Archistry

Survivability by Design™ since 2006


May 31, 2020

Finding leverage as a small security team

While being a bit buried up to my eyeballs in going through some industry statistics and reports today (which is why this is significantly later than “usual”), I came across some indicators as to why you and your team might be struggling to keep up with everything that shows up in your inbox for a “security review.”

How many projects do you touch in a given year?

One of the statistics I saw – mostly relating to larger business projects – was that an organization like the ones we work with typically does an average of 100 projects a year. However, from speaking to many of you, I know that the number of projects the security team touches can be double or even 10x that many.

Now, I’d like you to think a minute about those projects and what you do with them. In many cases, you might be “behind the curve” and the projects come to you for a security approval as part of some bureaucratic, linear SDLC process that has security positioned as a stage gate.

If that’s the case, what do you do? What kinds of information do you have about the project?

Is it a spreadsheet or document, a questionnaire the project team needs to complete, filled with questions relating to our world but not really having much to do with the world of the customer?

Sometimes we do this to try and get that leverage I mentioned earlier, because, well, there are so many projects we touch. We’re often rather busy dealing with all the delinquent project remediations we’ve found, and, let’s face it, stakeholder engagement typically isn’t the strong suit of most security professionals.

So we put together these “security questionnaires” – and hey, we can even cite “best practice” recommendations for integrating security into our projects – but what do those questionnaires really tell us?

Do they give us the ability to truly identify and classify our projects as to where they sit in our world as security and what protection they require?

Are we able to focus on specific security policies, standards and controls they require so that we can highlight these to the relevant project teams as specific security requirements, so they can’t say, “We didn’t know about that,” or, “We didn’t think that applied to this project” when it comes time for that security review?

Because if you can, then that’s the leverage I’m talking about. And it’s the kind of thing every security team needs to find—not just for survival, but to actually be able to do the jobs we’ve been hired to do.

Putting this into a bit of perspective, a few other stats I found are relevant. One study indicated that about 25% of projects were going to either be delayed or have their scope reduced due to cybersecurity concerns. If this is even close to true, that’s about 25 business initiatives that have been delayed or stopped by security—and some of the outliers indicated it was much higher.

However, whatever the actual value of the statistic is – or what it is in your organization – it’s the sentiment that matters. This is really where the root of security being seen as the Business Prevention Department comes from, because if you’re one of those business or IT project managers…

…and you’ve been conditioned that 1 out of every 4 projects you run is going to be delayed, over budget and you’re going to have to explain on a weekly basis to the business project owner that yet another week has gone by when they can’t have their new toy…

…human psychology tells us that when they run the other 3, they’re going to consider themselves lucky.

Because we always remember and focus on the negative a whole lot more than we do the positive. It’s a human thing to do.

So as much as we might complain about the situation, point fingers and start justifying why it’s all their fault…

…we can’t let ourselves slip into that kind of adversarial “us” vs. “them” mindset. I know it happens, and this too is psychology. But we need to be stronger than that.

We need to be better than that.

Because at the end of the day, stopping or delaying projects doesn’t give us gold stars in the eyes of the organization for doing a good job.

It just gives us a black eye.

Now maybe the above doesn’t apply to you, and your organization is a well-oiled, agile and DevOps-ing delivery machine with fully integrated security, demonstrated alignment with the business strategy…

…and people stopping you in the hallways – or pulling you into a Zoom/Teams/Hangout – just to say thank you for keeping the organization safe…

…because they see the value you deliver every day.

And that’s fantastic.

Or…maybe at least some of what I mentioned above is stuff you’ve seen—or it’s stuff you live every day. And maybe…just maybe, you’re tired enough of working that way…with all the stress, the hassles and the waning excitement of the job you thought you wanted to do…

…that you’re ready to do something about it.

If you are, then maybe I can help. So, let’s talk about it. And if I can, we can start working on it as quickly as we can get things organized. But if I can’t, we’ll be able to figure it out pretty quickly on a brief call.

But we’ll never know if you don’t set it up. And you can do that simply by clicking this link, scrolling to the bottom of the page, and clicking the big yellow button.

https://securityleadershipcoaching.com

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile Security, Leverage, Statistics
