May 18, 2020
Let’s get straight to the point: if you approach security with a “domain” mindset, then you’re never actually going to be successful in protecting your organization—nor will you ever, not in a million-billion years, be able to demonstrate you’re actually helping them get things done they want to do.
And, those quotes around “domain” were intentional, because there’s the dictionary definition of the world that applies for 99% of the people, and that’s this one:
“A specified sphere of activity or knowledge.”
Which sounds great, and it’s what (ISC)2 means when they talk about the 8 “domains” of the content of the CISSP certification…it’s what TOGAF means when it talks about “domain” architects…
…but it MUST NOT be what a practicing security architect talks about when they use the word domain. Because you know what else that definition describes?
The kind with walls built of “Oh, but I don’t need to understand how that works. It’s not part of my domain.”
The kind that make it easy to isolate ourselves and engage in narcissistic navel-gazing about how many exploits can dance on the header of a wayward TCP packet.
The kind that virtually GUARANTEES security will forever be consigned to the chains of the Policy Police, the Department of No, and the Institute of Business Prevention.
Because, if it ain’t in our “domain”, then why should we give a rat-faced phuck about it? Business people? Lusers. Business Models. Don’t care. Customer experience? Serves them right if they want to post pictures of their passwords and keycodes, geotagged to the exact location of where they’re supposed to be used “just so they don’t forget them.”
Maybe. However, scratch – even just the thinest molecule – of the surface of some hard-core security people, and they wear the “domain” boundary of Us vs. Them as a badge of honor.
It just doesn’t help. Because if we want to be successful in security, it doesn’t mean stopping every possible attack and applying every control on some “blessed” list of what Dr. InfoSec says is the right approach to ensure our servers are flossed and our networks are brushed every night before we go to bed.
Being successful in security is about keeping people safe…WHILE they’re trying to accomplish something that matters to THEM.
It doesn’t matter if we think it’s stupid, fluffy, irrelevant or even downright dangerous. We don’t get paid for our perspectives on the validity of our customers’ objectives.
What we get paid to do is keep them safe while they’re doing it—whatever IT happens to be.
And after 25 years of a varied and rather interesting professional career, I’ve seen hard evidence over and over again that proves the only hope we really have of keeping our security customers safe AND enabling them to be successful at the same time…
…is by creating a security program around a robust security architecture that is built to enable the business based on a rational, prioritized view of managing the risks that are most likely to keep them from getting it done.
But, unfortunately, that’s not what we tend to do. If we even use the words “security architecture” at all, we’re generally talking about only the slimmest sliver of what it really is—thinking that it’s the end-all, be-all definition that really doesn’t do much except collect a bunch of boxes and lines that nobody ever really uses other than to ensure payment milestones are promptly processed.
There’s more to it. There has to be, because, it’s clear from just trying to do our day-to-day jobs that what we’re doing just isn’t really good enough.
It’s not for lack of trying. It’s just we don’t see the real problems we need to solve that can potentially change everything about the overall effectiveness and the workload of our entire security team.
If you’re not happy doing what you’re doing, then I have something you might want to consider: joining the next cohort of Archistry’s flagship Building Effective Security Architectures hybrid online and live learning experience. Because what you’ll learn is the real perspective you should have on security architecture…
…how to deliver it in small, easy to communicate and value-laden chunks…
…all while using the widely-recognized, industry-leading SABSA methodology…
…by focusing on what’s really important…
…so you don’t get overwhelmed, lost, frustrated and end up effectively with a set of security blue balls because you just don’t know how to put it all into action so it actually delivers what it says on the tin.
If that’s you, the pre-registration period is now open until this Saturday, May 23rd at 11:59pm US/Eastern, giving you about 5 and a half days to get things in order so you can save $1,000 before the price goes up. To get in – and get the discount – get on over to this link, and get on the bus, Gus:
Because real security architecture doesn’t build itself. It needs a real security architect to step up, take charge and make it happen.
Maybe that security architect should be you.
Andrew S. Townley
Archistry Chief Executive