Today, I indulged myself a little and took a break with the family since I spent almost all weekend pounding out the August newsletter. Now that it’s basically in the bag, I wanted to talk about something that I’d been beating around the bush about before, but even I wasn’t really quite aware of until I wrote about it on page 6.
We’re addicted to detail—not just in security, but in just about everything.
We just can’t get enough of it.
We’re detail junkies.
“Oh, you only have a list of 10 controls? My list has 10,000!”
“See, you have to put the *color* of the button you press to eject someone from the building in the Physical Security Policy, or we just won’t know what to do!”
“Want to know what security people do? Here’s 1,324 detailed job tasks for you to use to rate your team.”
And we eat it up.
It’s everywhere.
One of the first projects I was on when I moved to Ireland back in 2001 was for a start-up 3G operator in Portugal. And the head guy was named Carlos. He was a big, boisterous guy, and when he had one of his staff meetings, there was no question who was in charge. He ran the show.
But the thing about Carlos was he HATED getting lost in the details.
You know why?
Because when you get lost in the details, you can’t think. You get overwhelmed. You have absolutely no idea what’s important, because you see everything – all at once – and you’re afraid that if you change something, the whole apple cart will fall apart.
So when Carlos would see anyone getting lost trying to solve the whole world at once, he would, quite literally, shout:
“Stop! You MUST cut the elephant into PIECES!”
And he’s right.
All that bitching about paper security policies in the DevSecOps literature and the “Look, Ma! Policy as code!” posturing is actually trying to address the symptom, not the problem.
That problem is complexity.
And complexity comes when you can’t figure out what’s important.
And when you can’t figure out what’s important, it’s pretty damn hard to make ANY decision, let alone good ones.
That’s why I spend quite a number of words talking about complexity and how to tame it in your security program in the pages of this month’s issue.
I dare say, in my super biased opinion, that this newsletter is the most important thing I’ve ever written in my entire career.
For me at least, it will change the way I do everything, because lots and lots of little threads I’ve been working on thinking through over the last 10+ years have finally come together into a complete picture of how to make everything I’ve been doing, both building security programs and helping others do it too, crystal clear.
All because I was trying to write it all down…for YOU.
But don’t just take my word for it.
Head on over and make sure you get your own copy right now so you can figure out how to tame the complexity of your security program with some highly actionable and highly practical advice.
Cheers,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. Here’s something you can do if you liked today’s post: you can sign up for those daily emails that annoying pop-up keeps asking you about. Or, if you want to know more about what you’re going to get if you do and how it works, then just go knock on the front door: https://archistry.com and you’ll get the whole deal.
Or…you can just keep reading the blog, or ignore me and Archistry altogether. I’m good either way.