Today, we have back-to-back school birthday parties for both of the youngsters. First it was for my daughter in the morning, and next, we’re going to one for our son. I guess some of the musical genes did pass through after all, because both of them love to sing when they’re in the car…and sometimes, they even manage to sing the same song.
The last couple of weeks, my son seems to have learned Little Bunny Foo Foo, and now his younger sister pretty much has all the words too. So after about 15 minutes of listening to the adventures of Bunny Foo Foo, it’s dawned on me that it’s probably not that far away from what I mentioned a couple of weeks ago in the “don’t click links” email:
(To the tune of…well, Bunny Foo Foo, of course!)
Silly business use-er,
Goin’ through your inbox,
Opening up your emails
and clickin’ all the links.
Down came the Security Fairy, and she said:
“Silly business use-er,
I don’t want to see you
Opening up your emails
and clickin’ all the links!
I’ll give you three chances,
And if you don’t behave,
I’ll take away your YouTube!”
But, the next day…
I spent a good few pages talking about the problems resulting from a lack of business alignment between what the organization does and what security spends the most of its time doing, and I know, this is not a new problem.
It cuts into our credibility, it means we have to work harder, and not being aligned means we’re doing multiple things in multiple security silos, not to mention in multiple areas of the organization, overloaded with “best practice” advice and frameworks that claim to keep you safe without defining what the details of doing that really are…
…or giving you adequate imperatives or the guidance to figure it out for yourself.
If you want to do security right, you have to have some unifying way to build a bridge between what the business is trying to do and what we’re doing as security. Now, you, as a reader of this list, probably know that the solution is an enterprise security architecture that drives tactical and operational security decisions—from DevOps delivery to operational options.
But the kicker is, we just don’t have very much luck getting it done, and if we do get the mandate, we get lost either hacking our way through the hundreds of security controls and policy paragraphs, or we try to bite off more than we can chew and create “the vision” of the WHOLE world, rather than the vision of the world from the perspective that’s most useful for the next days and weeks.
You see…we just don’t know how to create that architecture consistently, and we certainly struggle to “sell the value” of that architecture to the people who control our budgets of time and money.
If we don’t have the time, and we don’t have the money, we can’t find the energy to try and do it anyway—because it takes time, energy and…most importantly…experience to figure out how to do it right the first time…
…rather than making a lot of false starts and getting lost down a bunch of blind alleys.
This is exactly why it’s time for me to write The Definitive Guide to The Agile Security System™, a massive tome for security architects and for their functional heads, so that you not only understand what the end-game of architecture is supposed to deliver in a way you can justify to get it done…
…but you can also avoid your own 13 years of wandering in the Security Architecture wilderness trying to figure out how to do it quickly, effectively and consistently.
This book may never see the light of day, but that doesn’t mean it’s not the right time to write it.
And you, dear reader, can help decide whether it gets done or not.
It’s big, printed and expensive, and it’s going to take some work if you want to actually apply it. But it’s the easiest, simplest and most concise way to explain how to build SABSA-based security architectures that truly enable the business that I’ve been able to create after all this time doing, teaching and implementing it with customers around the world.
If you want one, here’s the link: https://archistry.com/go/dgpo.
If you don’t, then that’s cool. If you change your mind after the 31st, and the project does go ahead, the pre-order price of $247 will increase by at least $100 between then and the release, and once it ships sometime in January, the price will be $497.
Let’s stop building policies that make us the Evil Security Fairy, boppin’ our business users on the head for doing something “wrong” because we’re unable – or unwilling – to figure out how to keep them safe while they actually do what they need to do.
Whaddya say?
Are you up for the challenge?
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com