Do you really want to become a world-class security leader or security architect, or do you want to set a different target? Because remember…“great” is often the enemy of “good enough.”
We’ve all heard the magic 10,000 hour figure before. Malcom Gladwell popularized it in the book Outliers, and then you hear it in songs, you read about it on blog posts…
…it’s everywhere. And you’d be forgiven to think that that’s how long it takes to be able to do something.
But it isn’t. That was the amount of time the (somewhat) limited and selective research said it takes someone to be world-class.
Being world-class in something means being among the best or foremost IN THE WORLD. Like Olympic athletes…like the top professional athletes in any sport…like Bruce Lee…like Jeff Bezos, Bill Gates and Warren Buffett.
And yet, that’s the targets we set when we’re trying to make improvements in what we’re doing. We think we need to be able to make the jump between where we are today and the best of the world based on all kinds of nonsense like the notion of the overnight success.
The reality is, that just doesn’t happen.
None of those people achieved what they achieved without a lot of work, and there’s just no shortcuts to doing that work.
The difference comes from what work you do in what order and deciding what’s enough of a stretch to make sure that you don’t break Peter Senge’s “rubber band” metaphor for describing the concept of creative tension:
“Imagine a rubber band stretched between your vision and current reality. When stretched, the rubber band creates tension, representing the tension between vision and current reality. What does tension seek? Resolution or release. There are only two possible ways for the tension to resolve itself: pull reality toward the vision or pull the vision toward reality. Which occurs will depend on whether we hold steady to the vision.”
Now, as security leaders and security architects, we all have a vision of where we’d like to be. We have several clear things we’d like to accomplish, and we see several obstacles in our way in order to get from where we are to where we want to be.
And I know that because you’re on this list, you might have some interest in security architecture as a way of improving the effectiveness of your security program.
But there’s a gap…that tension between where you are right now and where you want to be. And I also know, because out of the conversations with talking to you and your peers directly, that many times…
…many more times than we’d like or care to admit…
…we end up pulling the vision closer to our current reality than we do moving our reality towards our vision.
Hell, I know I do. And I know how frustrating and annoying it feels.
The question I’d like you to consider today is where on the spectrum of skill and competency is your vision for your ability to create security architectures and build an effective security program?
Is it trying to be “world class”, one of the best in the world, or do you have some kind of target that’s a stretch, but which doesn’t seem impossible?
Do you really need to get there all in one go?
What are the milestones of value you can define that will change your life on a day-to-day basis in terms of how easy it is to do your job…to build and deliver security artifacts…to influence the security practices of your organization?
How can you break it down?
These aren’t easy questions to answer. And, specifically in terms of applying SABSA to the problem of building security architectures, I went through my own rather lengthy process of trial and error and “hit and miss” success to try and figure out the answers to:
What was actionable and practical vs. what was aspirational and theoretical?
14 years is how long it took me to figure that out, and I had the benefit of first-hand mentoring from John, David and many other bright people, and I also had the opportunity to practice in a bunch of different environments, like different types of organizations in different countries in different industries.
Most people don’t have that opportunity, and, as we know, most people don’t have that time.
And one of the things you’ll notice when you look into “learning hacks” or stuff like “learning how to speak a language in 7 days” or even Josh Kaufman’s TEDx talk on the first 20 hours, what you see is that one of the cornerstones of success to doing something new – or even doing something better – is the following:
You have to set appropriate targets that motivate you, but don’t crush your resolve,
And you have to deconstruct the skill you want to learn so you don’t get overwhelmed and you are more efficient in your practice.
In other words, you have to cut the elephant into pieces, as my old customer Carlos from Lisbon would say.
And that’s exactly what’s behind the approach I’m finally writing down in detail in the Definitive Guide to The Agile Security System. It’s distilling the complexity of building business-driven security architecture down into 7 principles that guide your activity and behavior and 14 key practices that you need to learn to the point where they become habits.
Once you have these, and you have consistent views of your organization provided by the 3 Baseline Perspectives, a set of SABSA domains and their relationships that describe every organization I’ve ever seen…
You have all of the essentials of building effective security architectures already distilled for you. You don’t have to go through the hit and miss pain yourself. You just need to figure out where and how you’re going to practice them in your day-to-day work.
I don’t care if it’s doing a security architecture review…
…or building or updating a cybersecurity policy
…or documenting the organization risk ownership for information and cybersecurity
…or setting the strategy for your cybersecurity program
…or communicating the effectiveness of your controls to the Executive Leadership team and the Board
…or performing information and cybersecurity risk assessments at various levels of detail
…or translating security policy guidance into infrastructure as code for your DevOps CI/CD pipeline
…or building the right security metrics to monitor and report
…or defining the right way to prove your security program enables the business
…or trying to “sell” an enterprise security architecture program to the business
…or simply building an initial enterprise security architecture without getting lost and overwhelmed
All these things require you to start from the same 7 principles, 14 practices and 3 views of your organization—you just might not realize it yet.
That’s where the book comes in, and if you want to understand how you can avoid the “big bang” temptation and ultimate failure – including the resulting dent in your credibility with the organization – it will give you the right tools to build your architecture practice and your security program.
Until now, the closest you could get to what’s in the book was paying almost $5,000 for a seat in our flagship online training program, Building Effective Security Architectures with The Agile Security System™, but with the book, you get even more, because you get a set of annotated examples that I’ve never shared anywhere before.
You can pre-order this book today for $247, which I know is expensive—especially depending on where you live. However, because it’s not written yet, it’s the cheapest way you’re ever going to get the hands-on, practical guidance AND detailed, worked examples of applying it, with all the models and the diagrams, and the catalogs and the worksheets.
Because after the 31st, the price will go up, and when the book does ship in January, it’ll cost about 2x more than it does right now.
And, assuming that I hit my target of 10 pre-orders by the end of the month, the price is going to go up by at least $100 for the preorders between November 1st and January.
But it might not get written if there’s not enough interest in it.
I mean, maybe this isn’t something you want to know. Maybe you’re happy with your success rate in applying SABSA and building security architectures that connect business strategy to security strategy and enable security operational decisions during incident and threat response.
Oh…and it’s only going to be available as a printed book, delivered to your door.
Maybe you don’t want to change what you’re doing or how you’re doing it today. And that’s fine by me.
Only you can make that call.
If you want to help make sure the book gets written and get one of the first ones off the press, go here today and make it happen:
You’re running out of time for the 50% discount and to have the option of deciding whether the book’s even worth writing at all.
Andrew S. Townley
Archistry Chief Executive
P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com