I have to admit I have a lot of respect for Teddy Roosevelt and many of the things he did and said. In fact, I have his “arena” quote printed out and stuck to the wall above my desk.
One of his other famous quotes is this one:
“In any moment of decision, the best thing you can do is the right thing, the next thing is the wrong thing, and the worst thing you can do is nothing.”
And we’ve all lived this to one degree or another in our own lives. We get “analysis paralysis” and basically, the decision we didn’t make ends up 50 times bigger, angrier and bites us right in the arse, generally messing up our world.
Of course, had we followed Theodore’s advice, we would’ve done SOMETHING…even if it was wrong, and it would’ve meant that we didn’t ignore the problem.
So, we have ample evidence that shouting “Bully!” and charging off into the unknown is a better practice than sitting around on our backside waiting for the world to make our decisions for us.
There are certain times where there’s 100% overlap between “the right thing” and “doing nothing.” That means that the right thing IS doing nothing.
I’m sure you’re wondering how this can possibly be in something as complex, dynamic and uncertain as our lives as security professionals. I mean, there’s always new vulnerabilities…
…there’s always new projects
…there’s always new complaints from the business customers about not being able to access their favorite “entertainment”
So how do you get in to the “Been there, done that, have a drawer full of t-shirts” club?
Well…I’m sure it’ll be a huge…huge…like, really HUGE surprise to you when I say this, but the answer isn’t blowing in the wind.
The answer is architecture. And in particular, the answer is SABSA security architectures where you have your organization carved up into a useful domain framework, and that domain framework contains the specific mappings of all your attributes in your attribute profile to those domains and the way they enable the interdomain relationships to take place as expected.
If you have this…which isn’t exactly the same as falling out of bed after a heavy night in the pub…you get your very own Winning Architecture Club t-shirt that lets you very quickly use those same attributes and domains to classify the work that comes across your desk (or through your inbox) to separate the ones that are new and different…
…from the ones you did yesterday…or last week…or even last month
And you’ll also have the indicators you need to determine if anything significant has changed between then and now, so you can rightly give Teddy the two fingered salute, save yourself some time, and give instant gratification to the project managers and business customers who expected you to be the typical Security Crossing Guard with the big STOP sign.
Not today, mate. Not today.
If all this sounds good in theory, but you’re not really sure how to do it yourself, then what you need sitting on your desk is the towering tome of The Definitive Guide to The Agile Security System™ print edition. In it, you’ll find the essential steps to ensuring your entry into the Winning Architecture Club and allowing you to build SABSA security architectures focused on the essentials instead of getting tied in knots or feeling overwhelmed and unsure where to start.
To help, you’ll be given some essential tools to help you make decisions, some habits to make SABSA as automatic as drinking hot coffee without burning the piss out of our mouth or getting it down your front, and a set of reference domain models that allow you to position any problem or any problem somewhere in the world of your customer so you automatically understand the key relationships and interactions you need to ensure go as planned.
The thing is, that über reference and tutorial for security architecture success might still not see the top of your desk, because it might not actually be written. It may only exist in the unavailable back-issue of the August Security Sanity™ print newsletter that originally cost $97 and the 270 pages of the transcripts for the 7-week, fully interactive Building Effective Security Architectures with The Agile Security System online course which sells for about $5,000.
This book won’t be the same as the course or the newsletters to date, but it will include the core ideas, concepts and themes along with practical, hands-on, annotated worked examples of applying the system to build enterprise security architectures from an annual report, your existing security policies or a project charter.
And it’ll also tell you exactly how to integrate security architecture into your existing SDLC or Agile/DevOps delivery methods so that you can draw a straight line between the security configurations in your infrastructure as code to the business objectives they support.
If you want to make sure you get your copy, then you can pre-order it right now for $247 using this link:
After tomorrow at 11:59pm US/Eastern, if we’ve gotten the last few orders required to hit our target of 10 votes that the book is of value, then the price will go up by over $100 between November and mid-January when it’s expected to go to the printers. In January, it’ll sell for $497.
So… if you’re considering that it might help you work better, faster and more effectively in your current role, then now’s the best time to reserve your copy.
However, if you don’t think it’s of interest or will help you be a better architect or increase the overall performance of your security program, then that’s totally cool too. It’s not for everyone, and it does require you to actually read and apply what’s in it—including probably breaking some bad habits you might also have.
But the clock is ticking, and if you think it would help, it’s totally up to you whether you want to pay more later…or whether you want it at all.
Andrew S. Townley
Archistry Chief Executive
P.S. In case you’re new here, and you missed the list of what’s in it, here’s the highlights. If we go ahead, there will be a proper order page that has the full details, but until then, this is what you’ll get if you order by the 31st:
- How to get started with The Agile Security System from an annual report, a project charter or your organization’s existing security policies
- Exactly how to integrate architecture-driven security into Agile and DevOps delivery pipelines
- Detailed descriptions of the Principles, Practices and the Baseline Perspectives
- Building the right team to deliver Agile Security
- The essentials of Requirements Engineering
- The Agile Security Activity Triggers that will run your security program and architecture iterations
- How to use the system to ensure effective information and cyber risk governance
- The right way to conduct an architecture-based risk assessment
- Basic security modeling with the Archistry Security Modeling Language™ (ASML)
- And pages and pages of annotated and worked examples (by me) for each of the security architecture starting points mentioned above: the annual report, the project charter or the existing security policies
And there’s also 3 bonuses that you get which are over and above the content that’s in the book:
Bonus #1 is a fully-engineered set of SABSA attributes and domains extracted from the latest version of the CIS20 control library. You’ll get the coverage map of these controls in terms of the Baseline Perspectives, you’ll get a list of services, you’ll get a list of mechanisms, and you’ll see how this control set really aligns with the SABSA policy architecture layers and the architecture framework itself. It’s ready to pick up and integrate into your own efforts for those of you relying on this set of controls.
Bonus #2 is an additional set of 55 SABSA attributes that are part of the Archistry Execution Framework’s Reference Architecture. You get the definitions, their candidate mappings to the Baseline Perspectives and the attribute aggregation graph you can use as the starting point or as a comparison reference for your own organization’s set of unique attributes.
Bonus #3 is a set of ASML stencils for Visio, OmniGraffle and draw.io that you can use to standardize your security architecture models, including instances that correspond to the Baseline Perspectives, the 55 attributes of the AEF Reference Architecture, and the inter domain and security association relationships, risk events and attack vectors I’ve found useful in my own work.
P.P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com