Archistry

Survivability by Design™ since 2006


July 9, 2024

If you want better security, you’d better have a better security architecture

WWI Trench Warfare (Wikimedia Commons, Public Domain)

No. I’m not talking about infrastructure, vendors or kit on the ground. I’m talking about the way you *think* about security in your organization.

There’s a reason CISOs and the security professionals who work for them are overwhelmed:

They’re in the trenches, fighting the bad guys, overwhelmed with the alerts flying at them like angry bullets, and occasionally getting hit by the heavy artillery of a major breach by some nation-state-backed APT.

History has a story to tell us about this approach:

It’s a good way to die.

And that’s the thing about history summed up by the famous quote that goes:

“Those who don’t understand history are doomed to repeat it.”

Well, now…here we are.

You see, we hear a lot of talk about things like cyber warfare from a national perspective, and we certainly hear a lot of talk about security professionals “fighting the good fight” against wave after wave of attackers, so there’s no question this is an active combat zone.

But it’s not just between nation states. It’s a lot like those sci-fi thrillers where the trade guilds are fighting each other…

…there are pirates…

…and everyone’s a victim.

We all experience this every day to some degree.

But what are we trying to do about it?

Well, we have the right intention:

We try to get more visibility.

But where we’re getting it a bit wrong is not asking the question…

…visibility of what?

Most of the time, “threat discovery” and “security visibility” simply give us more overwhelming detail. It’s not helping us…

…it’s just weighing us down even more.

Because the more we realize how many alien eggs have been planted around the place, oozing black stuff and ready to jump down our throats and explode out of our chest…

…the more overwhelmed, disheartened…and even downright panicked we become.

Even when we group them with some kind of fancy visualization tools, we’re still focusing on the details. We group by source…or type…or exploit…or whatever.

But that just gives us classes of threats and threat actors.

It’s interesting, and it’s useful for selecting your weapons and ammo for the tactical actions and hand-to-hand combat…

…but it doesn’t help you plan your strategy.

It just helps you plan how your people are going to end up dying.

Because, without a sound strategy…

…that’s exactly what they’ll keep doing.

However, unlike combat where the casualties are counted in lost lives…

…in our world, the casualties are counted in smoked servers, employee turnover due to stress and burnout and the number of compromised data records in a breach.

Which is exactly why we’re stuck doing basically the same thing over and over again.

Because people aren’t really dying from cyber – well, at least most of the time, but that’s changing now too – we’re not as motivated to change our approach.

We think it’s working.

We just need more resources.

We need new servers (and they’re easy to get, even instant at this point).

We need new, more secure data repositories (again, thousands of vendors, thousands of upgrades and patches, and new ones every day).

And we talk about all these open vacancies that we’re trying to fill by cranking out new recruits through cyber education, degrees and certifications (and they’re going to keep coming, because the salaries look good, and who doesn’t wanna be Neo).

But what if it were a draft instead of recruitment…and 57% of those drafted were actually going to end up dead instead of just “burnt out,” as the current 2024 stats have it?

What if customers were the citizens of your enterprise nation, and they were truly dead when their data got breached or encrypted, and your nation was disappearing off the world map instead of just suffering “a few hours of downtime” every year?

Would we insist on using the same tactics?

Would we insist on using the same thinking?

Or would we do what we’ve always done during our darkest hours, and pull people together to invent new approaches, new ways of thinking and new ways of seeing…

…so we could do the unexpected…the unprecedented…

…and actually stand a chance of turning the tide?

We can’t see that this is EXACTLY where we are in the world of security today.

We’re well and truly stuck in outdated thinking and trying to overcome it with modern tools.

And we can’t see what we can’t see…

…because we’re looking at the wrong things.

We see what we focus on, and right now, we’re focused on stopping the threats and the bad guys first…

…and protecting our organizations second.

We think they’re the same, but they’re not.

Trying to get rid of something you don’t want gives you a 50% chance of getting something you want even less.

And we’re getting that something we want even less every single day.

So, how do we stop it?

How do we turn the tide?

And what does security architecture have to do with it, beyond what you might think?

Because security architecture – when done at the right level – helps us see things we can’t see today…

…because it helps us focus on what’s important to the thing we’re trying to protect…

…so we understand how best to protect it.

As early as the US Civil War, aerial reconnaissance was used to get a better perspective on the battlefield so that commanders could make better decisions.

And whoever sees the most, first…is the one who ends up winning.

So, does your security architecture help you better see your organization and what needs to be protected…

…or does your security architecture help you see all the weapons and defenses you’re using and the threats and bad guys you’re trying to use them on?

See the difference?

Do you see what you’re not seeing?

Once you can see your organization “from the air” you can start to understand where your real weak spots are—before someone else tells you.

It’s not just about identifying your attack surface.

It’s about understanding the implications of your attack surface and risk exposure.

And when you can do that…

…then you can finally stand a chance…

…because you can finally start thinking proactively…

…and your approach to your security strategy takes on an entirely different meaning.

So, if you’d like to turn the tables and learn to see the big picture of your organization so you can truly be proactive in your security…

…then I can help you do that.

And I can help you do it step by step, and in parallel with all the fighting in the trenches you’re currently doing…

…so that one day in the not too distant future, while the guns may not go completely silent…

…you’ll at least get to turn down the volume.

To get started, join me on the 12th of August for Secure by Design: Step-by-Step by registering using this link:

https://archistry.com/sbd

Because it’s not just about building and deploying more secure business software and customer solutions.

That’s just the beginning.

Because from the very first iteration you do…

…you’ll start to open your eyes – possibly for the first time – and understand the organization you’re trying to protect…

…in a whole new way.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Enterprise Secure by Design, SbD, Secure by Design, Security Architecture, Warfare, WWI
