How long would it take you to create an actionable enterprise security architecture from scratch for a project charter for an organization you’ve never seen and have no real industry knowledge about?
One of the detailed examples I mentioned before that’s included in the book I’m letting you decide whether I should write is the result of a time-boxed experiment I did when I updated the initial level-setting exercise for the Building Effective Security Programs with The Agile Security System™ (BESA) online course. It’s the exercise you do at the end of the first week to put a stake in the ground to determine how much progress you’ve made at the end of the 7th week.
I’d originally done it to see what was possible to do when applying The Agile Security System according to the 7 principles, 14 practices and the 3 Baseline Perspectives, because I wanted to see if I was setting an unrealistic expectation. It also gave me a good idea of what using all the new documentation techniques and approaches would look like in practice, so it was a test and validation in both cases.
The project charter document is real, and I borrowed it from the Internet. It’s 20 pages and describes a typical legacy system replacement for a government agency.
Could I do something that I would think was usable architecture based on applying the system in the 2-hour time limit that I set for the exercise? That was the challenge.
And, the answer was, yes. Yes, it is possible to create a baseline ESA using the principles, practices and domain models in 2 hours. Of course, I have 14 years of doing it under my belt, and I invented the system, so I wouldn’t expect yours to look exactly like mine…
…but if that’s what you think the expectation should be, you’re missing the point. The point is whether or not it helps you do your work better, faster and more consistently.
So you get an idea of what I mean by this kind of security architecture, here’s some stats:
Documented domains: 22
Business goals and objectives: 57
Risk factors: 45
Mitigations (Business Drivers and Security Drivers): 24
Attributes (unique): 49
Domain-Attribute mappings (DOMA): 120
Candidate subdomains: 75
Is it final? No.
Is it perfect? No.
Does it have all the layers completely documented? No.
Is it usable by the team to start making the next set of security and implementation decisions?
Yes. Absolutely.
Those stats are what I discovered when I analyzed the information from the 22 Domain Worksheets you’d create by hand and place on The Architecture Wall™ as the primary representation, documentation and communication mechanism for your architecture. In doing that analysis, I transferred the bulk of that information to the basic templates we have for the Cybersecurity Edition™ of the Archistry Execution Framework™, and I have to say that just copying the information from the worksheets and into the templates – which are also included with the book, BTW – took longer than it did to create and document the architecture in the first place using the system.
And, by following the system and working under a tight deadline, it also meant that I only focused on the essentials of what I would’ve otherwise captured or engineered if I’d been using the templates in the first place—like I did for basically the first 13 years of building SABSA security architectures.
What does this mean to you?
I’m not really sure.
But I know what it meant to me at the time. To me, it was the most visceral validation that applying The Agile Security System to a real project not only created value quickly, but that it also produced the correct essential documentation and description of what security meant to the scope of what you were doing.
And all I did was apply the principles, practices and the Baseline Perspectives.
If you want to save over $4,700 off the price of sitting the 7-week training course and get the full details of the system and how to apply it in practice, with a step-by-step guide to adopting the techniques within 30 days, you can pre-order your very own printed copy of The Definitive Guide to The Agile Security System right now for only $247.
Yes, I know. The book doesn’t exist yet, and there’s no guarantee that I’ll write it, or that I’ll honor my promise I made before about giving you your money back in November if I don’t get the 10 pre-orders required to justify writing it.
And the book won’t ship until mid-January at the earliest.
It’s also going to be quite heavy given all the content and the examples that’ll be packed into it.
…and it’s going to include some of the content from the BESA course, the previous issues of the print Security Sanity™ newsletter and possibly even some of what I’ve written in these emails, so you may have seen some of it before.
But if you’d like to be able to build SABSA security architectures in a systematic, repeatable way that builds on and borrows the 14 years I’ve been doing it, you’d better get moving if you want the early adopter discount.
Here’s the link: https://archistry.com/go/dgpo
After the 31st, if I get the 10 orders, the price will go up by at least $100, and in January, it’ll cost $497.
Whether you want it, and, if you do, how much you want to pay for it, is entirely up to you.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. Are you stuck on some kind of security architecture, risk assessment or other issue that’s been driving you crazy? Do you want to get some quick advice that might help get things moving again? If you do, then I’d be happy to try and help. Book a one-off, problem solving session using this link: https://archistry.com/go/1pss.
P.P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com