Said lots of people, possibly with a lot of certifications after their name—or at least a drawer full of “Certificates of Completion” from various courses and programs.
Back when I was talking about the 7 Deadly Sins of Security Architecture for the March issue of the Security Sanity™ print newsletter, one of the sins was greed, which, in terms of security is being a hoarder and a collector of things—whether they’re security controls for your organization or certifications for your CV. However, the thing about the “certification junkies” as I call them is that the odds of them actually doing enough with any of the material they had to learn to earn the certification…
…are somewhere between piss-poor and unbelievable.
I don’t have hard stats right now – mostly because I’m too lazy to look them up – but I’d say that there’s around 10-20% of the people I’ve spoken to who are SABSA certified that told me the only reason they got the certification was because they were trying to get a job that asked for it.
And then there’s the people who aren’t certification collectors, but who, under the best of intentions, do courses and get certifications because they generally want to improve themselves, their professional work habits and to help their organizations…
…only to find that either:
- what they’ve learned isn’t that easy to apply in the practical environment of the day-to-day work they do, or
- that they don’t know how to deal with the lack of support – and sometimes, downright hostility – from their colleagues and bosses when they do take the initiative to try and make things better.
There’s a 3rd camp of people who get certifications or make the effort to put them to work, but they don’t really understand the true power of what they learned, so they pick a few easy-to-remember surface elements, and then integrate those into what they already do, often forgetting that there’s a whole lot more they could be using.
And finally, there’s a 4th group. This group is the rarest: the ones who, either through sheer force of will and dedication or simply because they have a perfectly-sized gap in their knowledge, find that what they learn just slots in and rockets them to the next level. Eventually, all of what they learn becomes embedded so deeply into the way they think, they can’t even imagine a time when they looked at problems any other way.
So, the first group is like the wealthy, playboy businessman who buys one of the two, very rare Enzo Ferraris in blue-gray for a cool $3 million, and then parks it right next to their Bugatti Veyron and their Lamborghini Veneno Roadster, sitting among literally hundreds of multi-million dollar collector cars in a big warehouse, situated in the middle of nowhere, protected by 24×7 military security, and each wearing a thick, three-inch coating of dust because they’re never actually even looked at—never mind taken out and driven.
The second group is the guy who finally snags the Porsche 918, gets super excited to “see what she’s got”, and then nearly totals it by almost slamming it into a guardrail after it does 3 spins in the middle of a California freeway, only to park it, scared shiteless, and longingly imagine the “what ifs” of once again getting behind the wheel and learning how to actually drive it properly as he looks out the window at it sitting in the driveway every day—if he only knew where to start.
The third group is the guy who buys the McLaren 720s…and then just uses it to do the weekly grocery shopping, enjoying all the looks of admiration and jealousy from everyone else stuck in their Toyota Camrys with the child seats in the back and the windows full of fingerprints. Little do they realize, he never even figured out how to get it out of “valet mode.”
And the fourth group, well…they’re harder to classify. They could be the people who push themselves and their cars to the limit every weekend on the autocross circuits of the world, or they could decide they’re going to become wanna-be Stigs, setting up their own business built around getting paid to blast somebody else’s million-dollar babies around a track for the pleasure of their YouTube video audiences, or they might decide that there’s another, even more clever way that I haven’t thought of to integrate what they know into a new way of thinking about their life and what they do.
I don’t know where you might find yourself on this spectrum in relation to your security architecture skills, but I do know that – to my mind at least – it’s a crime to not get all the value out of something you’ve made the decision to invest your time, sweat and money in—even if it was someone else’s money getting you in the door in the first place.
As I said yesterday, the world needs more security architects. But what it really needs are more security architects who actually PRACTICE what they know instead of just understanding the theory and concepts of how to become a better security architect.
And this fact is the main reason that after 14 years applying SABSA in the dirty, gritty and highly-political organizational environments – probably not that different to yours – I finally sat down and figured out how to make being an effective security architect as easy as it could possibly be. Note, being an architect is the intersection of a lot of different disciplines, so getting there is never going to be easy…
…but what it doesn’t mean is that once you do get there, actually DOING THE JOB needs to be all that hard or complicated.
At the core, the 7 principles, 14 practices and 3 Baseline Perspectives™ of The Agile Security System are built for the sole purpose of allowing you to build effective security architectures from the core building blocks of SABSA: attributes, domains and the governance model. All the rest, all 20+ frameworks of the formal SABSA model are really just commentary and guidance for things you can – and should eventually do – with those core concepts.
But, because it’s potentially overwhelming, seems like a massive undertaking, and it’s easy to not be 100% sure where to start, a vast majority of people who have been formally trained – and even certified – on the single best, most complete and the only method with a sound, theoretical model that keeps the whole thing firmly stitched together – end up hardly ever getting to use it…
…if they ever manage to at all.
The 14 practices are simple things you do once you understand and have a very clear picture of where you need to go, that you can eventually turn into habits. And by making these practices into habits, you’ll then have a way to build security architectures that actually work—almost by accident…
…regardless if your organization officially adopts SABSA, has some mythical and magical level of maturity making them finally ready for security architecture, or, quite frankly…
…independently of anyone other than you giving you permission to do your job the best possible way you can.
But you won’t be able to do this if you don’t practice. That’s why I build the Building Effective Security Architectures program around the concept of a cohort. That’s a live group of people who have to complete the program together, in real time, with assignments every week. If you don’t do them, then you not only don’t get feedback on being able to develop these key architecture skills in a safe environment…
…you also let down your fellow security professionals, because then they can’t benefit from your knowledge and experience by giving them feedback on where you might’ve seen something they’re missing in their understanding of the material.
You also get access to all the worksheets and the transcripts of the program to make sure you can refer to these – and use them regularly – when you start to apply the system to your own work. However, what I’ve discovered from experience based on running the program for a couple of years now…
…sometimes even that’s not enough to give you the support and ready access to the materials you need right when and where you need them. Because, let’s face it, we’re all human. And if we have to drive 1hr each way, every day, just to go to the gym, we’re probably going to start out with the best intentions, and then after the first couple of weeks, we’ll find a bunch of legitimate reasons why we can’t do it today…
…but confidently assure ourselves that we’re certain we’ll make it up tomorrow.
As of today, I’m pleased to announce my latest attempt to make it as easy as possible to apply the principles, practices and perspectives of the system in your own work once you’re a paid member of the program:
A new mobile app that helps you find exactly the information you need – including the full course materials, should you prefer to consume them on your phone – when and where you need it. Can’t remember the important things you need to know when preparing for a stakeholder interview?
Just open the app, and a quick reference to help you focus and ask just the right questions is right there at your fingertips.
Can’t remember which elements are part of the Networks or Data domains in the Enterprise Baseline Perspective when you’re trying to decide the scope of a potential project?
Again, it’s right there, on your phone, just a few short centimeters from your keyboard and ready to help you quickly enough that you don’t lose the flow of your thinking trying to dig around to find a PDF.
Want to get a quick refresher on the 6 ways your business customers think about what they do while you’re planning out your next meeting sitting on the train – or even sitting on your own personal throne – then, hey, it’s 4 taps away—at most.
Now, maybe this doesn’t mean much to you, and maybe you don’t think this will make any difference to your own practice as a security architect. And maybe you’re not going to believe my own experience with using the pre-release version of the app for about a week now.
However, what I can say is that I built it as my own go-to quick reference so that when I’m doing my own work or when I’m working with our coaching and mentoring clients, I have the things I use the most – or the details of the things I remember, but which I don’t use quite as often – right there in the palm of my hand. And I’m finding it very useful.
But, you might not.
However, it’s just one more perk of joining the next cohort of the Building Effective Security Architectures program you’ll get—in addition to the live, weekly access to me, to the knowledge and experience of your peers, and the lifetime access to the course materials. But you won’t get it if you don’t register for the program before the next cohort kicks off the week after the July 4th weekend in the US.
To do that, you need to hop on over to this link ASAP:
And, if you register between now and midnight on the 23rd, just over 7 days from now, you’ll also get all the goodies, plus the practical skills you need to be an effective security architect, for $1,000 less than the regular registration fees.
All you need to do is decide whether you’re ready to be a better security architect than you are today…or not.
Are you ready?
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive