There’s one thing you can count on, and that’s wherever security doesn’t consistently do a good job, we’re going to get as close to the problem as we can, and we’re going to spend a lot of time and energy developing some new “industry best practice” in that area, and then we’re going to release it as a framework…
…because that’ll give us a good 12-24 months of roadmap items to put in our plan to make it look like we’re doing what we’re supposed to do.
Don’t get me wrong. I think frameworks are great—and, in principle, you can’t have too many of them.
If…and it’s a big IF…if there’s a clear way to make sure they’re normalized, connected and complementary rather than being what we typically see:
Repetitive, independent and overlapping.
My biggest current beef is with all the current grandstanding about Data Security Governance Frameworks. Oh, and I forgot one of the steps: “Give it a catchy acronym like DSGF.”
And, as usual, the leader in framework envy creation is the big G themselves, with the DSG Framework.
In the DSGF, there are…wait for it…5 layers of steps you need to do. And, with a few wiggles and niggles, they’re almost exactly aligned to the 5 core architecture layers of SABSA, with “the business” on the top and the infrastructure on the bottom.
So here’s the question: Would you rather wait for G, Big Blue, Captain Purple Pants or some other outfit – including government organizations – to tell you what to do…
…or would you rather learn to do the right thing so that you can take a couple of hours every time “the next BIG, task-specific framework” comes along and be able to prove to both your boss and “the business” (where required), that you were already there 6-18 months BEFORE the hype hit the hypermedia?
This is a life question, so there are no right or wrong answers to it. It’s simply one of many security decisions that you need to make in your role about how you’d like to do your job.
One thing I can say is that – to the best of my recollection – I have yet to see one of these kinds of framework-du-jour that wasn’t redundant if you already had a truly business-driven approach to your security program—not just architecture, but your whole program from strategy to operations, and all connected together.
From now until Friday the 13th of December, you have the chance to get in on the early-bird pricing for Building Effective Security Architectures that will show you how to create effective security architectures for your organization that will form the skeleton of your security program…
…and I’ll show you how to do it faster, more reliably and more repeatably…and dare I say it…almost automatically…based on the type of the problem you’re tasked to solve over 7 weeks of interactive learning starting on the 24th of February.
This program may not be for you for a variety of reasons. It’s expensive. It’s a lot of work. And you’re going to have to dovetail it into your normal workload—including a couple of hours each weekend.
But in those 7 weeks, you’ll be able to learn everything I’ve had to learn the hard way about building robust, business-driven security architectures – with or without SABSA – packaged in the easiest way I know: The Agile Security System™ and its 7 Principles, 14 Practices and 3 Baseline Perspectives™.
And if you act before the 13th (Friday), then you can save over $2,500 off the normal price to join the cohort. Maybe this will help you if you’re funding your own cybersecurity architecture education, or maybe it won’t because you don’t need the discount or your organization doesn’t invest in online training.
All I do know is that here’s the link to a 60% discount:
The next decision is yours.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive