Today I was having a good chat with a friend of mine and fellow Enterprise Security Architect about what’s been going on in his world since we last spoke. Now my friend has been around the block more than a few times, has been a “real” architect for many years, and has 2 levels of SABSA certification that he’s now trying to apply to wrangle some formalization and structure to the security program of an organization that’s grown over the years by lots of major acquisitions and having well-entrenched technology cultures of what’s “right” and “how things are done here.”
No easy task to be sure.
Since it’s me, you might not be surprised to discover that domain modeling played large in the conversation. However, if you’re new around here, when I talk about “domains” and “domain modeling,” I’m talking about collecting things that share a common set of properties (that, not coincidentally will ultimately share a common set of risks based on the nature of those properties). That’s a more tempered version of the standard SABSA definition, but it’s the one I use.
What I’m NOT talking about is the way “domains” are typically used in other contexts, like the CISSP body of knowledge, where stuff like “Identity and Access Management” is a domain. Nor is it precisely the same as the way TOGAF uses the concept—even though there are certainly domains for Technology, Applications and Data included in the 23 standard domains defined in the Baseline Perspectives™ of The Agile Security System™.
Anyway…let’s just say for now that I dig domains, and park that for a moment.
So we were talking about some of the issues he’s had in trying to introduce some of the SABSA concepts and terminology into the brains of some of the security and technology folks in his shop, and…basically, it’s not gone well.
To use a Townley family expression, it’s been like trying to pour sand down a rat hole, it seems.
And a key problem seems to be that there are a number of experienced technology people across the development and security teams who have acquired the “architect” title due to tenure rather than training. In fact, I saw this myself back in my Informix days. It was often their answer to, “What the hell do we do with this senior developer dude that’s been here for 11 years that doesn’t want to be a manager?”
“I know. Let’s make him an architect! That’ll mean we can stick him in a different pay bracket without screwing up the mean salaries for all the other ‘junior’ people who’ve been here for 5 years or less.”
Eventually, we were talking about some philosophical differences between the way we see things and the way the rest of the “architects” approached the task of building architecture models.
Now, when I was a young kid going to school in the ‘70s in East-Central Illinois, the world was a bit different. And there happened to be a children’s book quite popular at the time that since has gone out of fashion in some circles because of the OTT PC approach to inclusion that’s evolved between now and then. So, if this offends you, I’m not going to apologize. I’m going to just ask you to take this at face value because it’s the message that’s important, not any imagined racial stereotypes.
The book was called The Five Chinese Brothers, and originally, it was published in 1938 as a retelling of a Chinese folk tale. Now, I probably don’t have to tell you any more for you to understand why some people have their knickers in a twist about it and think it should be “retired” from the canon of popular children’s literature…but I digress…
Without getting into the nitty-gritty of the story itself, each of the 5 brothers was identical, and each had a magical talent. The brother whose talent is relevant for today is the one who had the unique ability to swallow the ocean.
This chap had decided to put his talent to good use and became a fisherman. However, there was a problem. Unsurprisingly, if you’re swallowing the whole sea, and you’re otherwise an average human, there’s a limit to how long you’ll be able to do that before you have to get things back to normal.
I’d like for you to think for a minute about the world from a fisherman’s perspective. What matters?
Well, obviously, your goal is to catch the fish and sell them to someone so they give you money. And there are potentially a bunch of different kinds of fish with potentially different market values…
…and said fish are normally happily kicking back, living their lives, raising their kids and keeping up with the Kardashians…in the sea.
So basically, 3 core concepts. Fisherman. Fish. Sea.
That’s all that matters to the core business model of turning fish into rice, a happy family and a double-wide trailer.
Back to the story…
So one day, the brother who can swallow the sea enlists the help of a young boy so he can collect more fish. It’s a simple plan, really.
Step 1: Boy and man go to the beach.
Step 2: Man swallows sea.
Step 3: Boy collects fish.
But then…of course, you knew there’d be a “but theeeeennnnnn….” didn’t you?
The boy gets distracted from the plan, because once the man has swallowed the ocean, the boy sees…
ALL THIS OTHER, SUPER-COOL STUFF!!
Like shells…and shipwrecks…and coral…and empty beer cans…
…and basically whatever else you might imagine you’d find at the bottom of the sea if suddenly all the water were to be magically sucked up into some guy’s gullet.
So the boy sees all this other stuff, and he forgets what he’s really there to do. He’s running around picking up gold coins, shells, and all this other stuff he’s excited to tell his friends about…
…and he totally forgets Step 3 of the plan and the fish.
And he also happens to forget the part that the time clock starts ticking the moment the man swallows the sea, and when the countdown gets to zero, you’d better be ready.
He wasn’t.
He was off playing on the poop deck of a sunken pirate ship…waaaaaaaaayyyyyyyy out there, and far, far, far…FAR from the shore.
The man tries to signal the boy that he’s reaching the limit, but, well…you might imagine how well you’d be able to shout, “Hey Kid! Get your arse back here, will ya!!??!!”
…if you had the whole sea in your mouth.
So…eventually, he can’t hold it any longer, and he’s forced to let all of the water go back to where it belongs, and, tragically, the boy dies.
The story goes on, but we’re done from our part here, because the tale’s done told you what I wanted you to hear.
As soon as the water went away, those 3 simple concepts that were easy to understand got lost in a million other shiny-shinies you could now see (ha ha). It was, quite literally, a “kid in a candy store” kind of scenario.
And, while the very first practice of The Agile Security System tells you to “be curious,” as detail-loving, obsessive-compulsive as architects can be, it’s easy for us to get lost down the rabbit hole exploring Wonderland…
…when it’s critical we stay focused on the essentials so we don’t spook the horses (our security customers) by overwhelming them with all the details we know and want to use for justification that what we’re telling them has been highly researched, considered in detail and is the best recommendation we can make.
Those models by the “architects” in my friend’s company tend to look more like the bottom of the ocean after all the water’s been taken away…
…than what would actually be more useful to focus and structure the conversations you need to have with key stakeholders to make sure you create a shared understanding and vision of a way forward.
One of the key things you’ll learn if you’re part of the next run of Building Effective Security Architectures is how to apply SABSA domains, the 3 Baseline Perspectives, the 7 principles and the 14 practices of the Agile Security System to make sure that you – or your security customers – aren’t the little boy who drowned in the story.
You’ll learn how to make sure your message is focused, relevant, and doesn’t delay getting a definitive answer about what the right security solution should be to enable the business project to be delivered on time, and with the right amount of security required to keep both the organization and your ultimate customers as safe as you can.
However…you’ll only learn this…and be able to integrate it into a habit you don’t even have to worry about…
…if you’re part of the cohort kicking off on the 24th of February. Now that means that if you’re trying to go through some convoluted set of approval hoops to get authorization to attend the course from an education provider that’s not on the “approved” list of your procurement department, you’re potentially running out of time.
So I suggest you stay focused on how a simple, straightforward approach to wielding all of the promised power of SABSA will help make you a more effective security architect, and scoot on over to this link to register ASAP:
There’s a limited number of slots, and the closer we get to the deadline, the fewer of them are likely to be available. I’d really hate for you to have waited too long and miss it, but…
…if you do, you do. I’m not here to judge. I’m here to make you a better security architect. Whether you take advantage of that opportunity or not is a decision only you can make.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive