This morning I was listening to a talk by Ken McCarthy, and he said something that I knew, but that I really hadn’t thought about for a while. Now you might not know who Ken McCarthy is, because he has absolutely nothing to do with security. He’s a marketing guy. But if you’ve been playing along with the home game – or you’ve already been through the Building Effective Security Architectures program…or you subscribe to the Security Sanity™ print newsletter – you’ll understand my fascination with marketing.
If you don’t, well…that’s a topic for another day.
Today, I want to talk about what makes a good security architect. Now, I’ve talked about this a few times and from a few different angles before, but I don’t remember that I’ve talked about this part. However, this part is exactly what Ken pointed out in his talk. He said:
“Wisdom really comes from bad judgement.”
I’m not sure I even need to say this, but in case you’re not clear why wisdom is important to a security architect, wisdom is how we make good decisions. And ultimately, as I said yesterday, architecture is about the decisions we make, with the knowledge we have that we believe will have the best overall chance of striking the right balance between the conflicting demands we get across the diabolical triad of:
Cost vs. Quality vs. Time.
Some of us might be lucky, and we might be gifted with “getting it right” from day one.
But, at least for me, I can tell you for sure that this wasn’t the case. In fact, with probably the project that is really what I would consider my real “life’s work” – which isn’t The Agile Security System™, but it certainly plays a part – I got it wrong a helluva lot more than I got it right.
So good judgment…good security architecture decisions….come from wisdom. And despite what we might think about crutches like “best practices” or your favorite framework, they aren’t really a substitute for wisdom.
Now, in the world we live in – at least in the past – wise security architects were…
Because that’s how long it typically took to get wise. Architects worked on big projects…for a long time…and really only got the chance to make a few architectural decisions in that time. The rest of the time, they were just kinda hanging out, waiting to see if they were right, and tinkering, writing or holed up in their offices learning things like the grizzly old wizards many of them were.
Incidentally…that’s where the whole Ivory Tower thing came from as far as I can tell.
Today, things have changed quite a lot. Some of the security architects I talk to deal with 1000’s of projects every year. That’s separate, independent projects. Not DevOps release hype.
And unsurprisingly, they’re overwhelmed.
However, the unfortunate and kinda crazy thing is…
Many of them aren’t getting any wiser.
And if they aren’t getting any wiser, then they aren’t going to get any better at making security architecture decisions.
Because they literally can’t afford to have bad judgement. They can’t really get things wrong.
The stakes are too high, right?
I mean, if you’re an architect for a major, global organization with billions in revenue, 1000’s of projects, millions of customers and potentially heavy regulations, what are you going to do?
You’re going to play it safe.
You’re going to follow “best practice.”
And you’re going to implement whatever framework has the most market share chapter and verse, because, at least if it blows up, you can play the CYA card of doing what everyone else is doing.
I’m not dissing this—or you, if that’s your world. It’s the reality.
You have to feed yourself, and you need to feed your family if you have one. And, since you’re probably pulling in a pretty good salary, you’re expected to be an “expert.”
But there’s a problem….
If you want to get wise…if you want to become an “expert” people can trust and depend on…if you want to have the confidence you’re making the right security decisions…
You have to make mistakes.
You have to have bad judgement.
Because making mistakes and getting it wrong is actually how we learn. We don’t learn anything when we do it right, and we ESPECIALLY don’t learn anything when we get lucky and just happen to get the right answers.
But…you can’t have bad judgement if you’re afraid of making mistakes…or you can’t take risks…or you’re not given the opportunity to challenge yourself, the status quo or do that whole learning thing.
And then people forget what it takes to become an expert. And they REALLY forget that an expert only stays an expert by constantly learning, because those “experts” that don’t learn are called…
Grumpy old architects.
So if you can’t make mistakes in the “real world” of the projects you’re supporting every day, where can you have the freedom to have the bad judgment and make the mistakes it takes to truly become wise?
You need a safe place. You need an environment where if you get it wrong, it’s ok. Where if you don’t have the right answer, or you don’t really understand something…
…you have the assertiveness to ask…
…and the confidence that you’re not going to be seen as being stupid, lose the respect of anyone, and, most importantly…
…you have the faith that you’re really going to get the answers you seek.
This is precisely the reason the Building Effective Security Architectures program is structured the way its is—so you have that safe space to make mistakes…
…and you have a support environment from not only me, but the rest of the members of the cohort, because they’re in the exact same boat as you—and under the exact same pressures and constraints.
If you’d like to be able to become a wise security architect without getting old…and being able to learn based on making the ESSENTIAL mistakes required to really “get” this whole business-driven security architecture thing…
…without making all of the random, errant and just basically distracting – and near fatal – mistakes I had to make over the 25+ years of my own career…
…then being part of the next cohort of Building Effective Security Architectures kicking off in a few days is exactly the place you need to be. To register and join us, simply go to this link, scroll to the bottom and hit the big, yellow button:
But……..a word of warning:
If you’re not prepared to take a “beginners mind” approach to this, and you think you already know everything about SABSA and being a security architect—don’t bother signing up.
Or…if you’re a technology or TOGAF zealot who doesn’t really want to learn why we do the things we need to do or some surprising and essential skills that have nothing to do with “traditional” architecture—don’t waste our time.
Or, if it just isn’t the right time, you can’t get the budget approval or even if you just have to wash your hair or something urgent like that for the next 7 weeks…
…it’s all good with me.
However, if you’ve been thinking about this long and hard, and you believe that it will really help you get more enjoyment out of your work, build your credibility as an architect…or even just be kinda fun (which, who knows? It just might be)…
…then the registration doors will slam shut exactly at 11:59pm US/Eastern time on the 21st—which is exactly 8 days from now.
Andrew S. Townley
Archistry Chief Executive