Back in the day when I was a wet-behind-the-ears CS student with a 14.4K modem and a NeXTcube on my desk (yes, I was very lucky, and it was a helluva upgrade from my previous Zenith Z-183 laptop), I discovered the pbmplus library. I actually don’t remember why I needed it, but it was the first thing that made the whole 2^n vs. 2n algorithmic complexity thing click in my head, and that’s why I still remember it every time I think about this type of problem.
Let’s say your organization is heavily invested in ISO certification, so you need 27001, but then the regulations change, and you now need to figure out how to demonstrate you’re “compliant with” NIST CSF (or any other framework du jour). There are a few different ways to handle the problem:
- You could go through your individual security policies and active control environment and, line by line, try to figure out how those relate to the new framework or the latest legislative lawyer’s brain-fart
- You could wait for someone to go through and do a mapping of the controls in your old framework to the new one (and trust they’re going to do it right)
- You could take a different approach
The value of pbmplus to the image-conversion world was that it defined an intermediate format, so if you wanted to convert any input image to any output image, you only needed to write 2 converters. And if the conversion to the intermediate format was lossless, then Bob’s your uncle.
From a security architecture perspective, SABSA’s attributes and domains are the ultimate risk/cyber/information/security/execution strategy interchange format. Using a standardized set of domains and attributes, you can demonstrate compliance, support, alignment and value with any new requirement that comes along simply by using 2 of the practices of The Agile Security System™, read critically (Practice 7) and use the Baseline Perspectives (Practice 8).
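An added illustration of the hub-and-spoke idea in Python (example code, not from the newsletter or from The Agile Security System): each framework is mapped once to a shared attribute vocabulary, any pairwise mapping is derived from that, and a control with no attributes surfaces as the lossy case the intermediate cannot bridge. Framework names, control ids and attribute sets are constructed samples.

```python
# Hub-and-spoke control mapping: every framework is mapped once to a shared
# intermediate vocabulary (attributes), and any framework pair is derived.

# Constructed sample data: control ids and attribute names are illustrative.
FRAMEWORKS = {
    "ISO27001": {
        "ISO-AC-01": {"access-controlled", "authorised"},
        "ISO-BC-01": {"available", "recoverable"},
        "ISO-LOG-01": {"monitored", "traceable"},
        "ISO-HR-01": set(),  # never mapped to an attribute: a lossy spoke
    },
    "NIST-CSF": {
        "CSF-PR.AC": {"access-controlled", "authorised"},
        "CSF-RC.RP": {"recoverable"},
        "CSF-DE.CM": {"monitored"},
    },
}


def converter_counts(n):
    """Directed pairwise converters vs. hub converters for n frameworks.

    Pairwise: every ordered (src, dst) pair needs its own map, n*(n-1).
    Hub: one map into and one map out of the intermediate per framework, 2n.
    """
    return n * (n - 1), 2 * n


def derive_mapping(src, dst):
    """Map each src control to every dst control sharing an attribute."""
    result = {}
    for control, attrs in FRAMEWORKS[src].items():
        matches = sorted(c for c, a in FRAMEWORKS[dst].items() if attrs & a)
        result[control] = matches  # empty list == cannot be bridged
    return result


def coverage_gaps(src, dst):
    """dst controls that no src control reaches: the audit findings to expect."""
    reached = {c for hits in derive_mapping(src, dst).values() for c in hits}
    return sorted(set(FRAMEWORKS[dst]) - reached)


if __name__ == "__main__":
    print(converter_counts(10))
    print(derive_mapping("ISO27001", "NIST-CSF"))
    print(coverage_gaps("NIST-CSF", "ISO27001"))
```

The reverse direction shows the caveat from the pbmplus story: because ISO-HR-01 was never given an attribute, no CSF control can reach it, so the intermediate is only as good as the completeness of each spoke.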
Once you’ve done that, making predictions about any necessary changes required to survive external audits “in the new world” is nothing short of being “Elementary, dear Watson.”
That means you’re more responsive, more “agile” in every sense of the word, and you’re drinking pints in the pub/sipping cocktails by the pool faster than your fellow security architects who are still slogging away trying to figure out whether they’ve missed anything, or are lost in a mountain of documentation, policies and architectural models—assuming they exist.
Can you perform this magical feat without The Agile Security System?
Of course you can. All you need to do is have a suitable set of SABSA attributes and domains in place for your organization that helps you identify, organize and communicate your risk management approach, policy framework and how those are delivered by your operational security controls.
A lot of organizations have done it, that’s true.
But a lot more haven’t, because they get stuck trying to make it happen, and if they build something, they’re not quite sure if they’ve done it right.
The upcoming Definitive Guide to The Agile Security System set to ship in mid-January provides a complete system for building SABSA architectures quickly and consistently, and a set of comprehensive, annotated examples that you can use to cross-check your own work and validate you’re doing it right.
Why would that be of value?
Because with a SABSA security architecture, you can prove your security program is aligned with the business, you can better manage your security control investments and you can respond to “requests for security” faster and with more confidence.
All of this means you build your credibility and trust with the rest of the organization, they like you better, and you get more money to do what you need to do.
If you want a complete system – a blueprint, if you like – for delivering this seemingly Utopian dream, for real and based on 14 years of real-world security architecture and program change, and you want it for 50% less than it’ll cost in January, here’s the link:
These are the exact steps you need to take so you can do the right work in the right order, and you don’t have to waste time figuring that out yourself.
If I don’t get the 10 pre-orders I need, then everyone who has ordered so far gets their money back in November. If I do get the orders, on the 1st of November, the price goes up by $100, and after that, it’ll be $497 in January.
Get it if you want. Don’t if you don’t.
But if you don’t, and you’re still not happy with the way you do security architecture in your organization, there really won’t be any excuses left. It’s all there, in full color, but you will still need to do the work to get the results.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com