With apologies to Bobby McFerrin, who’s, after all, a pretty amazing musician with a 5-octave vocal range, but it’s what we need to do.
We worry too much…and it gets in our way.
There’s a great quote by Guy Kawasaki from his book “The Art of the Start” that could be applied to improving your security architecture practice just as easily as anything else:
“The hardest thing about getting started, is getting started.”
Note I didn’t say “improving your security architecture knowledge”…
…I said “practice”…as in da skillz you use every day doing your part to deliver the mission and purpose of security: to enable your organization to deliver its mission, as quickly and safely as possible.
And, I’ll admit it straight up: getting started changing the way you do security architecture is pretty hard. There’s all kinds of people out there who seem determined to get in your way:
There’s “the boss” who somehow doesn’t manage to hire the additional people you need so you don’t have to clock 60-hour weeks…
There’s “the customer” who keeps on changing their mind about what they want, but, whatever it is, you can bet it’s going to be something that goes against at least half the existing security policies in the organization…
There’s “the developers” who just can’t seem to understand or read a security policy to save their life…or use any kind of software scanning tool…or figure out why writing SQL queries via string concatenation of unchecked user input is a bad thing to do…in 2019, no less…
There’s “the IT architects” who don’t know, and don’t care about security. They just want to deploy everything in the cloud, use containers and generally sit around dreaming about what it must be like to work at Netflix…or Twitter…or Facebook…
And, lest we forget…the “whomever they are” that decided that security should be just a stage gate, box-ticking function prior to releasing the product into the hands of the customers…
Yeah. There’s always “those guys” who make it seem like there’s nothing you can possibly do to change the organization, because, after all, you work for the man…
…who works for the woman…
…who works for the man…
…who works for the CIO…
…who doesn’t really understand that there’s more to security than the CIS Top 20 and buying that SIEM upgrade from the vendor who took him out to dinner last week.
I mean, wow. It’s a bitch, right?
There’s not a lot that you can do about them, and that’s a fact. You might be able to influence them, but you certainly can’t control them. You can’t make them do things, and you can’t make them change their “evil security ways” one little bit.
So what can you do?
What can you really control?
What do we even mean by control, anyway?
To control something is to be able to start and stop it at will. That’s it. And that gives us some pretty limited options in the situation we often find ourselves.
Because we’re actually in the thick of it, and we know what’s working and what isn’t. Many of us have had training…a LOT of training in some cases…but we somehow haven’t been able to put it into action.
Now, here’s where the scrappy part comes in, because I think the real problem faced by many of the people I speak with each week who want to be part of a more effective security program…
…who want to build real, business-driven security architectures that deliver value to the organization…
…are just stuck. They’re stuck, because they’re waiting for someone to give them permission to change things.
They’re stuck because they’re trying to figure out how to swallow a task the size of an elephant all in one go.
Are you really channeling your inner boa constrictor that much?
I hope not, because if you are, then there’s really not that much I can do to help you.
So, what I mean by being scrappy is to be…
…determined. No matter what anyone says, you’re committed to taking action to make your life easier, more comfortable and have less stress as you do your day-to-day job…
…argumentative. Despite what anyone says you can or can’t do, you’re going to take action to improve your own work product in a way that sets, not follows, the standard…
…pugnacious. You’re going to be ready and able to defend the changes you’re making to the way YOU work as being better—not just for you, but for the whole team, and ultimately, for the organization you’re striving to protect.
The only things you can really control are your activity, how you choose to spend your time, and your behavior, how you respond to events.
So that means that if you really want to do something different regarding how you do security architecture, it has to ultimately start with you, not some mandate from on high.
You need to develop a new set of practices, and you need to make those practices become habits.
But you need to know that you’re going to have the RIGHT habits, and not something that’s actually going to work against you, or that won’t give you the results you expect.
That’s where The Agile Security System™ comes in. It’s a set of 7 Principles, 14 Practices and 3 Baseline Perspectives of your organization that are proven by 14 years of working with customers to enhance their security architecture practice.
And, right now, you can be one of the first people to get it all spelled out for you. How to start. What it looks like. Worked examples of enterprise security architecture built from the top-down, from the middle out and from the bottom up…
…as part of my new book: The Definitive Guide to The Agile Security System.
It takes what I wrote about originally in the August issue of the Security Sanity™ newsletter, and it combines it with some of the topics from the rest of the newsletters along with key elements from our flagship, 7-week Building Effective Security Architectures with The Agile Security System training program…
…and it adds a bunch of new stuff, like how to get started using the system in “commando mode” so that you get the confidence and have the proof to build a wider business case for change…
…and it also provides 3 sets of in-depth, worked examples that I mentioned above that I’ve never given to anyone before.
And all for a lot less than the nearly $5,000 it takes for a seat in the training course or what it takes to work with me as part of our 1:1 coaching and leadership program.
But it’s still expensive…
…and it doesn’t exist yet. You’re going to have to wait until at least the middle of January to get your hands on it.
Between now and the end of the month, you can pre-order this book for about a 50% discount for what it will cost in January, and if you do, you can help make sure that it’s going to see the light of day. Because I need to get at least 10 orders of the book at the deeply discounted price of $247 to prove it’s worth doing.
If you’ve ever struggled to up your security architecture practice, or if you’ve tried to get started with SABSA and gotten stuck in the past, I can tell you that this book will give you the best, fastest and most effective way I’ve ever seen in 14 years of doing it to build effective security architectures.
But it’s up to you. It’s not for everyone. It’s expensive. It’ll be big…and it might not ever even be written.
However, if it’s for you, then here’s the link directly to the checkout, because there’s not even a proper sales page for it yet:
BTW, if you do order, and we don’t hit the target, I’ll make sure you get your money back in November. Otherwise, there’s no guarantees.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com