I’ll never forget a question that stopped me dead in my tracks early on in my days teaching the official SABSA Foundation course:
“But, how are we supposed to figure out what the organization does?” a budding enterprise security architect piped up when we were going through the details of the How column.
And it was a great question. But it stopped me in my tracks because I’d never really had to explain to people precisely how to solve the problem behind the question before.
Right then and there, I had to improvise, because it was clear that he was taking a bit of a risk with his pride to ask the question in front of the rest of the class, and there was no way a dismissive, incomplete or pat answer would do the job.
It was one of those moments I knew I could potentially witness a massive epiphany…
…or I could screw the whole thing up, and miss the opportunity completely.
Now, in the world of SABSA, the default answer to that kind of question is invariably,
“You ask the business.”
This is totally and undeniably correct—especially if you want to build business-driven security architectures. The utmost authority on what matters most comes straight from the horse’s mouth, so to speak.
But there’s also a problem with this approach. Because, in fact, you have to earn the right to ask the business anything as security. That’s just the way it is.
The problem faced by this gentleman was a problem that’s faced by nearly everyone that’s never really had to understand the enterprise as a whole. This is actually the domain of true enterprise architecture, not the glorified, IT-centric view you generally find as applied in TOGAF-land, mind you. Which means…
…most people who find themselves trying to understand the business and how it actually operates are effectively…
It’s sort of the natural way of things, actually. I mean, after all, up to that point, anything anyone in IT knows about processes has been already carved off, chewed up and then poked down our throat like feeding hungry baby birds.
We see only one small glimpse of the wider world that is directly relevant to the solution we’re supporting, and that’s it.
Oh, sure…we might know the nature of the business we’re in, and, broadly speaking, that there’s a Finance, Sales, Marketing, R&D and whatever business functions. We get those from the org chart at the very least.
But…what the hell are they actually doing all day, every day?
With the acknowledgement that it is indeed sometimes hard to unequivocally answer that question…
…if we’re going to get in the ring with the “big boys and girls” that run the organization, we’re going to have to figure out enough about what we do…
…that we can at least start the conversation we’d like to have with a tiny grain of credibility.
Now the point that the process virgin was really making (and he was one of many over the years I taught the course), was that he honestly – hand on heart – had no idea how the business operated other than the drop-dead obvious stuff.
Stuff like the Finance department deals with the money and all the financial information…
And the Sales department has all these guys out running around in fancy cars trying to separate suckers from their money…
And the Marketing department just sits around all day making cardboard cut-outs of potential products they come up with in a drug-induced haze of inspiration.
You know…all those “facts” like that.
But if you want to turn the initial skeptical acceptance to an interview into a solid business relationship, you can’t play Sigmund Freud and ask them to lie back with a reassuring, “Now, tell me about your childhood…” kind of intro.
You need to start with that spark of credibility. And then you need to keep feeding it…through the whole interview…until it becomes a warm glow of confidence and trust.
And you do this by – and I’m purposefully sounding like a broken record here – you do that by following the first few practices of The Agile Security System™—BEFORE you even set a single finger to a keyboard asking for a meeting.
One of the resources you’ll use in particular when you’re trying to understand the nature of the WAY the organization does its business is something we’re going to talk about specifically in Lesson 11 of Module 2 of our Building Effective Security Architectures program, scheduled to take place the week of the 23rd of March.
That particular lesson is titled Methods of Execution, and it presents a guaranteed approach to enhance your credibility about the way the business actually operates and prepare you to expand your own understanding and knowledge…
…not only of HOW the organization operates day-to-day…
…but to also make some educated guesses (assumptions) about the information and data that might be pretty important for us to make sure we protect.
Now, unless you were at my COSAC talk several years ago – or you’ve confirmed your registration and participation in the next cohort of the program starting exactly 7 days from now, you’re not going to know what I’m talking about…
…or how to use it seamlessly with the rest of the core SABSA concepts we’ll be covering and in your own practical application of what you’ll learn in the program.
Maybe this matters, and maybe it doesn’t. Because, after all…maybe you’re no longer a process virgin yourself.
But if you want to know what I consider the best, single tool to help you solve this particular riddle, you need to scoot on over to this link and make sure you’ll be joining us:
Do you know – right now, today – exactly how you would solve this problem and prioritize your own security architecture efforts?
If you do, then cool. If you don’t, then maybe it’s a good idea to find a solution—even if you decide joining the cohort isn’t for you.
Tick tock. There’s only 5 days left to register and claim your spot.
But whatever you decide to do…
Andrew S. Townley
Archistry Chief Executive