Dear Frustrated Security Architect,
I don’t need to tell you that you have a critical role in protecting your organization from security issues and failures. The stakes have never been higher than they are today. The year-on-year growth of critical CVEs increased 38% last year, and the attacks are getting much more sophisticated and pervasive than ever before.
You know as well as anyone: if security fails, the business fails.
Even though you’re a security architect, you often find yourself on the front lines, because you’re the one with the most knowledge, the most experience…
…and ultimately, you're the one everyone expects can “make security work.”
And if you can’t?
You’re the one under pressure. You know what happens when security issues arise.
Projects grind to a halt.
Systems fall over or become locked in a death spiral.
And in the worst-case scenario: you get breached.
Sure, it’s actually happening to your organization, not you personally. But that’s not how it feels. It feels personal. It feels like they’re targeting you.
It feels like you’re the one that failed.
But what if I told you that it wasn’t you—that it wasn’t actually your fault?
My name is Andrew Townley, and I’m the Founder and Chief Executive of Archistry. I work with large, global organizations to help them build better security programs.
What do I mean by “better”?
That’s a really good question. Because there’s a lot of disagreement in the industry about what that actually means. I’ll get to that shortly, but what I do is help security become more effective by being more aligned with the organization’s strategy and operations.
And in doing these things…
…I make it much easier to see the actual value that security provides—value beyond a reactive, emergency response function that only gets measured in terms of response times, vulnerability counts and movement along an arbitrary scale of compliance-based maturity.
I know that it doesn’t seem like this could be possible, but there’s an insight I’ve had recently about why security is so much harder today than it was in the past. This insight is simply that…
…even though “security” is often the one being held accountable for all the incidents, breaches and issues related to our oft-cited “ever-increasing threat environment,” the reality is simply this:
The world changed, but the way we think about security has not.
I realize that this is a pretty bold claim, and you might not initially believe me, so let’s walk through it together. First up, let’s start with the existing security frameworks getting the most attention in the industry today.
NIST is the go-to source of security guidance in the Americas, and ISO is its equivalent in the rest of the world. Both of these provide pages and pages of guidance on what building a “secure” computing environment is supposed to entail. You have seemingly everything you could possibly need. You have governance, you have risk management frameworks, and you have pages and pages of potential control requirements—sometimes overlapping, and conflicting, but hey…at least you’ll be covered.
But it’s not just NIST and ISO that are in play right now. You also have the CIS controls for those organizations “just getting started” (after 75 years?) and, since many people in the industry still think “security” is all about the network, you also have Zero Trust and the official Zero Trust Architecture (ZTA) guidance provided by both government and private sources.
But there’s a problem with these frameworks: they’re incomplete by design.
They tell you what to do, but they can’t possibly tell you what you should do in your environment…
…because there’s no way for them to know.
Sure, we can establish “best practice” or “due care” control baselines, but just because we have the controls in place, it doesn’t mean they’re designed to work together to actually enable and protect the delivery of specific business objectives.
In fact, if you do it wrong, and just blindly “tick the boxes” on any of these frameworks…
…there’s a good chance you’ll end up actually getting in the way of the business doing business, just proving all the established, negative stereotypes of security are justified and true.
Then, of course, we have all our fancy security tools. Over the last 75 years, we’ve created a $220 billion industry for security with an incredible number of new vendors and startups appearing nearly every week. We’ve created more tools, more solutions – and more acronyms – than any human being should ever be required to remember…
…and yet, are we really more secure?
It’s not that the tools are inherently bad. Many of them are essential.
But if they’re used the wrong way, in the wrong place and at the wrong time?
There’s no way they can really help us. This part is obvious, but what isn’t obvious…
…is that the reason for these tools not delivering the value we expect…
…is that they haven’t been deployed as part of an integrated design that defines a true system of security focused on delivering a common objective: enabling and protecting value delivery.
In short: there’s no architecture except one that emerges from sprinkling today’s “best of breed” tools all over our organizational infrastructures.
Then, of course, we have the multitude of certifications. Sure, some of them demonstrate tactical, hands-on skills for operating specific security equipment, but the rest?
Most of them don’t teach you about anything other than security in isolation…
…they only teach you what you should be doing – like integrating and aligning with the business – and they mostly prove you can cram for a multiple-choice exam that tests what you know, not what you can do in practice.
Finally, there are the industry books, articles and courses on how to do security. If you do enough of them, you can get the full range of things from hands-on, ethical hacking to developing security strategy as a CISO, but again, it’s just knowledge.
What matters isn’t knowledge.
What matters is knowledge that’s applied and put in practice in a way that delivers value. And the only way you have to be able to do that across all the existing solutions and advice…
…is to spend a whole lot of time and energy trying to synthesize it all into a coherent, non-overlapping and non-contradictory set of ideas, relationships, skills and strategies that will somehow seamlessly work together…
…to give you a better approach to protecting your infrastructure from threats and vulnerabilities to deliver confidentiality, integrity and availability for your systems and data.
Systems and data.
Assets.
Things you can kick.
Not things people really care about.
And so, after all this time, energy and effort – sometimes spanning years, because I know it took me about 10 to really see what was happening myself – you still don’t know hardly anything…
…about enabling and protecting the things that matter most to your organization.
And you haven’t a clue how to either deliver or demonstrate that intangible thing the people in your organization actually crave:
Confidence.
Because, at the end of the day, whether it’s being able to get into our cars to nip down to the shops for a pint of milk…
…or it’s being able to deliver $100 billion in annual revenue…
…the only thing that lets us sleep at night without being worried…
…is the degree of confidence we have that we’re going to get what we want.
The good news is that…
We already have a way to talk about what security should really be doing.
That's right. Even though we won’t be able to get much help in demonstrating or delivering confidence to our security stakeholders – people I call our security customers – by using the existing guidance and solutions for security alone, we already have something that will work.
And if we use this idea and approach, we will finally have everything we need to not just build better security architectures.
We’ll be able to build security architectures as integrated systems that are robust and reliable in delivering business objectives, not just at the level of individual infrastructure components.
The thing we need that already exists yet we’re not currently using to its full potential, despite it being in front of us all the time…
…is operational risk.
Because operational risk is about understanding the things that will keep us from achieving our objectives…
…and then defining the mitigations necessary to ensure we have the appropriate level of confidence that nothing will disrupt us when we try to deliver them.
Focusing on operational risk means we’re focusing on the right things that enable us to adapt and change with the organization instead of fighting against it.
Focusing on operational risk means we’ll spend less time stressed and fighting fires and trying to prevent changes or lock down things we don’t even own…
…so we’ll spend a lot more time doing exactly what our organization needs us to be doing for them…
…because what they really want is a way to know that they’re going to achieve their objectives.
Focusing on operational risk shifts our focus from trying to control the entire world at once…
…to only trying to control those things we can directly influence.
We don’t have to fight so much or work so hard because the shift to operational risk means that we’re far less concerned about threats and vulnerabilities that we can’t predict or control…
…so we can focus on managing the impact of what might happen instead.
That’s the power of operational risk: it's not about how something happens, it’s about being prepared for when it does so we still have the best possible chance to deliver the objectives the organization cares about.
It doesn’t mean we forget everything we know. It simply means we can focus our efforts on the things that truly matter most…
…instead of spending all our time sucked into the whirlwind of the “ever-increasing” threat environment that keeps us frazzled and endlessly chasing our tails.
And the best part?
We can use the concept of operational risk to define and design true security architectures that are completely independent of any particular technology, infrastructure component or even implementation approach.
This is what true architecture is about, because true architecture is about the design of a system that is robust and reliable in delivering a specific function to the larger systems of which it is a part.
That might sound a little strange, but if you understand systems, you begin to see that there’s never really any “top” or “bottom” to a system, because you can always “draw another box” around whatever you have to make it a part of some other system, or you can subdivide whatever you have into smaller and smaller pieces.
Your security function is a system within the larger system of your organization, just like your organization is a system in the larger system of the national economy.
Architecture is the design of a system, so when we’re talking about security architecture, what we’re really talking about is designing the approach to ensuring your organization delivers its objectives, which isn’t possible simply by selecting controls from a list and plopping them down in the middle of your infrastructure.
Security can only deliver value to your organization…
…if it’s actually architected in a way that ensures this is happening.
That’s why security without the right kind of security architecture isn’t working for us today. It’s not about just the controls.
It’s about how all those controls work together to ensure the organization works as intended. And this can’t happen if security keeps getting in the way.
But it can happen if security is designed in a way that is truly integrated and aligned with the organization. That’s the ultimate outcome and benefit of starting with my revised definition of security, because you can’t have an outcome without some level of confidence someone has that they’re going to get it.
And if you want more confidence?
Well…then you’re going to need to define better, more integrated and more effective security.
That means compliance is secondary, because compliance is how well we’re doing delivering value for the business.
But it doesn’t mean we can ignore laws and regulations. Of course not.
They’re built in to the requirements for what is and isn’t possible to do when you’re defining how you go after the objective.
They’re known up front.
They’re not an afterthought.
And when you do all these things, it means you end up with a system of integrated controls that truly delivers value to the organization. You have a security function that is a clear strategic enabler, and you have finally created…
A Value-Driven Security Program.
A Value-Driven Security Program is similar to, yet slightly different from, what you might hear other people talk about. Other people talk about being “business driven,” where that means a security program that’s defined as a set of solutions to business problems. A Value-Driven Security Program takes this concept one step further, because it doesn’t simply start with business problems and requirements. It starts from the definition of value that someone – anyone – should be able to experience, and then it ensures that security is an integral part of how that value is delivered to a customer.
Being value-driven means that there are clear links not just to the business itself and what it’s doing. It means that it addresses the problem of demonstrating the value of your security program head-on and unflinchingly by tying the definition of security to the delivery of a business objective.
A New Definition of Security
In the Value-Driven Security Program, the definition of security isn’t based on confidentiality, integrity or availability, although those characteristics will still be delivered to the degree they are required by the technical infrastructure and business process. Neither is it based on attempting to ensure that the technology infrastructure is somehow free from threats or vulnerabilities, as none of these things are fully under the control of the organization. It also isn’t based on achieving an arbitrary level of “compliance” with internal or external standards, although any laws, regulations or legitimate mandatory controls will certainly be accounted for.
In the Value-Driven Security Program, the definition of security is the degree of confidence someone has that they’re going to get what they want. It doesn’t specify what that degree should be, because only the owner of the objective can establish how important achieving it truly is to them.
Security Based in the Real World of Today—not the Past
The Value-Driven Security Program is based on the reality of the world around us, being able to represent that reality as systems of systems, the fundamentals of human psychology and behavior and the foundations of basic economics as the study of human behavior under scarcity. These fundamentals are important, and they are one of the primary reasons that security can finally be integrated seamlessly as a critical part of delivering a business objective and no longer thought of as simply a necessary cost, inconvenience or mandatory consideration.
Security Delivered as the Result of a System
There are 3 essential parts to realizing a Value-Driven Security Program, and, like any system, these essential parts work together in very specific ways to ensure that everything I’ve described above can be delivered within your organization. These 3 parts and what they deliver to the Value-Driven Security Program are:
- The Security Value Delivery System™ – gives you a reliable way to describe your security program as a system of essential elements that must be present to demonstrate business alignment and prove value is being delivered
- The Agile Security System™ – gives you a simple, reliable and effective approach to create security architectures at any scope that are focused on business outcomes
- SABSA® – gives you the fundamental abstractions to talk about the essential parts of your organization, what matters most and how to structure your approach to security in a way that evolves and adapts to your needs over time
Security that Enables and Protects Value Delivery
One of the defining characteristics of the Value-Driven Security Program is its ability to identify and surface the fundamental value-delivery networks inside your organization. While every organization is indeed unique, the variations relate more to how these value delivery networks are prioritized and operated, not in the way they are defined.
Security Architecture at the Organizational Level, not just the Infrastructure Blueprints
As a result, the ultimate foundation of the Value-Driven Security Program is a robust, straightforward and easy to understand definition of what your organization is and how it works. This definition and description is what I call your true security architecture, because having the right level of confidence that each of these relationships will deliver what you want is a fundamental prerequisite of your organization delivering its mission and purpose by executing its own unique strategy.
Unfortunately, most organizations view security architecture as the low-level blueprint for technology control deployments. This makes it extremely difficult to connect anything security does to anything the organization cares about—regardless of whether it’s a commercial enterprise, non-profit or government agency.
Leveraging the Best of SABSA®
Leveraging the layered architecture approach described by SABSA, you can easily describe and extend the existing security architecture you have today and understand how it should be connected to what the organization cares about. In most cases, there will be many gaps and “dangling links” between what you’re doing in security and what the organization sees as important. Closing those gaps in the fastest, most reliable way is done by applying The Agile Security System to help you define the missing pieces of your security architecture and the Security Value Delivery System to establish, maintain and demonstrate the alignment and value of your entire security program to the entire organization—from the Board of Directors down to individual project owners and sponsors.
Why It Works
Many organizations have already attempted to address some of the issues I’ve highlighted—sometimes, more than once. And yet those changes either didn’t “stick” or they failed to deliver the promised results.
A Flexible and Adaptable Approach That Meets You Where You Are Today
Building a Value-Driven Security Program using the Security Value Delivery System is different because, while it describes all the essential things you must be doing to deliver an effective, aligned security program that delivers tangible value to your organization, it doesn’t mandate any particular mechanisms by which you do it.
This gives you not only the maximum amount of flexibility and opportunity to integrate and adopt whatever industry frameworks, mandatory standards or “best practice” tools, techniques and methodologies are available today, it also gives you the opportunity to address the areas with the biggest potential benefit at the pace your organization can absorb. There are no “big bang” mandates, adoptions or sweeping organizational changes required.
Of course, I’ve found that there are certain techniques, practices and approaches that have proven beneficial to both myself and my clients in the past. All of these are available as options you can select for implementing or addressing specific areas that you wish to change.
Clarity on the What and Why of an Effective Security Program
Further, many times organizational politics or the day-to-day realities of “the way things work” can derail or disrupt attempts to change the way security is either done or practiced. One of the benefits of the Security Value Delivery System is that it’s aligned to the fundamentals of what organizations need to be doing, as industry experts and leaders in organizational design and process efficiency recommend.
It doesn’t presuppose any organizational structures or management approach. It can easily help you understand the organization as it is right now more fully than you have before so that you have the best chance to find the leverage required to make lasting change. Further, as your organization grows and matures, you can determine exactly which areas to enhance at what rate to ensure continued alignment and support.
Actionable Practices Based on Proven Theory
Another reason it works is that it provides the right balance between theory and practice. While the fundamentals of both The Agile Security System and the Security Value Delivery System are based on established theory, this theory has been completely integrated into the mechanisms and practices of the system so that you know exactly what to do in exactly the right place to fully take advantage of the fundamental theory without feeling lost or overwhelmed.
In fact, depending on the individual roles involved in delivering the Value-Driven Security Program, most of the theory sits quietly and invisibly in the background once you’ve learned how to use the core concepts and models it provides.
Start with the Way Things Actually Work in Your Organization
However, the real reason that it works is that everything security does is anchored within the conceptual model of the way things actually work in your organization today. Therefore, building out the basis of your true enterprise security architecture is one of the first critical enablers on which everything else depends.
A Fast, Lightweight and Practical Approach to Security Architecture with SABSA®
Unfortunately, I’ve seen many organizations struggle to do this themselves in the past because they’ve felt overwhelmed and buried by the requirements – or their perception of the requirements – of various methodologies and frameworks—including SABSA.
The good news is that, over the last 2 decades, thanks to my extensive experience across multiple disciplines of architecture beyond just security architecture, I’ve distilled and packaged everything required to build out value-driven security architectures that are truly aligned with your organization and that tangibly support the delivery of business projects.
The best news of all is that you don’t have to figure it out on your own, nor is it overly difficult or complex to implement. I’ve recently distilled everything I know about building the foundation of an effective, value-driven security program down into something I call…
The Security Architecture Accelerator™ Program.
The Security Architecture Accelerator is a focused and practical introduction to building SABSA security architectures using The Agile Security System. It helps experienced security architects and engineers used to focusing on the details of the infrastructure make the transition to thinking conceptually about security and security architecture. Far too often security architects and engineers become experts in using, configuring and planning specific types of architectures, but they aren’t really spending time creating or understanding the architecture of the organization itself so they can see what they really need to be enabling and protecting.
Express Security Requirements in Clear Business Terms
Being a security architect and building effective security architectures is about much more than just modeling the threats and vulnerabilities of a system or network. It’s about being able to understand what the real security requirements are based on identifying, evaluating and understanding the operational risks that will prevent the organization from getting what it wants. This moves the focus of security from managing threats and vulnerabilities to delivering resilience and demonstrating confidence to our security customers that they’ll achieve the outcomes that they ultimately want to achieve.
What You Will Learn
The Security Architecture Accelerator is a self-paced program consisting of video lessons to help build the critical skills required to transition from infrastructure architect to being able to build a true enterprise security architecture. This program doesn’t try to complete this journey all at once, however. It simply lays the groundwork with practical examples and instruction to start you on the journey.
At the end of this program, you will:
- Understand the roles of the security architect and how they fit into the overall structure of your security program beyond managing the infrastructure
- Articulate how security architecture forms the basis of the effective security program and describe how enterprise security architecture differs from the common practice of security architecture in most organizations today
- Create abstract, conceptual models of the way value is delivered in your organization to achieve specific objectives the business cares about and identify the appropriate mitigation strategies to ensure its success
- Build and maintain your enterprise security architecture using lightweight documentation created by an agile and iterative approach
- Communicate effectively with your security customers in their language to give them the level of confidence they require that they’ll get what they want
- Effectively support secure project delivery by building the right models at the right time to ensure security requirements are identified and implemented
- Measure the value of your security architecture in business terms to demonstrate to your security customers how security helps them achieve their goals and objectives
The program itself is broken down into two distinct parts so that you’re introduced to the most relevant theory and practice based on the topic being covered. Each of the parts of the program is described below.
Part 1: Understanding Security Architecture
The first part of the program begins with the work you might be already doing today as a security architect. It helps clarify the difference between the architect and the engineer in terms of the role and value each provides to your security program, and it defines 3 specific and distinct types of architects your organization should have in order to build a Value-Driven Security Program—regardless of whether each role is filled by the same individuals at various times or whether dedicated resources are assigned to each role.
Why Security Architecture Matters More Than Your CISO May Think
Next, the program describes the relationship between security architecture and the rest of the security program by providing a brief introduction to systems thinking. Once the foundation of systems thinking is in place, then we cover the notions of value and the nature of the true risks to value delivery.
How to Shift from Reactive to Proactive Security
This foundation then sets the stage for talking about how security can shift from being reactive and focused on the technology infrastructure to addressing the real risks the organization faces resulting from cyber and information security impacts. This shift lets you understand how to build solutions that are not just compliant with your mandatory controls but which also deliver both resilience and confidence to your organization and its critical stakeholders.
In this part of the program, you will learn:
- The clear boundary between architecture and engineering so you can permanently end the debate about who does what in your security team
- What an Enterprise Security Architect should and should not be doing to ensure the organization has the right security capabilities for long-term success
- The specific responsibilities of the security architect when it comes to supporting both Agile and traditional project delivery efforts
- Why the majority of the work you’re doing as a security architect today isn’t the kind of work that will ultimately reduce security delays
- The reason that the traditional definitions of security and security architecture practically guarantee that security will remain a separate, unwanted and under-appreciated part of the organization
- Why all we do in security eventually comes down to the basics of economics and human behavior
- How understanding the way a pizza is delivered can show you where to focus your efforts as a security architect
- Useful definitions and distinctions between the scope of Enterprise Security, Information Security, Physical Security and Cyber Security that you likely don’t think about today
- How you can “automatically” determine what your security architecture should be for any project, problem or issue you might investigate
- Why you ultimately only need two simple models to unpack, understand and define what security means in any situation
Part 2: Building Architecture
The second part of the program builds on the concepts and techniques described in the first part and puts these into practical action to show you how to build security architecture deliverables that are not only easy to create and consume but which are also welcomed by your security customers. The specific roles and responsibilities for each type of architect are presented along with specific examples.
Creating Effective Architecture Deliverables People Want
Once the deliverables for each of the 3 architecture roles have been described, a detailed walkthrough of how to create the most important ones is provided.
In this part of the program, you will learn:
- How to create a robust, value-driven security strategy that the business can understand and support using a simple, 3-step process
- How to create an effective enterprise security architecture by capturing the smallest amount of information for the maximum impact and benefit
- How to define and deliver modular, reusable and easy to integrate security capabilities that will enable you to systematically reduce the delays due to security
- How to plan and deliver the right level of security input and oversight to both Agile and traditional projects
- How to use the ultimate risk assessment “cheat code” that combines the best parts of both qualitative and quantitative risk assessments for maximum speed, clarity and effectiveness
- How to efficiently describe risk mitigations and treatment strategies for the maximum amount of reuse and leverage while providing reliable and robust assurance they have been implemented as planned
- How to clearly demonstrate the value of your security architecture in plain, business-friendly terms using 3 different sets of metrics
- How to efficiently and effectively communicate with your security customers by leveraging the foundation of your security architecture and your knowledge of what they care about
- Specific guidance and tips for minimizing and eliminating delays due to security
- How you can start applying the techniques in the program immediately to the work you’re already doing—even if it’s only initially for your own benefit
Program Materials
Video and Audio Content
While the core content of the program is delivered in both video and audio directly from your mobile phone using the Archistry Learning app, you have options for exactly how you consume it. For example, you can download the entirety of the program to your phone for off-line use, and you can also make notes and annotations about important points of the program directly in the app as you watch or listen to the program.
If you’d prefer a “big screen” experience, it’s both simple and straightforward to stream the content from your phone to an external device, such as your computer or your living room TV. This means that you don’t have to miss any of the details on any of the program slides simply because the content is on your phone.
Complete Program Transcript
Along with the audio and video content, you also get the program materials in the form of a complete, hand-edited transcript. This transcript isn’t just an automatic export of the audio using some kind of AI tool. This transcript has been carefully formatted and edited to ensure it provides both a reliable reference and stand-alone way to consume the materials in the program. Each of the important slides has been included in the right place so you can easily go back and review, highlight or annotate it using your favorite tools.
This transcript is also fully exportable from the mobile app, and it is yours to use as you see fit within the terms of the accompanying program license agreement. You can even go ahead and print your own physical copy of all 140 pages if you so desire.
Security Value Delivery System Map
The Security Value Delivery System Map is the primary reference for the elements of an effective, value-driven security program. It is your go-to tool to both diagnose and resolve specific issues in your security program, because each aspect it must deliver to support the 3 core value streams of your organization is clearly identified and organized in terms of both the nature of what it does and the activity it supports.
You are free to export the Map and print it for your own use in understanding, diagnosing and improving your existing security program.
Generic Value Delivery Threat Model
One of the biggest objectives of the Security Value Delivery System is to reduce and eliminate delays and waste in your security program. One of the biggest causes of delays and redundant, unnecessary work is the way risk assessments are typically performed. Part 2 of the Security Architecture Accelerator program demonstrates how to use the Generic Value Delivery Threat Model™ to support fast, effective and reliable risk assessments for service delivery.
The Generic Value Delivery Threat Model is fully exportable so you can freely print and use it to support your risk assessments, threat modeling and mitigation planning efforts using what you’ve learned in the program.
BONUS 1: Security Value Delivery System™ Adoption Blueprint™
(Worth $2,499)
While the materials in the Security Architecture Accelerator will help you get started building security architecture in a way that helps you clearly and accurately communicate and support the C-suite executives, board members and the rest of the organization, it doesn’t talk about how you can create a plan to operationalize these activities in the most efficient and effective way possible.
The Security Architecture Accelerator program helps you build the core knowledge, understanding and skills to do the work, but if you want the best chance of building the business case and creating a sustainable approach to rolling it out in your organization, then you’ll need a blueprint.
That’s where the Adoption Blueprint comes in.
The Adoption Blueprint gives you over 70 pages of detailed and specific guidance, tips and insights to enable you to successfully integrate everything you’ve learned in the Security Architecture Accelerator into your current security program—regardless of what it looks like today.
This blueprint is the exact same information that I use when I plan and execute the typical 18-month adoption programs I do with my high-end, private clients. To have me do this with you personally typically can cost between $500,000 and $1,000,000 depending on the scope, schedule and specific support requirements we’ve agreed.
However, inside the Adoption Blueprint you get my exact playbook for what I look for as the right starting point, how I structure and plan the engagement and the ways I engage and communicate with the key stakeholders in the organization to ensure their ongoing participation and support. So, while it might seem impossible to put all of that in one place, the real value in the Adoption Blueprint is the distilled wisdom I’ve gained from helping organizations do these kinds of adoptions for over 20 years.
Here’s a preview of what you’ll find inside:
- Specific guidance for key members of your security team – including your CISO and security architects – on how they can use the blueprint for maximum impact
- An introduction to the design and structure of the Security Value Delivery System, including how it supports each of the core value streams of your organization
- How the activities of the SABSA lifecycle are applied to each aspect of the Security Value Delivery System to avoid questions or confusion about what needs to be done
- The role of the Security Value Delivery System in effectively operationalizing SABSA within your security program and why it’s defined the way it is today
- Why the Security Value Delivery System is truly extensible and future-proof to allow you to leverage the current and emerging industry guidance and best practice you believe is the best fit for your organization
- How to run and execute each aspect of the Security Value Delivery System within the organizational structure of your existing security team
- Exactly the steps required to create your own customized and focused improvement programs—entirely on your own
- Examples of the most common types of improvements I’ve helped clients achieve in the past and exactly how each of the relevant elements of the SVDS Map relate to implementing it
- How to use the SVDS Map to diagnose and address the most common causes of security delays in project delivery
- Why the common methods used to calculate and report organizational risk exposure don’t work and how to use your enterprise security architecture to fill this gap
- A set of representative roles and responsibilities that must somehow be present in your security program to ensure nothing gets left out
- How to create your own security metrics that matter by focusing on what matters to your organization—including examples I’ve used successfully in the past
- What “security value” really means to your organization and how to easily demonstrate it to your executives, the Board and the rest of your organization
- Exactly which metrics you should be tracking inside your security program to demonstrate improvement, alignment and sustained value delivery
- The exact steps I use with clients to enable the successful implementation and adoption of Secure by Design using the Security Value Delivery System to enable the creation of a sustainable competitive advantage for your organization
- 3 different startup approaches you can use to begin building your own Value-Driven Security Program based on your own goals and organizational culture
- Specific adoption pitfalls I’ve experienced in the past and how to avoid them on your own adoption journey
- …and much, much more because, like clients have told me about the Getting Started with The Agile Security System book: it’s small, but every time they re-read it, they get a new level of insight and understanding. I’m sure that you will experience exactly the same thing with the Adoption Blueprint.
The Adoption Blueprint is a rare look inside my head and reveals my own approach and thinking based on working with organizations since 2010, specifically to adopt and integrate SABSA as an architecture-based approach to security into their organizations.
I’m sharing it with you now so that even without working with me directly, you’ll have the best chance of successfully applying and adopting everything you’ll learn as part of the Security Architecture Accelerator program for two reasons:
- I want to make sure you get as much value as possible from your investment in the program and nothing is going to keep you from applying what you’ve learned; and
- because it’s simply impossible for me to work with everyone directly. There’s not enough time, and time is something we don’t have in this industry – or your organization – to shift the way we’re thinking about security and start getting better results.
It’s time we changed the way we’re doing security, and if you’re serious about doing this, then with the Adoption Blueprint you’ll have the best chance possible to make it happen—whether you end up working directly with me or not.
BONUS 2: On-Demand Community Support and Continuing Education inside the Archistry Club™
(Worth $17,719)
Included in your Security Architecture Accelerator program is 3 months of FULL MEMBERSHIP in the Archistry Club™ (the Club). The Club is really the next step in ensuring you have the ongoing support, education and community interaction you need to apply what you’ve learned in the program, both immediately and as you grow your skills and expertise with The Agile Security System.
Your Club Membership is not restricted in any way, and includes the full benefits and privileges of being a member of the Club. Here’s a summary of what you get.
Live Monthly Club Calls
Sometimes you just need to talk to someone to figure out what to do about something that has you stuck. Fortunately, as a Club member, I’ve got you covered.
Each month you can join me LIVE on the Club Call™! Club Calls are where we gather each month to make sure we keep moving forward and that any issues or dangling threads you have in your understanding of how to make progress are addressed.
Not only that, but here are a few other aspects of the Club Calls designed to make them as valuable as possible to you every month:
- All of the calls are recorded—except where something sensitive is being discussed, and you’d rather the recording be paused as we address your issue
- You have FULL ACCESS to the COMPLETE ARCHIVE of Club Calls going back to the very first one on July 28th, 2022
- Even if you can’t join us live, it doesn’t mean you miss out. If you submit your question to me ahead of time, I’ll make sure to either answer it on the Club Call for everyone else’s benefit and participation, or, if we run out of time, I’ll record you a special, personalized reply that will also become part of the Club Call archive
- The call schedule is fixed in advance, so you always know when we’re going to have them
And if we run out of things to talk about, we’ll just have an open conversation instead about whatever’s on the minds of the people who have joined us live.
Access to the Private Club Slack Community
One of the biggest challenges we face in our struggle to be true architects is that we often do it alone. Nobody really gets what we’re trying to do. People don’t understand that a true architect is more than just a technical expert in an architecture.
And we often feel isolated and lost when things get tough.
Well, the whole purpose of the Club is to bring like-minded security professionals who are truly interested in bringing a value-driven and risk-based approach to security to their organizations together so there’s no more feeling like you’re the “Lone Ranger” out there.
You aren’t.
And when you’re stuck, you can always pop in to the Private Slack Workspace exclusively for Club members and reconnect.
Because it’s exclusive to Club members, it means everyone knows the rules. And, more importantly…
…everyone knows the consequences if those rules are violated.
But sometimes it’s not about feeling alone and stuck.
Sometimes, it’s about wanting to share in your successes with people who truly “get it” on a more fundamental level than most of the people you engage with every day.
That too is what the Private Slack Workspace is for. In fact, some of the best, most engaging posts are about the wins people have, the progress they make…
…and the unexpected enthusiasm and adoption of their ideas by people outside security!
And, whether you’re stuck or you’re celebrating…
…the Club Workspace is there for you 24x7x365!
Access to the Club Masterclass Vault
As security professionals, we face a number of different challenges each and every day—and a good many of them ostensibly have nothing to do with “security” at all.
There’s also the fact that, no matter how well something may be written or presented…
…there’s no substitute for actually watching someone do it from “over their shoulder” so you can catch all those things that are either implicit, “understood” or just flat-out “too obvious” to mention in the Security Sanity™ newsletter, a book, or the content of other programs.
That’s where the MONTHLY MASTERCLASSES come in, because this is where I go deeper than I can on a single call or issue of the newsletter to talk about all the things you really need to know – and show you exactly how I do it – each and every month.
Now, I won’t say they’re all going to be “over the shoulder” sessions or case studies of how to tackle a particular task—because there’s a whole lot of other stuff we need to cover too to ensure you’re successful as a security architect and your organization’s security program is as effective as it can be. However, my goal is to have at least 30% of the masterclasses being more “hands on” affairs, with the rest being coverage of the topics, concepts, practices, tactics and related theories or skills I think are essential you know.
Not only that, but you have IMMEDIATE ACCESS to the complete archive of the masterclasses from the moment you join.
Here are some of the previous masterclasses waiting for you inside the vault right now:
- How you can start building and using the Architecture Wall in a fast and practical way
- What it takes to build reusable security assessment architectures, so even if you can’t “shift left” the way you want, you can still reduce the time and effort for gate-based security
- How you can leverage the power of Gen-AI in the right way to help you build security architectures—without sharing any confidential or proprietary information
- The 3 fundamental view types found in any kind of architecture model you’ll ever work with
- A case study of applying Architecture Archaeology to the OWASP Top 10
- How to use The Agile Security System to help you tame the complexity of your organization’s business environment and technology infrastructures
- A deep-dive on the power of using SABSA domains by defining dimensions for decomposition, pivoting and abstracting your security architecture
- How to use the Business Model Canvas to understand and communicate organizational risk exposure to executives and the Board
- The right way to handle the interface between your security program’s non-operational requests and the rest of the organization
- An “over-the-shoulder” walkthrough of building an iteration’s Architecture Wall based on walking through the process of Architecture Archaeology using a typical solution architecture
BONUS 3: Getting Started with The Agile Security System™ eBook
(Worth $65)
This Getting Started eBook is short, focused and to the point. There’s no fluff, and it assumes you have the ability to fill in the blanks and start from what you already know. It will help you get MORE value out of the Security Architecture Accelerator program because it goes deeper into some of the core concepts, thinking and details of The Agile Security System than is possible in a program like this.
Ultimately, it gives you one more resource to help you get the most value you can out of the Security Architecture Accelerator program, because here’s a very small glimpse of what you’ll find inside this eBook that will be delivered to you immediately via the Archistry Learning mobile app:
- Why The Agile Security System is different than any other approach to building security architecture. See Page 27.
- The one simple “tweak” I had to make when I taught SABSA Foundation to make the power of SABSA’s standardized RACI really “click” for delegates (which worked so well, other instructors ended up stealing it too). See Page 45.
- Why we’re often forced – kicking and screaming – into doing “bottom-up” architectures (including what we’re really supposed to be doing when we do it). See Page 69.
- The only tool you’ll ever need to clearly, easily and quickly define the scope of the security architecture you’re working on. See Page 54.
- Want a more effective security program? Just do this. See Page 18.
- The only legitimate way to achieve – and maintain – true “business alignment” with a security program of any kind. See Page 17.
- Why there’s really no such thing as either “top-down” or “bottom-up” when it comes to doing security architecture. See Page 72.
- Unlock the critical relationships between domains and the systems of “systems thinking” or synthetic thinking. See Page 31.
- How you can realistically apply SABSA successfully while ignoring the rest of the 20+ frameworks it defines (illustrating that it’s no wonder you were a bit lost after the 5-day firehose of SABSA Foundation). See Page 25.
- Why it’s a really bad idea to conflate the concepts of value, price and cost when you’re talking about security architecture—or anything, for that matter. See Page 49.
- A detailed guide to building out a physical Architecture Wall™ that will beg to be updated, foster engagement across your team and help you stay focused on what’s really important about your organization’s security architecture. See Pages 83-84.
- What’s CRUD got to do with it? It’s probably not what you think, and it has nothing at all to do with databases. See Page 33.
- How The Agile Security System extends the core SABSA domain concept to make it even more powerful than it already was. See Pages 30-35.
- The drop-dead-obvious relationship between the discovery of the domains in your architecture – new or already there – that allows you to begin to start “seeing” architecture in your head. See Page 35.
- How to discover the network of attribute relationships in any architecture (just use this one simple tip, and you’ll have more connections between attributes than you’d imagined were possible). See Page 98.
- How a “handful of paper” just may well be the only kind of security architecture documentation you really need. See Page 82.
- A “hidden” truth about the nature of the “deliverables” defined by SABSA (something that both gets unsuspecting architects in hot water and nearly assures the ultimate destruction of many SABSA adoption efforts). See Page 22.
- …and much, much more, including who our 7 basic types of security customers are and how to figure out what they’re expecting from us (see Page 79)…why “standard templates” for security architecture are the Devil you actually never want hanging around your neck (see Page 81)…the single biggest mistake people make that ultimately leaves SABSA sitting on the scrap heap of your security program (see Page 22)…the 8 most important attributes you’ll ever meet as a security architect (see Page 41)…the 3 things to look for to measure your progress as a security architect, regardless if you’re using SABSA and The Agile Security System (see Page 86)…and the surprising “secret” as to why being curious is one of the most important habits a security architect can have right there on Page 19!
BONUS 4: Architecture Ignition Kit™ Starter Pack
(Worth $299)
In 2023, I created several additional templates and worksheets useful in building architectures called the Architecture Ignition Kit™. The full kit has over 40 worksheets to help you flesh out certain sets of relationships in the Baseline Perspectives and costs over $1,000.
However, the essential templates and worksheets required to get started with The Agile Security System have been pulled out and packaged together as the Architecture Ignition Kit Starter Pack.
In the Starter Pack, you’ll find downloadable, printable versions of the following:
- The Enterprise Baseline Perspective, External Baseline Perspective, Service Baseline Perspective and the Value Stream Baseline Perspective
- The Domain Impact Worksheet
- The Context Analysis Worksheet
- The Physical Domain Template Worksheet
- The Logical Domain Template Worksheet
- The Security Value Streams™ Reference Model
- The Security Governance Model™
BONUS 5: Monthly Insights and Fresh Thinking in the Security Sanity™ Print Newsletter
(Worth $291)
How would you like to get extended, in-depth and actionable information you can use immediately in your work as a security architect in your mailbox every month—absolutely FREE??
Well, along with your Security Architecture Accelerator program, that’s exactly what you’ll get.
In fact, these issues have been the source of multiple talks at the legendary COSAC security conference, and one of them was once even called the best presentation of the conference by several attendees—and they didn’t get the full story.
But you will, because you’re going to get the complete issue every month, and you’ll be able to refer to it as often as you like as you put what’s inside to use each month. Some of the most popular issues have covered such topics as:
- How the SABSA® governance model – when properly applied – demonstrates just how little COBIT® knows about “governance”
- A practical framework for describing customer value developed by Bain & Co. mapped against what some of our highest priority security customers care about most
- Why most people completely miss the fundamental issues around what’s involved in successful Cloud Security (and how to describe it better using SABSA’s attributes, domains and governance model)
- The only 4 types of risk assessments you’ll ever need to worry about making sure you do
- How to properly understand the discipline of Enterprise Architecture—well beyond the train wreck that is TOGAF®
- Why you can always start your security architecture with the same set of “Essential 8” attributes, regardless of what you’re trying to “secure”
- A back-to-back set of issues covering a case study using SABSA to analyze the SolarWinds attack and demonstrate why the MITRE® ATT&CK® framework will keep us chasing our tails in security
- The reason security is still only ever about access control (and the amount of leverage this unlocks when you “do it right” and only “do it once!”)
- Revealing the embedded architecture of the NIST CSF using the Architecture Archaeology™ approach of The Agile Security System™
- What you need to know if you really want to achieve “zero trust” (and how properly understanding SABSA means you’re more than 80% there already)
What People Are Saying About Andrew As A Thought Leader, Speaker, Educator, Coach and Mentor
Real Security Architecture
“With Andrew's help, I've learned more about real security architecture than SANS or any other course would ever provide. I could not recommend him more highly as a teacher and mentor in this space.” Simon L. – Enterprise Security Architect
A True Thought Leader
“Andrew is a highly skilled and experienced architect and consultant. He is innovative in his thinking and a true Thought Leader in his specialist domains of knowledge—in particular the management of risk. Andrew has also been a significant contributor to expanding the SABSA body of knowledge.” John Sherwood – SABSA® Creator and Chief Architect
Makes Things Work
“Fabulous person to work with. Very engaging and insightful. Extremely good technical knowledge with ability to relate concepts together and overcome differing opinions. Makes things work.” Kevin Howe-Patterson – Chief Architect, Nortel - Wireless Data Services
Clarity, Depth and Breadth
“Andrew was able to bring clarity and great depth of knowledge to the table. His breadth of thinking and understanding of the business and technical issues along with a clear and effective communication style were of great benefit.” Doug Reynolds – Product Manager, MobileAware
Fabulous Consultant
“Andrew is a fabulous consultant and presenter that you simply enjoy listening to as he manages to develop highly sophisticated subjects in a very understandable way. His experience is actually surprising!” Biljana Cerin, Director, Information Security and Compliance
Interesting, Useful and Full of Ideas
“Found the link to the July issue and read through this afternoon. Think you’ve done a really good job with it and especially around the objective of it being interesting, useful and full of ideas—which the newsletter easily met. Really looking forward to the September issue. If, in the unlikely event an August addition become available, I would happily purchase!” Andy Smith – Security Architect
Finally Getting ROI out of SABSA
"I took SABSA training, but Andrew made me understand how to really apply it to do security architecture and security by design after struggling for 8 years on my own. I wish I’d found you earlier in my career. Thanks for all you do!" Tereston Bertrand – Enterprise Security Architect
A Source of Sanity
“I have been working flat out the last 2-3 weeks on a very detailed program. The one thing that has kept me sane has been your daily emails about the Archistry training. Keep those great emails coming!” Shane Tully – Enterprise Security Architect
Compelled to Subscribe
"Reading your blogs and content I was rolling at some of the references you make. You write like the frustration of the past guides your fingers across the keys. I was compelled to subscribe to the newsletter." Vince Nalin – Enterprise Security Architect
Thought-Provoking, Practical Ideas
"Your thought-provoking messages about security, leadership … are welcome. I enjoy reading them. There are many ideas which can be applied to the work, even within the limits of a heavily-regulated organization like my employer." Helvi Salminen – Information Security Manager
An "Aha!" Moment with SABSA
“As a SABSA certified practitioner I’ve always been puzzled how to apply SABSA cohesively and consistently across the organisation. Until reading Agile Security System which was an Aha moment. Great content and very practical/solid approach with no fuss. I'm only halfway through watching the Accelerator and already blown away. Very structured and well explained. I've already incorporated a lot of learning from it in my security program.” Kevin Alavi – Enterprise Security Architect
Why TODAY Is The Day To Accelerate Your Organization’s Security Architecture Program
Every day things get more complicated, more intense, and less secure. There are so many attacks, exploits and vulnerabilities to chase, it’s impossible to keep up. Security is bombarded by more and more alerts that are harder to classify, diagnose and address…
…and even if you haven’t admitted it consciously yet…
…there’s NO WAY we can continue doing more of the same things, the same way, with the same thinking.
In fact, according to some research I did recently, I projected out the current historic growth rates of security teams and budgets as a function of the overall IT budget.
Where today we have somewhere between 40 and 150 people on the security teams inside Global 500 organizations and the budget is typically around 10% of the total budget for IT…
…if we don’t change what we’re doing and growth and complexity keeps pace with historic trends…
…by 2035, we can expect security teams of between 200 and 1,500 people and the budget allocated to just security being between 60–90% of the total IT budget.
That’s the reality we’re facing if we don’t change things now, start focusing on what we can really control, and be able to work truly smarter and not harder when it comes to what we do in security and how we structure our security programs.
Now, more than ever, your organization needs an effective security program that demonstrates obvious value, and right now, it isn’t.
Current research shows that 20–40% of the delays for large technology projects are due to security…
…and the average duration of those delays is between 8–12 weeks.
And when you really look at it correctly, it’s not about budget overruns or missed deadlines the way we think about the impact of security delays today…
…it’s actually about all the things that aren’t getting done, money that’s not made, and customers who aren’t supported.
You can never get that back.
You can only decide to start doing something about it.
Every day you stay stuck firefighting, chasing threats and vulnerabilities and triaging operational issues…
…is a day that you’re not actually doing the real job of a security architect.
Once you’ve learned and begun to apply what you’ll discover inside the Security Architecture Accelerator program, you’ll actually be able to create the time to do security architecture properly…
…because you won’t need to be solving operational problems.
They simply will disappear, slowly at first and then more quickly over time.
Because you've redesigned the system of the way security is done across the organization…
…all based on what you'll get out of the program.
So, if you really want to make a difference, and if you really believe that robust, resilient security architecture isn’t an optional extra…
…then TODAY is the right day to start doing it.
The faster you can fix your approach to security architecture, the faster your team, your organization and even your career can start moving forward.
I know you can do it, because I've seen it happen.
All it takes is you making the decision to take action.
Stay safe,
—
Andrew S. Townley
Archistry Founder and Chief Executive
Before I give you the opportunity to grab your copy of the program and all the bonuses I just described, I’d like to briefly summarize everything so it’s clear what you’re getting. There’s a lot to this offer, and I don’t want there to be any doubts or confusion as to exactly what you get as part of the full Security Architecture Accelerator program.
Alternatively, if you would not like to benefit from getting 3 months of direct support from me along with all the benefits associated with membership in the Club and your complete roadmap and blueprint for operationalizing what you’ve learned in the program that’s described inside the Adoption Blueprint for FREE as part of the full program, then you also have the option of only purchasing the basic Security Architecture Accelerator program, including only the Getting Started with The Agile Security System eBook and Architecture Ignition Kit Starter Pack.
Each of the two options is shown in detail below.
Your purchase today of the FULL SECURITY ARCHITECTURE ACCELERATOR PROGRAM includes:
- Security Architecture Accelerator™ core program and content (worth $2999)
- Getting Started with The Agile Security System™ eBook (worth $65)
- Architecture Ignition Kit™ Starter Pack (worth $299)
- Security Value Delivery System™ Adoption Blueprint™ (worth $2499)
- 3 months of the print Security Sanity™ newsletter (worth $291)
- 3 months of Live Archistry Club Calls™ (worth $7399)
- 3 months of Archistry Club Masterclasses (worth $1497)
- 3 months of access to the Archistry Club private Slack community (worth $1047)
- 3 months of access to the Archistry Club Masterclass Vault (worth $7485)
- 3 months of access to the FULL ARCHIVE of over 50 previous Club Calls™ from July 2022 (Priceless)
- LIFETIME access to the full program content, the eBook and the Architecture Ignition Kit Starter Pack – including all future updates (Priceless)
TOTAL COST: $23,581
PRICE TODAY: $3999 (down from $23,581)
NOTE: This offer includes a 3-month trial of the Archistry Club as a FULL MEMBER. After the trial period, you will be billed monthly $349 for your Club membership, including the Security Sanity newsletter subscription. You may cancel your Club membership at any time. However, if you cancel BEFORE the trial has been completed, you will IMMEDIATELY lose all benefits and privileges of the Club, including access to any pending issues of the Security Sanity newsletter.
Your purchase today of the BASIC SECURITY ARCHITECTURE ACCELERATOR PROGRAM includes:
- Security Architecture Accelerator™ core program and content (worth $2999)
- Getting Started with The Agile Security System™ eBook (worth $65)
- Architecture Ignition Kit™ Starter Pack (worth $299)
- LIFETIME access to the full program content, the eBook and the Architecture Ignition Kit Starter Pack – including all future updates (Priceless)
Not included in the BASIC program:
- Security Value Delivery System™ Adoption Blueprint™ (worth $2499)
- 3 months of the print Security Sanity™ newsletter (worth $291)
- 3 months of Live Archistry Club Calls™ (worth $7399)
- 3 months of Archistry Club Masterclasses (worth $1497)
- 3 months of access to the Archistry Club private Slack community (worth $1047)
- 3 months of access to the Archistry Club Masterclass Vault (worth $7485)
- 3 months of access to the FULL ARCHIVE of over 50 previous Club Calls™ from July 2022 (Priceless)
TOTAL COST: $3,363
PRICE TODAY: $2999 (down from $3,363)