No. I’m not talking about infrastructure, vendors or kit on the ground. I’m talking about the way you *think* about security in your organization.
There’s a reason CISOs and the security professionals that work for them are overwhelmed:
They’re in the trenches, fighting the bad guys, overwhelmed with the alerts flying at them like angry bullets, and occasionally get hit by the heavy artillery of a major breach backed by some nation-state-backed APT.
History has a story to tell us about this approach:
It’s a good way to die.
And that’s the thing about history summed up by the famous quote that goes:
“Those who don’t understand history are doomed to repeat it.”
Well, now…here we are.
You see, we hear a lot of talk about things like cyber warfare from a national perspective, and we certainly hear a lot of talk about security professionals “fighting the good fight” against wave after wave of attackers, so there’s no question this is an active combat zone.
But it’s not just between nation states. It’s a lot like those sci-fi thrillers where the trade guilds are fighting each other…
…there are pirates…
…and everyone’s a victim.
We all experience this every day to some degree.
But what are we trying to do about it?
Well, we have the right intention:
We try to get more visibility.
But where we’re getting it a bit wrong is not asking the question…
…visibility of what?
Most of the time, “threat discovery” and “security visibility” simply gives us more overwhelming detail. It’s not helping us…
…it’s just weighing us down even more.
Because the more we realize how many alien eggs have been planted around the place, oozing black stuff and ready to jump down our throats and explode out of our chest…
…the more overwhelmed, disheartened…and even downright panicked we become.
Even when we group them with some kind of fancy visualization tools, we’re still focusing on the details. We group by source…or type…or exploit…or whatever.
But that just gives us classes of threats and threat actors.
It’s interesting, and it’s useful for selecting your weapons and ammo for the tactical actions and hand-to-hand combat…
…but it doesn’t help you plan your strategy.
It just helps you plan how your people are going to end up dying.
Because, without a sound strategy…
…that’s exactly what they’ll keep doing.
However, unlike combat where the casualties are counted in lost lives…
…in our world, the casualties are counted in smoked servers, employee turnover due to stress and burnout and the number of compromised data records in a breach.
Which is exactly why we’re stuck doing basically the same thing over and over again.
Because, since people aren’t really dying from cyber – well, at least most of the time, but that’s changing now too – we’re not as motivated to change our approach.
We think it’s working.
We just need more resources.
We need new servers (and they’re easy to get, even instant at this point).
We need new, more secure data repositories (again, thousands of vendors, thousands of upgrades and patches, and new ones every day).
And we talk about all these open vacancies that we’re trying to fill by cranking out new recruits through cyber education, degrees and certifications (and they’re going to keep coming, because the salaries look good, and who doesn’t wanna be Neo).
But what if it was a draft instead of recruitment…and 57% of those drafted were actually going to end up dead instead of just “burnt out”, per current 2024 stats?
What if customers were the citizens of your enterprise nation, and they truly died when their data was breached or encrypted and disappeared off the world map, instead of it being just “a few hours of downtime” every year?
Would we insist on using the same tactics?
Would we insist on using the same thinking?
Or would we do what we’ve always done during our darkest hours, and pull people together to invent new approaches, new ways of thinking and new ways of seeing…
…so we could do the unexpected…the unprecedented…
…and actually stand a chance of turning the tide?
We can’t see that this is EXACTLY where we are in the world of security today.
We’re well and truly stuck in outdated thinking and trying to overcome it with modern tools.
And we can’t see what we can’t see…
…because we’re looking at the wrong things.
We see what we focus on, and right now, we’re focused on stopping the threats and the bad guys first…
…and protecting our organizations second.
We think they’re the same, but they’re not.
Trying to get rid of something you don’t want gives you a 50% chance of getting something you want even less.
And we’re getting that 50% less every single day.
So, how do we stop it?
How do we turn the tide?
And what does security architecture have to do with it, in a way you might not expect?
Because security architecture – when done at the right level – helps us see things we can’t see today…
…because it helps us focus on what’s important to the thing we’re trying to protect…
…so we understand how best to protect it.
As early as the US Civil War, aerial reconnaissance was used to get a better perspective on the battlefield so that commanders could make better decisions.
And whoever sees the most first…is the one who ends up winning.
So, does your security architecture help you better see your organization and what needs to be protected…
…or does your security architecture help you see all the weapons and defenses you’re using and the threats and bad guys you’re trying to use them on?
See the difference?
Do you see what you’re not seeing?
Once you can see your organization “from the air” you can start to understand where your real weak spots are—before someone else tells you.
It’s not just about identifying your attack surface.
It’s about understanding the implications of your attack surface and risk exposure.
And when you can do that…
…then you can finally stand a chance…
…because you can finally start thinking proactively…
…and your approach to your security strategy takes on an entirely different meaning.
So, if you’d like to turn the tables and learn to see the big picture of your organization so you can truly be proactive in your security…
…then I can help you do that.
And I can help you do it step by step, and in parallel with all the fighting in the trenches you’re currently doing…
…so that one day in the not too distant future, while the guns may not go completely silent…
…you’ll at least get to turn down the volume.
To get started, join me on the 12th of August for Secure by Design: Step-by-Step by registering using this link:
Because it’s not just about building and deploying more secure business software and customer solutions.
That’s just the beginning.
Because from the very first iteration you do…
…you’ll start to open your eyes – possibly for the first time – and understand the organization you’re trying to protect…
…in a whole new way.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive