One thing that often happens when people finally discover that security architecture is a whole lot more than the way their security infrastructure is connected is that they’re all “hot to trot” and want to stand up an enterprise security architecture program from scratch. This is excellent, and one should never underestimate the power of enthusiasm.
However, the problem with enthusiasm alone is that it will eventually run out of steam. And, you’re going to have plenty of people who want to suck the wind out of your sails.
First off, you’re talking about changing something. For all the overt and vocal virtue-signaling about embracing change because of “being agile” or just because it’s the reality of modern business…
…that’s about change that doesn’t apply to “them” (whoever “them” happens to be that you’re trying to convince to change).
When their world is going to be impacted, it’s a whole other ballgame, thanks very much. Of course, we shouldn’t be surprised by this. Routines and the familiar help us get through our daily lives mostly on auto-pilot. If someone kept moving the car from where you parked it last…or the physical location of your house…or even the brand of toilet paper you use every day, it’s going to set off all these little disruptions in your brain, which wants to find some way to get back to daydreaming about whatever will potentially be in the next episode of The Mandalorian…
You know, important stuff like that which takes some serious frontal-focus processing.
Secondly, at the moment at least, you know more about something than they do. And many people have a hard time with this—especially if they’re supposed to be “the boss”. I’m not saying that your organization’s like this, but what I am saying is that I’ve seen this play out before my very eyes, and it can get pretty ugly, pretty quickly.
If you’ve had the architectural epiphany and you’re the first one to do it, it means that you can probably see a number of different areas where your security program – and, in particular, whatever you’re doing that steers the design of your ultimate security solutions – is probably falling a bit short. So, not only are you:
- asking people to potentially change the status quo, and
- more informed than they are…
…you’re probably pointing out areas for improvement they’re already aware of, but they don’t know how to change…making them feel bad that it’s not already addressed, and, depending on how you go about it, potentially making them look bad as well.
It’s kinda the 3-strikes-and-you’re-out rule before you’ve even gotten 2 steps in the door. And another budding architecture effort, flush with the potential to dramatically transform the way the organization thinks about and executes security…
…slumps quickly in a heap, dead. Right next to the ones attempted by the last 3-12 people standing right where you might well be standing today.
Very few organizations are going to change their view of security – and security architecture – just because it seems like a good idea, or because someone says they should.
Well, I take that back. Maybe if your name starts with a “G” or an “F”, they will. But otherwise, you’ve gotta try a different approach if you really want to get the job done.
Step 1: find a quick win that provides exponentially more value to someone besides you than the effort it takes to pull it off.
Here again, however, there might be a problem. Because figuring out just which value proposition is the right one that will get you the support you need to pull an architecture program outta your hat can be a bit tricky. You’re going to need to know a lot about your team, the kinds of things it’s doing, and you’re going to have to understand what’s really going to make a difference…
…not to mention how you can enable that difference with the existing skills you have with security architecture—real, business-driven security architecture, that is.
Sometimes, even knowing this is what you need to do, it’s still harder to execute than you might think. Fortunately, you don’t always have to answer these questions alone. You can, of course. But if you’re already stuck, someone standing over you, shouting “Try harder, damn it!” probably isn’t the motivation you really need to get moving again.
If you do manage to get through Step 1, then the rest isn’t going to be smooth sailing either—because there’s always resistance for the time it takes to make the value obvious and to reach a critical mass that’s likely to be self-sustaining.
I’m not quite sure what I’d do in your situation either. But what I do know that you might not is the kinds of questions to ask to figure out what that “next right thing” should actually be so that the next time you try and “do architecture”, the results move the needle.
And, assuming that you’re ready, it’s something that I can help you figure out. But you might not be ready—for any one of your own 800 million-thousand reasons, which is totally fine.
If you’re stuck and you want to talk about the state of your security architecture program and positioning it as the enabler of your security strategy, then let’s make it happen. If I can’t help, or you’re not ready, then we’ll know, and we’ll both be able to go about our business.
However, if I can help, then we just might be able to solve the problem together. To find out, you’ll need to use the button at the bottom of this link:
There’s no point adding any more bones to the pile if you don’t have to.
Andrew S. Townley
Archistry Chief Executive.