When it comes to security reports, we often tend to take a page out of the book of W.C. Fields:
“If you can’t dazzle them with brilliance, baffle them with bullshite.”
…at least that’s how a lot of them are received by their audience, anyway.
Of course, weeee don’t think they’re bullshite. They make perfect sense to us. They’re overflowing with facts, figures, event counts, and lots and lots…and LOTS of stats that, of course, can’t help but make blindingly obvious the brilliant contributions security makes – every day – to keep the organization safe and justify the hefty budgets we keep requesting.
Right?
Pretty-much without exception EVERY single customer and client I’ve worked with has struggled to create meaningful security reports. And the reason most cited is the classic “business/technology divide” or some variation that eventually boils down to, at some stage, someone finally flat-out saying in frustration:
“They just don’t get it.”
The problem is that, as you probably already understand, busy doesn’t mean effective. And, to our friends, business sponsors and other organizational countrymen (and countrywomen)…
…all we end up doing is just shouting, “Hey, look! We’re doing something, and we have all this data, and we have metrics, and this 2.3475 in cell B42 was 2.5473 last week. Isn’t that great?”
It’s all absolutely meaningless—at least to anyone but us.
Now SABSA gives us the whole performance management framework (PMF) and puts that together with the idea of the Attributes Taxonomy to give you the holy and much-revered Attributes Profile, or BAP if you’re into ‘60s Batman comic book sound effects.
And we tell you – in Foundation at least – that this is the solution to all your reporting woes. Because they’re attributes, they’re aligned with the business—and because they all have fully-engineered, 100%, Grade A, business-approved metrics, measurements and performance targets…
…you’ve got the whole thing sorted.
How-ev-ah…..
In the trenches of trying to make it all work, it’s hardly ever that straightforward. And I have rarely met a team that didn’t really struggle to come up with meaningful metrics and performance targets that weren’t absolute thresholds like “zero incidents” (which is a whole other book of emails as to why that’s a bad idea).
So, you have a tool. And you have a technique. And the two of them together give you some artifacts that should solve the problem.
But, alas, the practice of theory isn’t always as straightforward as the theory suggests—and, in this case, the root of the problem is a simple – but subtle – shift in the way you actually crate, capture and communicate those magical, mystical metrics to all and sundry.
And, because so many people often struggle with this, there’s a whole section on how to make this subtle shift that will have you face-palming when you discover what it really is…
…which together with a detailed understanding of how to apply the Baseline Perspectives™ of The Agile Security System™…
…will give you easy, reliable and repeatable recipes for any reports you’ll ever need to create.
It truly is that simple.
In fact, the reports will practically write themselves—if you know what you’re doing.
But…as I said, it’s a subtle thing that most people miss.
So, if you’re joining us for the next cohort of Building Effective Security Architectures next week, by the time we hit Lesson 3 in Module 3 in the next-to-the last of the 7 weeks we’ll spend together…
…you’ll have one more tool in the credibility-building toolbox that will lead to a whole lot more dazzling brilliance…
…and a veritable boatload LESS of bullshite to bury your baffled business colleagues.
Like the lottery, you can’t win if you don’t play—and, while it’s not impossible for you to figure this out on your own, it’ll be handed to you on a plate if you’re part of the cohort—along with a whole load of stuff that only people who’ve worked with me directly or previously taken the program know how to do.
So whether you choose to join us or not is a decision only you can make. But it’s one you need to make pretty quickly, because in just 36 hours from the time I send this email, it’ll be too late.
Here’s the link:
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
