Whether we actually realize it or not, it’s the security requests we get where we groan, roll our eyes and mentally say to ourselves, “here we go again…” that are some of the most soul destroying things we’re asked do. We get annoyed. We get short with our responses, and we might even be tempted to take a spin down Luser Lane, calling the people making the request all kinds of things that’re going to put us in the exact wrong frame of mind to enjoy doing the jobs we’ve chosen to do.
The reality is that we get asked the same questions all the time—at least I know I do. A common one if you have kids is: “What is there to eat?” Or, in a relationship, there’s the dreaded “when did you stop beating your wife type” of questions like: “Does my butt look too big in this?” Or maybe even something along the lines of, “Do we *really* have to spend Thanksgiving with your parents again this year?”
In many cases with questions like this, the person asking them already knows the answer. They’re just hoping to get a different one than they’re expecting—or maybe one they haven’t thought of.
From a cybersecurity perspective, there’s also the classic: “Are we safe?”
Far too often the exchanges between security and the business are almost like some of the conversations between parents and young children:
“Can I do _____?”
“Oh. Well can I do this?”
“Well, why not?”
…and here’s where, depending on your patience and the person you’re talking to, the answer can actually make or break the interaction—regardless if you’re speaking to a customer or one of your children.
If you go with the parental, “Because I said so,” or it’s security equivalent, “Because the policy says so,” then you’re setting yourself up for a bunch of resentment and unpredictability that you probably really don’t want to have to deal with.
In our world, that’s when the little “Shadow IT” devil pops out, sits on their shoulder and says, “Well, you could just do it anyway if you did _______.”
What we don’t often realize is that many of these questions – especially in an enterprise security context – are really variations on a theme. When we don’t recognize the commonality, what we’re asked to do is go out and “prove” why or why not a given, individual and specific project request does or doesn’t comply with policy (at worst) or to estimate the risk exposure and recommend potential controls and remediations the project needs to do (the more likely scenario).
And despite what many security vendors who make lots of money chasing vulnerabilities and threat reports would like you to believe, there really aren’t that many unique things that can happen from a security perspective—again, in an enterprise security context…and ESPECIALLY if you have standardized platforms, tools and technologies.
The solution to maintaining your sanity and affinity with your job is back to one of the mantras of The Agile Security System™: the only things we can really control are our activity (how we choose to spend our time) and our behavior (how we choose to respond to events in the outside world).
In this case, the choice we make every time we get one of these “busywork” requests for basically answering the same question over and over again is whether we’re actually willing to start from a blank sheet of paper every time—with the risk of potentially coming up with a different answer than we had last time…or not.
And the only “…or not” enabler is really to be able to reach into your kit bag and pull out the work you did last time and use it again so that at least you’re not feeling like you’re wasting your time or living on a hamster wheel.
The structure you choose to guide the way you work is directly related to how easily you can reuse it next time.
Of course, I’m talking about REAL security architecture in all 6 layers of glory and not infrastructure or controls architecture that tend to live only in maybe 1/3 of that—if you’re lucky.
Now, the question today is: are you confident you can build your own escape pod from the hamster wheel of boring, repetitive and error-prone security “busywork”?
If you are, then that’s great. In fact, I’d be interested in hearing more about how you’ve solved it, so please, feel free to reply to this email and tell me more if you’d like.
However…if you DON’T have a high degree of confidence you can really do work once…
…that not only allows YOU to pick it up and use it again when asked the same question for effectively the same solution architecture at someone’s favorite designated stage gate…
…but it also allows ANYONE ON YOUR TEAM to use it too—including the people building the solution architectures in the first place…
Then I do know something that will help, and you can join the cohort of fellow security architects and security leaders interested in learning how to build business-driven, reusable, and reliable security architectures starting on the 24th of February.
But only if you sign up here: https://archistry.com/besa
Andrew S. Townley
Archistry Chief Executive