Archistry

Survivability by Design™ since 2006

  • Home
  • About
    • Who Is Andrew?
    • C2T System™
    • The Agile Security System™
  • Contact
You are here: Home / Archistry Daily / Confessions of a process virgin

February 24, 2020

Confessions of a process virgin

I’ll never forget a question that stopped me dead in my tracks early on in my days teaching the official SABSA Foundation course:

“But, how are we supposed to figure out what the organization does?” a budding enterprise security architect piped up when we were going through the details of the How column.

And it was a great question. But it stopped me in my tracks because I’d never really had to explain to people precisely how to solve the problem behind the question before.

Right then and there, I had to improvise, because it was clear that he was taking a bit of a risk with his pride to ask the question in front of the rest of the class, and there was no way a dismissive, incomplete or pat answer would do the job.

It was one of those moments I knew I could potentially witness a massive epiphany…

…or I could screw the whole thing up, and miss the opportunity completely.

Now, in the world of SABSA, the default answer to that kind of question is invariably,

“You ask the business.”

This is totally and undeniably correct—especially if you want to build business-driven security architectures. The utmost authority on what matters most comes straight from the horse’s mouth, so to speak.

But there’s also a problem with this approach. Because, in fact, you have to earn the right to ask the business anything as security. That’s just the way it is.

The problem faced by this gentleman was a problem that’s faced by nearly everyone that’s never really had to understand the enterprise as a whole. This is actually the domain of true enterprise architecture, not the glorified, IT-centric view you generally find as applied in TOGAF-land, mind you. Which means…

…most people who find themselves trying to understand the business and how it actually operates are effectively…

Process virgins.

It’s sort of the natural way of things, actually. I mean, after all, up to that point, anything anyone in IT knows about processes has been already carved off, chewed up and then poked down our throat like feeding hungry baby birds.

We see only one small glimpse of the wider world that is directly relevant to the solution we’re supporting, and that’s it.

Oh, sure…we might know the nature of the business we’re in, and, broadly speaking, that there’s a Finance, Sales, Marketing, R&D and whatever business functions. We get those from the org chart at the very least.

But…what the hell are they actually doing all day, every day?

With the acknowledgement that it is indeed sometimes hard to unequivocally answer that question…

…if we’re going to get in the ring with the “big boys and girls” that run the organization, we’re going to have to figure out enough about what we do…

…that we can at least start the conversation we’d like to have with a tiny grain of credibility.

Now the point that the process virgin was really making (and he was one of many over the years I taught the course), was that he honestly – hand on heart – had no idea how the business operated other than the drop-dead obvious stuff.

Stuff like the Finance department deals with the money and all the financial information…

And the Sales department has all these guys out running around in fancy cars trying to separate suckers from their money…

And the Marketing department just sits around all day making cardboard cut-outs of potential products they come up with in a drug-induced haze of inspiration.

You know…all those “facts” like that.

But if you want to turn the initial skeptical acceptance to an interview into a solid business relationship, you can’t play Sigmund Freud and ask them to lie back with a reassuring, “Now, tell me about your childhood…” kind of intro.

You need to start with that spark of credibility. And then you need to keep feeding it…through the whole interview…until it becomes a warm glow of confidence and trust.

And you do this by – and I’m purposefully sounding like a broken record here – you do that by following the first few practices of The Agile Security System™—BEFORE you even set a single finger to a keyboard asking for a meeting.

One of the resources you’ll use in particular when you’re trying to understand the nature of the WAY the organization does its business is something we’re going to talk about specifically in Lesson 11 of Module 2 of our Building Effective Security Architectures program, scheduled to take place the week of the 23rd of March.

That particular lesson is titled Methods of Execution, and it presents a guaranteed approach to enhance your credibility about the way the business actually operates and prepare you to expand your own understanding and knowledge…

…not only of HOW the organization operates day-to-day…

…but to also make some educated guesses (assumptions) about the information and data that might be pretty important for us to make sure we protect.

Now, unless you were at my COSAC talk several years ago – or you’ve confirmed your registration and participation in the next cohort of the program starting exactly 7 days from now, you’re not going to know what I’m talking about…

…or how to use it seamlessly with the rest of the core SABSA concepts we’ll be covering and in your own practical application of what you’ll learn in the program.

Maybe this matters, and maybe it doesn’t. Because, after all…maybe you’re no longer a process virgin yourself.

But if you want to know what I consider the best, single tool to help you solve this particular riddle, you need to scoot on over to this link and make sure you’ll be joining us:

https://archistry.com/besa

Do you know – right now, today – exactly how you would solve this problem and prioritize your own security architecture efforts?

If you do, then cool. If you don’t, then maybe it’s a good idea to find a solution—even if you decide joining the cohort isn’t for you.

Tick tock. There’s only 5 days left to register and claim your spot.

But whatever you decide to do…

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile Security, BESA, Business Processes, SABSA, Security Architecture

  • Email
  • LinkedIn
  • Twitter
  • YouTube

EMAIL NEWSLETTER

Want to get DAILY email tips on how to build a more effective security program so you can prove your security investments deliver value to the business?

You can always unsubscribe at any time, and we won't sell your data to third parties.

About Us

Archistry works with you to ensure what you want to achieve actually gets done, linking strategy, risk, governance and compliance to enable sustained exceptional performance Read More…

Testimonials

Andrew is a highly skilled and experienced information systems architect and consultant, which in my view is a rare thing. He is innovative in his thinking and merits the title of 'thought leader' in his specialist domains of knowledge—in particular the management of risk. Andrew has embraced SABSA as a framework and, in doing so, has been a significant contributor to extending the SABSA body of knowledge."

— John Sherwood, Chief SABSA Architect

"Fabulous person to work with. Very engaging and insightful. Extremely good technical knowledge with ability to relate concepts together and overcome differing opinions. Makes things work."

— Kevin Howe-Patterson, Chief Architect, Nortel - Wireless Data Services

"Andrew was able to bring clarity and great depth of knowledge to the table. His breadth of thinking and understanding of the business and technical issues along with a clear and effective communication style were of great benefit in moving the process forward towards a successful conclusion."

— Doug Reynolds, Product Manager, MobileAware

"Andrew is a fabulous consultant and presenter that you simply enjoy listening to, as he manages to develop highly sophisticated subjects in very understandable way. His experience is actually surprising and his thoughts leave you without considerable arguments for any doubts in the subjects he covers."

— Biljana Cerin, Director, Information Security and Compliance

Recent Posts

  • If you want better security, you’d better have a better security architecture
  • The ultimate security song to keep you focused on what you’re doing
  • Security heroes
  • There’s always a people problem
  • Putting your data flow diagrams out to pasture…for good

Looking for something else?

  • Home
  • About
  • Contact

  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Copyright © 2006-2025 Archistry Incorporated or its affiliates

"Archistry", the stained glass window logo, "Pragmantix" and the Pragmantix™ logo, "Archistry Execution Framework (AEF)", "Archistry Execution Framework, Cybersecurity Edition (ACS)", "The Agile Security System", "The Agile Business System", "Baseline Perspectives", "Architecture Wall", "Archistry Execution Engine", "Renegade Security", "Renegade Security System", "Security Value Delivery System (SVDS)" "Collapse-to-Traction", "Collapse-to-Traction System", "Adaptive Trust & Governance Model (ATGM)", and "Adaptive Trust & Governance Model for Organizations (ATGM4O)" are trademarks of Archistry Incorporated or its affiliates.