
Archistry

exceptional performance since 2006


May 27, 2020

The horse called Architecture is gonna race, no matter what

Photo by Jeff Griffith on Unsplash

One of the things I saw recently was a clip from the 2017 Royal Ascot race where a horse called Growl somehow unseated his jockey in the starting gate, yet he ended up running the whole race solo. It’s kind of an amusing story, and one that shows the power of constant training, repetition and building habits in helping us do what we need to do, no matter what might happen.

But what struck me about this was somewhat related to a conversation I had yesterday with someone about the discipline of security architecture. It was a good chat, but the conversation clearly confirmed that a lot of what I’ve been saying in these emails over the last year or so has been echoed far and wide by people other than the few hundred folks I’ve managed to speak with about it in that time.

The gist is: there’s not a whole lot of people who understand much about the real purpose of architecture and how to go about it successfully anyway, and, as an often under-represented subset of the “architecture” discipline, that means that there’s an awful lot of “security architects” that aren’t really sure about what they should be doing either.

And, unfortunately, a lot of the certification programs out there just reinforce all that’s bad about “architecture” because they focus on the details of the things being produced – or they get overloaded in the pompous pretentiousness of their “architecture development process” and forget that…

…just like training a racehorse to run a race…

…you can train anyone to execute the steps of the process.

But it’s a lot harder to train them how to think about what the process is supposed to accomplish.

The reality is that whether you’re paying attention to it or not, everything has an architecture—even your security program. And, as the leader of the cybersecurity function, the information security function, the IT security function or whatever it is your own organization chooses to put on the name badges you wear…

…you have a choice about architecture.

You can let it grow, wild and unfettered – kinda like the way kudzu has invaded, smothered and otherwise hogged out the sunlight, driving the other, more native species of plants in the state of Mississippi to near total disappearance…

…or, you can choose to focus on it, nurture it and care for it – like a Bonsai – in a way that ends up making something both beautiful, and, in this case, highly functional, in delivering the overall mission and purpose of security: to enable the organization to deliver its mission as quickly and safely as possible.

A nurtured and planned architecture is the most fundamental indicator of the overall success of your security program. It isn’t your cyber “health and hygiene”…it’s not playing cybersecurity bingo with maturity models and control libraries…and it’s not drinking the DevSecOps Kool-Aid so that you can kick arse, move fast and take names with your iteration after iteration of Misuse Scenarios, Threat Modeling card games and embedding security deeply into your infrastructure as code.

Do you need those things?

Probably. At least some of them.

But if you don’t have them organized into a coherent system designed to ultimately enable the business instead of endlessly looking over your shoulder trying to stay one step ahead of the bad guys, then, I hate to tell you…

…but you’re playing the wrong game.

Today’s email was originally intended to talk about something else, but yesterday’s conversation has stuck in my mind.

We need more “real” security architects.

And by “real”, I don’t necessarily mean “certified,” although there are things out there like SABSA that try to help you become “real” architects—and get the piece of paper to prove it.

The thing is, *knowing* how to do architecture and not actually doing it is actually worse than being ignorant of it in the first place. In the case of ignorance, by definition, you don’t know any better.

However, in the case of abstinence, which is really what you’re doing if you “know” how to do real security architecture…

…and yet, for whatever reason that seems justifiable enough…

You don’t.

You’re not only selling yourself short. You’re actually being disingenuous to the rest of your security team. Because having the right architecture is one of the biggest ways you can help them do their jobs—from strategy to risk to operations.

Maybe you don’t know how, or maybe you don’t know how to get started. And if that’s the case…

…maybe I can help.

So, you can consider these 700+ words as a bit of both a warning and a PSA, because if you didn’t already manage to get your ducks in a row for the next round of the Building Effective Security Architectures program because of budget issues, management issues, procurement issues…

…or even procrastination issues…

…then I wanted to remind you that registration for the next cohort starting on the 6th of July is still open, and you can still save $1,000 off the normal registration fee.

That is, IF…which, I realize might be a pretty big “if”…

…if, you get those aforementioned approval and procurement ducks in a row before the 23rd of May. Because, there aren’t any invoices, there aren’t any POs, there aren’t any refunds, and, if you’re not paid in full prior to the program, those seats are going to go to someone else who can actually get their act together before a well-published deadline.

Or, they’re gonna be empty. And that’s totally fine with me too.

You either want to be a better security architect – or your boss wants you to be a better security architect – or you don’t. I’m not going to convince you of that. Nor would I even try.

My job is to help you decide whether you think that I’m the right person to help you—assuming you’ve already made the decision to get better.

Maybe I am, and maybe I’m not. To butcher the classic quote from Henry Ford, whatever answer you decide is going to be the right one for you.

If you want my help to get you there, there’s still space in the cohort. And you now have 23 days more before any hint, whiff or tangible and detectible trace of a discount for the 2020 BESA program disappears forever.

But you have to decide, and this here link isn’t going to click itself:

https://archistry.com/besa

But, what I will say is that this is the last time I’m going to mention it for about 2 weeks, so I don’t want to have anyone coming to me at the last minute trying to “sneak in” past the deadline because they didn’t know the Pre-Registration period ended on the 23rd of May. If you need the next 2 weeks to organize the payment machine, then consider this your big, giant, glowing…

RED FLARE.

Do with it what you will.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile Security, BESA, SABSA, Security Architecture
