It’s the holiday season, and that means it’s always a time to break out the family holiday traditions. For me, it is doing stuff like putting up the Christmas tree (which we did), but you gotta do it in a particular way, mind you. And there’s another family tradition my mother and I used to do:
The Christmas Jigsaw Puzzle.
Now, I’m not talking about Christmas-themed puzzles necessarily, although we’ve done those. It’s really just a special, new puzzle that was purchased specifically for the purpose of the holidays where you can sit around when you’re disconnected from everything else, and everyone can work together to complete it.
Over the years, the setting of the puzzle-building has certainly changed. It used to be around the living room fire, wearing sweaters and trying to keep warm against the cold and frosty wind outside. Now, whether it’s the mountains of Cape Town or the beaches of Maceió, it’s more about sipping cold drinks, wearing swimsuits and trying to stay cool.
However, until today, I’d never really thought about how much my strategy for building puzzles influenced my overall approach to building security architecture. And it’s also something that I’ve taught my kids when I showed them how to build puzzles too—which they love doing.
Now maybe you have your own approach, and you’re going to “poo poo” mine. And that’s ok. Whatever works for you. However, I’m going to explain it anyway, because it’s actually something I now realized is baked into the fundamental approach to building security architecture defined by The Agile Security System™ and presented in great detail in the upcoming book, The Definitive Guide to The Agile Security System.
Step 1: find the borders.
No matter how complicated the puzzle is – even if it’s one of the crazy ones that is just a solid color – there’s always that set of pieces which, in Sesame Street terms, “is not like the others.” And that knowledge is a powerful piece of leverage, both in building puzzles and in building architecture—if you can figure out which ones those pieces are.
And once you have them, you figure out how they fit together…what the border of the puzzle…the outline…is supposed to be.
Now, this is potentially more important than you might think, because it gives you some boundaries, and constraints. More importantly, it gives you a reference point that you can use – and which you can communicate to others – so you can get early indicators whether you’re on the right track or not.
Step 2: separate the apples from the oranges
This is also somewhat straightforward, and how much you do is ultimately dependent on the puzzle you’re doing. If they’re all the same color, then this part is more complicated, but if the puzzle is any kind of real picture, then there’s going to be some broad themes you can identify. Maybe it’s based on the color of the pieces. Maybe it’s based on the part of the picture. But there’s gotta be some way to reduce the cognitive overload about the world so you can identify some candidate groupings of “apples” vs. “oranges” to prevent you from basically doing a linear search over the whole table each time you’re looking for the next piece of the puzzle. Fundamentally, this is Principle #5 of the system, violently encapsulate complexity, working hard on your behalf.
Step 3: make the obvious connections
Now that you have the apples separate from the oranges, you can start focusing your efforts on filling in part of the picture. You’ll see patterns. You’ll see shapes. And you’ll see that these 3 pieces are the head of the giraffe, and this is the tail of the lion.
So you start putting them together. And more and more of the picture takes shape. And then small connections – the 3 pieces of the lion’s tail – connect with another 5 pieces of the lion’s body…and suddenly, out of the chaos of 500 puzzle pieces, you start to see the things you really care about—the individual animals within the panorama of the Tanzanian savanna.
And fundamentally…that’s all there is to it.
Rinse. Repeat. Connect the pieces.
Of course, in our world, each individual puzzle piece can itself be a separate 500-5,000 piece security architecture jigsaw puzzle, and that’s certainly a challenge. But that’s exactly why the principles and the practices of The Agile Security System are what they are—to help you tame any problem you’ll ever face…
…by using a simple, easy to remember and internalize system…
…that’s designed to keep you safe…
…by being small enough to internalize into automatic behavior—habits for security architecture.
And that’s all it is, really. Just building puzzles. Small pieces become big pieces and then you place those bigger pieces in the right place in the border – or frame – you’ve already built.
It’s not easy. But it is simple.
If you’re on the cusp of unleashing your internal security architecture super hero, and the above was enough to enable that transformation, then there you go. It’s my holiday present for you.
If, on the other hand, it still isn’t clear, and you want more detailed, practical guidance than metaphors of puzzles and safari animals can give you about security architecture, then my holiday present to YOU is $123 off the regular price of The Definitive Guide…
…if you act now and pre-order the book before it’s actually finished. To do that, here’s the link:
Right now, I’m madly working away to get all the content pulled from COSAC talks, our Building Effective Security Architectures course, past issues of the Security Sanity™ print newsletter and literally hundreds of worksheets, examples, templates, process references, diagrams and other sources of inspiration I’ve never shared outside our work with customers and clients together into the content of the book and the bonuses that go with it.
None of this stuff has ever been all in one place before, so it’s a pretty big deal—and the clock is ticking…both for me…and for the pre-order discount.
Because when the book is finished and ready to go to the printer on or around the 15th of January, the discount disappears and the book will only be available for $497.
If you want it, and want to save some extra money you can use for an extra present for the ones you love—or even yourself, then now’s the time to order.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. You might have noticed a bit of a gap over the last couple of days in my emails. And that was actually unplanned, but it was trying to address the feedback I’ve gotten regarding the lack of a “proper” sales page for the book. Like you, I’m not always 100% on top of everything I need to do either, and so the gap was trying to address this issue.
If the lack of a full description of what’s in the book is a showstopper for you, then I can understand that. There will be a “proper” sales page behind that link instead of just a checkout link at some point between now and January 15th, but I can’t promise you when.
In the meantime, here’s what I’ve said before about the book and the bonuses at a high level to tide you over and show you even more about what your hard-earned cash will get you—or, you might decide that it’s better spent on those holiday presents.
Either way, thanks for reading. I do appreciate it.
P.P.S. So here’s the deal: you’ve heard me talking about the pre-order of the Definitive Guide to The Agile Security System™ print book to ship in January. As I’ve said before, it’s everything I know about how to build business-aligned, customer-focused, architecture-driven information and cybersecurity programs—
Along with a few companion pieces to make the puzzle complete in the form of a number of bonuses that I use every day when I do this stuff with our consulting customers, the students in our training programs and with our coaching clients.
In case you forgot what the bonuses were:
- A fully-engineered guide to using the CIS20 controls with SABSA architectures
- 55 Attributes directly lifted from the AEF Reference Architecture that intersect with – but are different from – the attributes you get in the Blue Book
- Visio, OmniGraffle and draw.io stencils for creating security architecture models following the Archistry Security Modeling Language™ (ASML) notation
- A fully-engineered guide to using the NIST CSF with The Agile Security System, including domain and attribute mappings for the control objectives and coverage of what you’re really doing when you apply it in your security program
- The fully-engineered guide to using the VERIS risk taxonomy in the risk assessments we’ll cover in the core of the Definitive Guide. You need something, and this one passes the “Goldilocks Test” as being “just right” for the 80% of what you’ll need to do in practice
And the core book covers the 7 Principles, the 14 Practices and the 3 Baseline Perspectives™ you’re going to use as the basis of The Architecture Wall™ that provides agile, visible architecture across the whole organization’s business and technical teams.
What I didn’t have before was the working TOC (still subject to change), so here it is:
Chapter 1: The World We Face—why all the things we think we should be worried about aren’t necessarily where our focus should really be.
Chapter 2: Defining Agile—what people may not know about “real” agile and why it’s critically important to both the business and your security program. This chapter incorporates some of the material from my COSAC 2018 talk on Agile SABSA that hasn’t yet been republished.
Chapter 3: Core SABSA Concepts—no, it’s not a book to help you get the SABSA certification exam, and we’re not going to cover any more than we absolutely need for you to put the Agile Security System to use in your organization as quickly as possible.
Chapter 4: The Principles and Practices of Agile Security—this is a combination of some of the material from the course and some of the information I presented in the August 2019 issue of the Security Sanity™ newsletter that’s no longer available. It’s updated and expanded based on some things that just wouldn’t have fit in the August issue—even as big as it was.
Chapter 5: The Baseline Perspectives™—this is where you really learn the kind of leverage possible from applying the system and the importance of both the 3 Baseline Perspectives and the Architecture Wall in giving it to you.
Chapter 6: Understanding the Business—you can’t protect what you don’t understand, and you can’t hope to get people to talk to you if you can’t relate to what they care about. This is kinda a “business 101” short course to help you better understand the worlds of our security customers (which happens to be a Principle of the system, remember?).
Chapter 7: Building Architectures—here’s where we get into the nitty-gritty of applying everything to build security architecture—in hours, not days. It also covers how you can build a security architecture for anything, and how to go about that process of architecture archaeology I was talking about before.
Chapter 8: Architecture Process Integration—having a system that works hard to keep you safe is great, but you still need to understand how it fits in with all the other systems, methods and delivery approaches you might be using already. We cover integrating the system with the core SABSA lifecycle activities defined by our own Archistry Execution Framework™ (AEF), typical waterfall/SDLC and of course, our Agile friends—including DevOps and DevSecOps.
Chapter 9: Where to Go From Here—so now you can build security architectures at will…now what? What’s the next step? What do you do with it? How do you socialize and expand your use and influence enabled by your shiny new architectures? Those are all questions we’re going to talk about in this chapter.
And there’s some appendices, references, templates, worksheets and other good stuff—some of which I’ve never before made available outside Archistry—even to our customers and clients.
So there ya go. There’s a lot in it, and it’s going to be a pretty hefty block of paper hitting your doorstep if you buy before the official launch once it’s “finished.”
As always, the choice is yours. Here’s the checkout link again—just in case: