and pros and cons to that, right. The upside is that you get a lot of content quite quickly because they're very small people and, but they're expensive. Um, the downside is you're trying to push their whole consulting stack into your organization. That's. People don't like that, but that is the reality and, but you kind of see that there's, there's definitely consulting expertise
(33:04):
in that, but it will always come from the angle of the product that you're selling. And, and, just to be clear, I have many, many friends in all industries and all sectors, so I totally understand completely how it works. But that is what you need to think about, you know, when you, there's also many, oh, there's also interesting, there's also
(33:25):
many people who started self-employment, even me, in a sense, in 2020. Just building a company with a couple of, uh, friends at the time, and then we started growing and then, you know, that is something that everyone basically does. Um, there, right now, the founder, the founder-led brands,
(33:47):
is definitely a thing. Uh, especially in this, in this field, I consider myself somebody who saw it all and then decided there has to be a different way. So, you know, also being transparent, my way of working is like, I absolutely enjoyed every single moment I had with the big four consulting thing, but I realized that the
(34:09):
consulting model is deeply flawed. So my fundamental approach is like, can we stack the incentives in the correct way, and that is not necessarily product-driven, but that, for example, people get the tools and means to do everything themselves, and they only call me or my team when
(34:30):
they actually have a really, really interesting question. And that is how I, for example, try to, to, to do so, to do it a bit different. Um, does that work all the time? No, it is a hard journey, uh, and, and I think that is also something that people, uh, often not talk about, is we understand
(34:51):
consulting and we understand product, and I'm digressing a bit from your question. I know that, but that is sometimes we only think in black and white, but there's actually something that can happen in between, and that is definitely something. I've seen change. I've seen small companies. Funny anecdote, when I started in the security engineering
(35:13):
space, there was one little brand that just released their new firewall. It was called the Next Generation Firewall, a little company called Palo Alto Networks. They're now one of the biggest security platforms on the planet, fast forward many years, and I think that is also what this does, right. No, that's awesome.
Pedro Kertzman (35:34):
And that nuance, uh, you know, not having only black and white is so important, because those overlooked aspects is often the ones that are gonna come back to us in one way or the other, because we didn't have the ability to be flexible and adapt to different, so many different scenarios
(35:55):
that we have in front of us. And, uh, so you're mentioning books. Any, uh, how you, you know, learn about the industry in general? It's a. It's a. It's a tricky question sometimes when you're talking about CTI, because, yeah, I learned from the feeds because we received so many information through the feeds.
(36:15):
But, generally speaking about the industry, the feeds will be on the operational, right at that moment kind of side. But what about the broad learning from how the industry is reshaping maturity models as well? Who's coming out with a new maturity model? If that happens, you know, how, generically speaking, how you
(36:36):
learn about how the CTI industry is like, moving in and, and all that, any, like, you're mentioning your books.
Gert-Jan Bruggink (36:43):
If you want
to mention the names, I can
definitely put on the description of the podcast, but
any other you know blogs, events you mentioned uh, FIRST as well
that you like to, to be to use to kind of sharp your knowledge
yeah, so so I have a bit of an unconventional answer, because
there is no right answer to all of this yep, um, a book, a feed,
(37:08):
a podcast, I can, I can name some of the stuff I listen to,
but in the end, well, and this goes back to, like a previous
question, you know, one of some of the common misconceptions is
what I see is people not thinking, and I want to
encourage people to be curious and, um, ask to get to to a
(37:30):
certain set of books.
You know, you have to ask yourself the question what do I
think is important?
What do I want to understand and the biggest, the best kept secret of
our industry is that there is no one.
There is no quick win, there is no quick escape, there is no.
(37:51):
All right, let me just roll up this AI summary and then boom,
I'm now an expert.
No, that is not how this works.
So it is absolutely in the trenches it is boring as tease
where you will get punched in the face and you have to keep
going.
That is this work.
So the question is how do you deal with that?
And how we deal with that is by asking the right questions and
(38:14):
then understanding that there's something fundamental going on
around certain threats and campaigns around the
organization.
So how do I protect my organization?
Am I looking at the organization with the right
perspective?
And if you dive deeper in that, you should explore systems
thinking, for example, me.
For example, I'm next to CTI scenario planning, risk
(38:36):
management.
I'm also very interested in scenario planning and that's
more of a content thing, but also I'm an entrepreneur, so I'm
also deeply curious about new entrepreneurial things,
specifically building brands and how does that work?
And and very interesting that that journey leads me to basic
psychology and there's huge amount of overlaps between
(39:01):
behavioral science, behavioral psychology and and cyber
security, interestingly enough.
So there's also numerous books on that, even cultural, cultural,
how to build a team, and all that stuff, um.
But when you get into that deeper understanding that you
all of a sudden will eventually have to get into the task of
(39:24):
today and that could be, you know, tracking what is happening
every single day.
And there's many tools which you can set up, such as some of
them even free, such as using Feedly to translate those
questions or intelligence requirements into something
where you can scrape it from.
Even going a step further, you can just set up your own AI
(39:46):
agentic aspects that just collect everything you need and
based on their automatic prompting, as there's many
things.
But you have to do the thinking, um, and there's a host of
people you should follow, but gen generally, when you
basically know what you're looking for and you understand
(40:09):
it, you will find these people.
You will Google them, you will find perhaps me, you will find
perhaps most of the other people on this podcast or even more.
And uh, yeah, that that is usually how I do it.
And then the next question is where do you find them?
Well, I find them in two conferences actually many
conferences, uh, but most of the conferences I always try to
attend to is is FIRST CTI and SANS CTI.
(40:32):
Um, these are more bigger company conferences, but they
are very focused on the CTI domain.
That is where I basically grew, grew up in um, but actually
there are many, many more.
I even uh for, with a shout out to John Doyle, um, we, I think
(40:52):
on your podcast.
Oh yeah, we once, with some beers, we made a square, the
Gartner Quadrant type of idea for CTI conferences.
It's still a work in progress.
I've put it on my GitHub but it's just so stupid.
(41:13):
But it's so funny to actually have that conversation and think
like, so which are the ones we should attempt?
And then you kind of see some pretty interesting stuff around
very specific conferences focusing on very specific tasks
again, how the industry evolves, and from very big, you know,
all over the place items to something like PIVOTcon,
(41:36):
specifically focusing on the technical aspects Absolutely
brilliant and or even in the US, some of the more crime focused
events, and I can name a bunch more.
But I absolutely love that.
I actually love that we now got in the space in the last decade
where we are able to structure more of the information we have.
(41:59):
We have an unprecedented amount of data, an unprecedented
amount of structure, and now the question I think for the next
couple of years, going into 2030, is like how do we deal with
that?
And, to be honest, if I would do another education piece, it
would not be a master's degree in engineering, it would be a
master in philosophy, because where we're going, we're going
(42:21):
to need philosophy.
Pedro Kertzman (42:23):
Yeah, that's a
good one.
You touched on a very good point as well.
If we look at the whole CTI, the CTI industry is evolving.
For the past few years we never had CTI CTI industry is
evolving for the past few years.
We never had CTI.
Uh, focused conferences right, it was like a part of that
conference.
They had like a CTI track or something like that.
(42:44):
You know, still, I think Black Hat has a CTI track and other
big conferences.
But now we do have, like you mentioned, PIVOTcon is like I
think it's a TLP Red, if I'm not mistaken.
So you cannot simply I want to go there.
So it's really for, you know, professionals that understand
(43:05):
already some of the aspects within the industry.
I want to share their knowledge and it's important to, from you
know, TLP clear or not to have those conferences creating more,
maybe creating more buzz around CTI just to make people think
about it.
It goes back to my point, and you mentioned that as well we
(43:29):
have to think about CTI more.
Right, it's not something that you plug oh, now I have CTI,
right, so imagine that would be perfect.
Right, you plug something in the you know, Ethernet cable
boom, now I have CTI.
That's awesome, I would love that, but that's not,
unfortunately, the reality.
(43:51):
Yeah, that's amazing.
And any final thoughts, reflections, philosophy, things
you think it's worth to share with the audience.
Gert-Jan Bruggink (44:04):
Yeah, so I
think I'll step off my soapbox
and not go into some of the other stuff I mentioned.
I think think you know I've, uh, I'm pretty consistent in what,
what I think and what I share about.
Um, my, my, I think that a lot of people have a voice and I
(44:27):
personally try to actually show people that there is some
something else possible outside of the normal.
You know, uh, it is either a tool or it is a consulting.
You know, it is actually also possible to do something in
between.
It is good to actually change the state or attack the status
(44:48):
quo.
That is also fine.
And I think the next iteration of what we will see in
cybersecurity will not necessarily be a, you know, an
AI agentic approach or whatever, but maybe it will be a
hybrid approach on how people are thinking and supporting that
and integrating everything altogether.
(45:09):
And, yeah, what you can expect from me is that I'll keep
pushing on certain solutions to talk about actual problems and
understand that, bring solutions to market for that and also
bring that knowledge back to the community through frameworks
like CTI-CMM or even radically open sourcing, some content that
(45:32):
people can use.
And that is also to end it off.
You know, that is also an invitation to everyone listening.
If, if you, if you want to contribute on that particular
framework, go to the website CTI-CMM, cti, hyphen, cmm.org, if
I'm not mistaken, and the reality is is that you can just
(45:53):
sign up there for the latest version, for feedback, for
participating, and we actually need all the help we can get and
we are very appreciative of that, and that will also get you
a slot in the document itself, you know.
So that is also a win and you can put that on your resume, so
that is a huge win and, um, yeah, that's awesome that is uh,
(46:16):
that's what I have for you, my friend that's awesome, man, I
appreciate it and uh, you know my my little take about the CTI-CMM.
Pedro Kertzman (46:24):
One of the
things, or one of the highlights
for me, is that you guys went deep into here are the questions
that you need to ask your possible probable stakeholders.
So you kind of go from like a high level understanding of this
is how you structure, this is all the important pieces, the
(46:44):
important components.
But here is, this is how you do it go ask those questions, kind
of thing.
So it's a goes on, uh, from super, you know more management,
uh, leadership type of aspects, but also hands-on, here you go,
go ask those questions.
So it's that's uh, absolutely.
(47:05):
I'll put the link, just in case, in the description as well, so
people can access the.
Please do it the framework.
Uh, absolutely important to get to know in details.
Gert-Jan, thank you so much for coming to the show.
Really appreciate all the insights and I hope I'll see you
around Sounds good mate.
Gert-Jan Bruggink (47:24):
Thanks so
much for being here.
I appreciate it.
Thank you.
Rachael Tyrell (47:29):
And that's a
wrap.
Thanks for tuning in.
If you found this episode valuable, don't forget to
subscribe, share and leave a review.
Got thoughts or questions?
Connect with us on our LinkedIn group Cyber Threat Intelligence
Podcast.
We'd love to hear from you. If you know anyone with CTI
expertise that would like to be interviewed in the show.
Just let us know.
Until next time, stay sharp and stay secure.
(47:52):
We'll be right back.