In today’s long list of emails was a link to an interview from RSA with Jeff Reed, Cisco’s CISO, talking about why complexity is a top challenge for CISOs. Those of you who remember some of my previous emails – especially those talking about the launch of The Agile Security System™ itself last July – may remember that this topic has come up more than a few times in the past.
I agree 100% with Jeff’s premise. However, when he goes to elaborate, the only kind of complexity he talks about is the complexity from having lots of security vendors and trying to manage them all. He calls this phenomenon “cyber fatigue,” and without a doubt, it’s a real thing.
However, given that Cisco’s a component vendor after all, it’s not surprising that he gets stuck on the lowest level of security architecture. It’s interesting, but it won’t take you very far.
If you’re trying to tame it by starting with, as I called it in the August 2019 newsletter:
“that pile of legacy spaghetti made up of not only the cables, but the code and the connections that use them. That Jabberwock of the enterprise. That Wyvern of the Intraweb. The Dark Place of the enterprise’s very soul.”
You’re starting at the wrong place.
Sure, that mess is, well…a mess…once you get too many vendors in the mix selling too many different types of controls generating too many alerts…
…but that’s a type of complexity that’s a symptom rather than a root cause.
The kind of complexity that gets you in trouble starts well before you approve a single PO. It starts with the way you think about what you’re trying to do.
If we actually realize the true scope of the danger of complexity in our enterprise, then we’re far too late. To actually make a difference and do something tangible about all that complexity, we have to root it out – wherever it may be – and attempt to tame it.
Violently.
That’s why Principle #5 of The Agile Security System explicitly gives advice about going toe to toe with this primordial evil. It exhorts you to “violently encapsulate complexity.”
Almost every single organization I’ve worked with failed to heed that advice, and the result is almost always…
…a lot more people than are actually required
…a lot more controls than are necessary
…and – far more importantly – a lot more cost across the board, in terms of time, energy and money.
It’s no wonder that burnout and the number of people leaving the industry are higher in security – especially cyber security – than they are in other similar disciplines.
But maybe that’s ok with you and your organization. Maybe you already have a plan to fight this ugly abomination on its home turf—and win.
Or maybe you don’t.
If you don’t, then this is one of the first things we do as part of the Effective Security Leadership coaching and mentoring program once we start working together. And it’s the very first thing we need to do, because until we get some kind of handle on the complexity in your world…
…there’s no way anyone can help you fix it—including even yourself.
To find out more about how the program works, and to request an opportunity to work with me directly to start transforming your security program so that it’s more effective, more aligned with the business, and does a much better job of keeping your organization safe than it does today, just visit the link below and schedule a screening call today.
No, there’s no “buy now” button, and I’m not going to do a hard sell on you. In fact, until we have a conversation, I have no idea at all whether anything I do can even help you right now.
But there’s only one way to find out.
Book your call here: https://securityleadershipcoaching.com
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive