Archistry

Survivability by Design™ since 2006


December 16, 2019

A dangerous myth about security architecture

…that needs to be taken behind the shed and shot D-E-D. Dead! And then cut up into 100 pieces and buried deep in the ground, much like the Blood Queen Nimue in the latest Hellboy—lest it come back to lay waste to the entire planet…

…or at least to the organization you’re trying to protect.

Let me rewind a bit.

The other day, I was doing a bit of additional research for the upcoming book I’m officially launching in January next year, The Definitive Guide to The Agile Security System™. And one of the things I came across initially looked like one of those typical vendor-released, shock-inducing statistics:

“74% of CISOs don’t have a fully integrated security architecture.”

I always find statistics interesting, and especially ones about security architecture—for obvious reasons. Because in my experience talking to security leaders and CISOs, there’s just such a dramatic breadth of definitions as to security architecture out there, so when I’m asking about how confident they are in their security architecture, I never really know what kind of response I’m going to get.

But this myth – propagated by a security control vendor I’m not going to name – is probably one of the most deadly ones there possibly is. And it’s deadly because it allows the uninformed – or just really busy – CISO to get the impression that they’re actually OK when it comes to security architecture.

Old Socrates really did have it right when he said, “The beginning of wisdom is the definition of terms.”

So let’s go in search of the definition of the “security architecture” of whence they spake.

What we eventually find, digging through all their references to “architecture”, is that they actually mean “the architecture of the tooling that automates and manages your security control implementations within your infrastructure.”

Ok. Tech-nick-lee…they’re correct. They are talking about architecture, which is the carefully-designed structure of something.

However…

The “something” that they’re talking about, is the tooling that automates and directs your security control implementations. Meaning, it’s the architecture of a security tool…which, arguably, is just another control implementation itself…

…within what a SABSA-trained Enterprise Security Architect would call the real security architecture of the organization.

So the headline-inducing myth about security architecture is that it’s the architecture of A security control—or, at best, of some or all of your security control implementations and the way they are deployed, interconnect and work together.

And why is this bad?

Because that focuses on the bottom two of the five SABSA architecture layers (Contextual, Conceptual, Logical, Physical and Component)—the two that are the furthest removed from the value our organizations actually create. At best, you’re talking about both Component and Physical, which is two layers out of five, so that means you can play some statistical games all your own (which I can’t say won’t feature in future publications or marketing):

If 74% of CISOs don’t have a fully integrated security architecture, then 26% of them must have.

And if we’re giving them the benefit of the doubt, that means that only 26% of CISOs have only 40% of the security architecture they’re supposed to have—and they’re the “mature” ones, at least according to this survey.

That means even the most confident CISOs about their security architecture are missing 60% of what security architecture is all about.

Come to think of it…when you put it that way, it’s no wonder why so many security leaders struggle to justify the value of their security programs and the money they spend each year.

Sooooo…..

If you’re enlightened – or at least have an “I can see it from here” level of security architecture awareness – and would like to get some firsthand experience of delivering that 60% of missing security architecture you know your organization should really have…

…then get yourself immediately over to this statistic-enabling link:

https://archistry.com/besa

Using it, you can register to be one of the 20 available members of the February cohort of our flagship online training program, Building Effective Security Architectures. In it, you’ll learn exactly what you need to know – and be able to practice the skills to deliver – a complete security architecture for any scope you require—as quickly, reliably and repeatably as I’ve ever been able to do in 14 years of SABSA practice.

Now, you might be forgiven for thinking this is a SABSA course—but it isn’t. Well, not really. Sure, you’ll learn how to build SABSA security architectures, but this isn’t for a certificate you can frame and put on your wall. This is for building real, in-the-trenches security architectures that can drive the security decisions in your organization.

If you register before the bewitching date of Friday the 13th of December, you’ll save a cool $2,500 OFF the full registration price, and you can use the money you save to go buy all the pens, tape and laminating you might want to use to actually build your version of The Architecture Wall™ (once we’ve covered that in Module 3, and you know how to do it).

But don’t dilly-dally. If you know what real security architecture is, and you’re still struggling to create it, this is the smallest investment you can make to be able to practice the skills you need in a safe environment under my watchful and learn-ed eye.

The price goes up on Friday.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile Security, ESA, SABSA, Security Architecture

  • Copyright © 2006-2025 Archistry Incorporated or its affiliates
