Whether we consciously recognize it or not, the stories we grow up with tend to influence our thinking more than we might realize. And that’s a good thing, and in fact, it’s probably one of the reasons humans have lived as long as they have without all being eaten by prehistoric critters. It’s one pretty ingrained way to pass along tribal knowledge.
One such story I’m sure you’re familiar with is the story of the 3 little pigs. You know the one, there’s the big bad wolf with a taste for pork, and each of the pigs decides they’re going to build themselves a home. One chooses straw, one chooses sticks, and the 3rd one makes his of bricks. And they all live happily ever after, after giving that old wolf’s backside a good scalding when he tried to climb down the chimney.
Your version might differ slightly, but I’m working from my official copy of the 1973 Walt Disney “Little Golden Book” edition of the official standard.
If you think about it, this whole “security maturity” quest on everyone’s agenda can be represented as a 3-level maturity model for the story of the 3 little pigs.
Obviously, the first little pig with the straw house gets a score of Level 1, because at least he makes an effort, and he knows he needs to do something other than laugh, sing and play all day.
But that first little pig is basically leading a check-the-box, compliance-driven security program.
Have walls? Check.
Have a roof? Check.
Have a door? Check.
Ok. You’re good. Now, run along and play.
The story of the second little pig’s security program is much the same, but he was apparently a little better at negotiating the security budget allocation. Whether this was based on his own innate negotiation chops or he had the help of a particularly persuasive stick vendor is unfortunately left to the imagination of the reader.
Either way, the control strength of security program #2 worked out a bit higher than his brother’s, naturally at the expense of investing more time while his brother was already done and singing and playing a merry little tune as he watched the work proceed.
Now obviously, the experienced external audit team took account of the enhanced strength and resilience of the controls, so there was no argument that the maturity of program #2 was Level 2, Defined, because there was nothing at all reactive about the way he built his house…
…I mean, look at all those sticks…and the time and effort it took to turn them into a house!
Unquestionably a pre-planned and well-managed effort, little pig. Well done.
Little Security Leader Pig #3 had done his detailed threat modeling and knew that not only was there a wolf lurking in the nearby woods, he also apparently had this novel attack vector whereby he could use the brute force of his very breath to bypass the majority of the available controls. But he, being a serious and earnest pig, had read all the “best practice” guidance against high-velocity wind attacks and knew the integrated, unified, and optimized building material control standards back to front. As such, there was no possible way he wasn’t going to target the tippy-tip-top control capability he could find…
…since he didn’t really want to wind up in the belly of a big, bad wolf.
When the auditor came around, not only did little pig #3 have the required walls, roof, and door. He also had Windows and a fireplace, covered black from the carbon of burnt wood—proving without a doubt that it had been well-and-truly tested.
Clearly, you’re at Level 3, Optimizing, my fine little piggy friend. And well done to you!
How much did he spend?
Well, we truly don’t know, as the story doesn’t tell us. However, one can imagine that since his house was made of bricks and had a solid door, glass windows, a fireplace AND a baby grand piano, his security budget was a LOT bigger than those of his brother pigs.
Oh, and it took a lot longer than the others to put in place too.
So long, in fact, that had the wolf chosen a different plan of attack than testing and breaching each of the lower maturity level security programs first, it’s highly possible that the happy ending we all know might not have been quite so happy.
So, clearly, the higher the level of maturity in your security program, the better prepared you are for big bad wolves who jump out of the deep, dark forest. And maybe, just maybe, what they say about “getting the basics right” and working your way diligently up the maturity scale is the right way to go.
If you have the budget, and you can justify the investment and you can demonstrate the net value…why not?
However, the one other small…little…perhaps inconsequential thing the story also doesn’t tell us is…
…the 3 little pigs were engineers.
And as engineers, that means they’re really good at solving problems, and figuring out the best use of the materials around them to solve said problems.
But they’re not architects. And they’re certainly not security architects.
And so we’ll never know if there were better, more agile or more cost-effective ways to be able to party all night and sing and dance all day while keeping the big bad wolf at bay.
Because that’s really what we do, isn’t it?
We not only have to solve the problem at hand…
…we have to make sure we pick the right solution…based on ALL the relevant factors of our environment, what it is we really want, and with a clear understanding of the cost, effort and net value we expect that solution to provide—not just now, but in the future too.
And we have some ideas how to measure it…and monitor it…so we know when something material is going to change…
…and we have to come up with a better solution…
…or even decide that our old solution is no longer necessary.
We can do this because we see the big picture—not just the wolf, the tools and the materials.
Now maybe you can do this as well as you’d like today, and, if you can, I salute you—and, in fact, I’d love to have a conversation with you to hear more about how you did it.
However, not everyone can. And not only that, there are those people – and those security programs – who seem to think that the threat-based, engineered approach to security is just fine.
Architecture’s either a luxury for which they’re collecting pennies to spend on some other day…or there’s the belief that architecture is somehow optional altogether.
I hate to break it to you, but whether you pay attention to it or not…
…everything has an architecture.
If you’d rather know what you should build before you do it – and be able to grow, shape and mold that architecture into a shape you know will deliver the results you want – then perhaps joining our 7-week Building Effective Security Architectures program would be of value to you.
You’ll learn exactly how to quickly, clearly and reliably ensure that your security program makes the right trade-offs on speed, quality, cost and confidence.
All you need to do is click this link right here: https://archistry.com/besa
And register to join us starting from the 24th of February. That way you’ll be able to leverage everything I’ve learned, know and built over the last 14 years so you – and your security brothers and sisters – can get to laughing, singing and playing all day a helluva lot faster than I ever did.
Or, you can always take – or continue to take – the “engineering” approach to security, where your architecture grows organically, you struggle to predict what will happen, and…well, if the wolf doesn’t blow the house down, you must be ok.
So the question is really pretty simple: What are you going to do?
But your time to answer is running out, because if your registration isn’t paid and confirmed before Friday the 21st, I can assure you, you’re on the wrong side of the door…
…and no matter how much you huff and puff, I won’t let you in—not even by the hair of my chinny-chin-chin.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. It was brought to my attention that there were some issues with the sales page recently, so if you noticed it being just a wee bit wonky, I apologize. Those problems were fixed earlier this morning.