…that needs to be taken behind the shed and shot D-E-D. Dead! And then cut up into 100 pieces and buried deep in the ground, much like the Blood Queen Nimue in the latest Hellboy—lest it comes back to lay waste to the entire planet…
…or at least to the organization you’re trying to protect.
Let me rewind a bit.
The other day, I was doing a bit of additional research for the upcoming book I’m officially launching in January next year, The Definitive Guide to The Agile Security System™. And one of the things I came across initially looked like one of those typical vendor-released, shock-inducing statistics:
“74% of CISOs don’t have a fully integrated security architecture.”
I always find statistics interesting, and especially ones about security architecture—for obvious reasons. Because in my experience talking to security leaders and CISOs, there’s just such a dramatic breadth of definitions as to security architecture out there, so when I’m asking about how confident they are in their security architecture, I never really know what kind of response I’m going to get.
But this myth – propagated by a security control vendor I’m not going to name – is probably one of the most deadly ones there possibly is. And it’s deadly because it allows the uninformed – or just really busy – CISO to get the impression that they’re actually OK when it comes to security architecture.
Old Socrates really did have it right when he said, “The beginning of wisdom is the definition of terms.”
So let’s go in search of the definition of the “security architecture” of whence they spake.
What we eventually find, digging through all their references to “architecture”, is that they actually mean “the architecture of the tooling that automates and manages your security control implementations within your infrastructure.”
Ok. Tech-nick-lee…they’re correct. They are talking about architecture, which is the carefully-designed structure of something.
However…
The “something” that they’re talking about, is the tooling that automates and directs your security control implementations. Meaning, it’s the architecture of a security tool…which, arguably, is just another control implementation itself…
…within what a SABSA-trained Enterprise Security Architect would call the real security architecture of the organization.
So the headline-inducing myth about security architecture is that it’s the architecture of A security control—or, at best, of some or all of your security control implementations and the way they are deployed, interconnect and work together.
And why is this bad?
Because that focuses on the bottom two architecture layers—the ones that are the furthest removed from the value our organizations actually create. At best, you’re talking about both Component and Physical, two of the five SABSA layers (Contextual, Conceptual, Logical, Physical and Component), so that means that you can play some statistical games all your own (which I can’t say won’t feature in future publications or marketing):
If 74% of CISOs don’t have a fully integrated security architecture, then 26% of them must have.
And if we’re giving them the benefit of the doubt, that means that only 26% of CISOs have only 40% of the security architecture they’re supposed to have—and they’re the “mature” ones, at least according to this survey.
That means even the most confident CISOs about their security architecture are missing 60% of what security architecture is all about.
Come to think of it…when you put it that way, it’s no wonder why so many security leaders struggle to justify the value of their security programs and the money they spend each year.
Sooooo…..
If you’re enlightened – or at least have an “I can see it from here” level of security architecture awareness – and would like to get some firsthand experience of delivering that 60% of missing security architecture you know your organization should really have…
…then get yourself immediately over to this statistic-enabling link:
Using it, you can register to be one of the 20 available members of the February cohort of our flagship online training program, Building Effective Security Architectures. In it, you’ll learn exactly what you need to know – and be able to practice the skills to deliver – a complete security architecture for any scope you require—as quickly, reliably and repeatably as I’ve ever been able to do in 14 years of SABSA practice.
Now, you might be forgiven for thinking this is a SABSA course—but it isn’t. Well, not really. Sure, you’ll learn how to build SABSA security architectures, but this isn’t for a certificate you can frame and put on your wall. This is for building real, in-the-trenches security architectures that can drive the security decisions in your organization.
If you register before the bewitching date of Friday the 13th of December, you’ll save a cool $2,500 OFF the full registration price, and you can use the money you save to go buy all the pens, tape and laminating you might want to use to actually build your version of The Architecture Wall™ (once we’ve covered that in Module 3, and you know how to do it).
But don’t dilly-dally. If you know what real security architecture is, and you’re still struggling to create it, this is the smallest investment you can make to be able to practice the skills you need in a safe environment under my watchful and learn-ed eye.
The price goes up on Friday.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive