One of the things I saw recently was a clip from the 2017 Royal Ascot race where a horse called Growl somehow unseated his jockey in the starting gate, yet he ended up running the whole race solo. It’s kind of an amusing story, and one that shows the power of constant training, repetition and building habits in helping us do what we need to do, no matter what might happen.
But what struck me about this was somewhat related to a conversation I had yesterday with someone about the discipline of security architecture. It was a good chat, but the conversation clearly confirmed that a lot of what I’ve been saying in these emails over the last year or so has been echoed far and wide by people other than the few hundred folks I’ve managed to speak with about it in that time.
The gist is: there’s not a whole lot of people who understand much about the real purpose of architecture and how to go about it successfully anyway, and, as an ofter under-represented subset of the “architecture” discipline, that means that there’s an awful lot of “security architects” that aren’t really sure about what they should be doing either.
And, unfortunately, a lot of the certification programs out there just reinforce all that’s bad about “architecture” because they focus on the details of the things being produced – or they get overloaded in the pompous pretentiousness of their “architecture development process” and forget that…
…just like training a racehorse to run a race…
…you can train anyone to execute the steps of the process.
But it’s a lot harder to train them how to think about what the process is supposed to accomplish.
The reality is that whether you’re paying attention to it or not, everything has an architecture—even your security program. And, as the leader of the cybersecurity function, the information security function, the IT security function or whatever it is your own organization chooses to put on the name badges you wear…
…you have a choice about architecture.
You can let it grow, wild and unfettered – kinda like the way kudzu has invaded, smothered and otherwise hogged out the sunlight, driving the other, more native species of plants in the state of Mississippi to near total disappearance…
…or, you can chose to focus on it, nurture it and care for it – like a Bonsai – in a way that ends up making something both beautiful, and, in this case, highly functional, in delivering the overall mission and purpose of security: to enable the organization to deliver its mission as quickly and safely as possible.
A nurtured and planned architecture is the most fundamental indicator of the overall success of your security program. It isn’t your cyber “health and hygiene”…it’s not playing cybersecurity bingo with maturity models and control libraries…and it’s not drinking the DevSecOps Kool-Aid so that you can kick arse, move fast and take names with your iteration after iteration of Misuse Scenarios, Threat Modeling card games and embedding security deeply into your infrastructure as code.
Do you need those things?
Probably. At least some of them.
But if you don’t have them organized into a coherent system designed to ultimately enable the business instead of endlessly looking over your shoulder trying to stay one step of the bad guys, then, I hate to tell you…
…but you’re playing the wrong game.
Today’s email was originally intended to talk about something else, but yesterday’s conversation has stuck in my mind.
We need more “real” security architects.
And by “real”, I don’t necessarily mean “certified,” although there are things out there like SABSA that try to help you become “real” architects—and get the piece of paper to prove it.
The thing is, *knowing* how to do architecture and not actually doing it is actually worse than being ignorant of it in the first place. In the case of ignorance, by definition, you don’t know any better.
However, in the case of abstinence, which is really what you’re doing if you “know” how to do real security architecture…
…and yet, for whatever reason that seems justifiable enough…
You’re not only selling yourself short. You’re actually being disingenuous to the rest of your security team. Because having the right architecture is one of the biggest ways you can help them do their jobs—from strategy to risk to operations.
Maybe you don’t know how, or maybe you don’t know how to get started. And if that’s the case…
…maybe I can help.
So, you can consider these 700+ words as a bit of both a warning and a PSA, because if you didn’t already manage to get your ducks in a row for the next round of the Building Effective Security Architectures program because of budget issues, management issues, procurement issues…
…or even procrastination issues…
…then I wanted to remind you that registration for the next cohort starting on the 6th of July is still open, and you can still save $1,000 off the normal registration fee.
That is, IF…which, I realize might be a pretty big “if”…
…if, you get those aforementioned approval and procurement ducks in a row before the 23rd of May. Because, there aren’t any invoices, there aren’t any POs, there aren’t any refunds, and, if you’re not paid in full prior to the program, those seats are going to go to someone else who can actually get their act together before a well-published deadline.
Or, they’re gonna be empty. And that’s totally fine with me too.
You either want to be a better security architect – or your boss wants you to be a better security architect – or you don’t. I’m not going to convince you of that. Nor would I even try.
My job is to help you decide whether you think that I’m the right person to help you—assuming you’ve already made the decision to get better.
Maybe I am, and maybe I’m not. To butcher the classic quote from Henry Ford, whatever answer you decide is going to be the right one for you.
If you want my help to get you there, there’s still space in the cohort. And you now have 23 days more before any hint, whiff or tangible and detectible trace of a discount for the 2020 BESA program disappears forever.
But you have to decide, and this here link isn’t going to click itself:
But, what I will say is that this is the last time I’m going to mention it for about 2 weeks, so I don’t want to have anyone coming to me at the last minute trying to “sneak in” past the deadline because they didn’t know the Pre-Registration period ended on the 23rd of May. If you need the next 2 weeks to organize the payment machine, then consider this your big, giant, glowing…
Do with it what you will.
Andrew S. Townley
Archistry Chief Executive