One movie that’s stuck with me since I was a kid was Johnny Dangerously. It’s so silly it’s still funny—especially the “C’mon shelf paper!” car chase scene…but that’s fodder for another email.
If you’ve seen the movie, you might remember that a critical point was when Vermin, the aptly named villain of the story, discovers that the new D.A. is the brother of his arch-rival, Johnny, who Vermin had framed for murder and is now in prison, awaiting execution.
Johnny’s girl Lil is the “inside ears” of Vermin’s gang, and overhears the plot to kill Johnny’s brother, so she sends word through the prison grape vine. The message is delivered, and after it passes through a few people in the line, the message that finally gets to Johnny is the subject of this email:
“Johnny and the Mothers are playin’ Stompin’ at the Savoy in Vermont tonight.”
Johnny sits bolt upright and says, “Vermin’s going to kill my brother at the Savoy theatre tonight.”
The guy delivering the message says, with a rather surprised look, “I didn’t say that…”
To which, Johnny replies, “No, but I know this grapevine.”
All this begs a rather pertinent question…
…do you “know your grapevine” when it comes to your security requirements?
Now, I’m not just talking about getting them from the ultimate customers, like we talked about in last month’s Security Sanity™ newsletter. I’m talking about the WHOLE grapevine from the ultimate customer of security down to the engineering and operations team who build, select, test, commission, operate and monitor the controls intended to keep the organization safe.
If your organization is like most of them, there’s a good chance that there are some mixed messages getting inserted along the way that aren’t properly descrambled at each step of the way. In fact, according to a research paper I read when I was planning the upcoming October issue on Requirements Engineering (RE), it’s one of the more common problems in RE—whether you’re doing traditional SDLC or Agile development.
There’s a number of reasons for this, including too many people between the security and dev teams and the real customers or the fact that either too little or too much precision is required at various points of the chain that aren’t realistic to the environment or the project being delivered.
So what we’re going to talk about in the October issue of the print newsletter is how you can do a better job of making sure your real customer requirements – which you know how to get from the September issue – actually get massaged, defined, validated and translated into an effective control environment for your organization and all your Agile/DevOps/Waterfall/Off-the-wall projects you’re expected to support.
Of course, we’ll be talking about some of the things you might already know about SABSA’s approach to doing this, but we’ll be talking about it in the context of The Agile Security System’s principles, practices and perspectives that give you an autobahn and an Austin Martin so you get there faster, easier and more stylishly than you might otherwise if you had to figure it out yourself.
Or maybe you already know everything I’m going to say, and you’re not going to get any value out of it. Them’s the joys of continual learning. Sometimes you know it, and that just confirms you’re on the right track, and sometimes it sparks a train of thought you’d never even considered.
Either way, the goal of every issue is to make sure you can take what you read and integrate it into your own practice immediately so you can do a better job delivering the mission and purpose of security: to enable the organization to do its bidness as quickly and safely as possible.
If you want in before the deadline, here’s the link:
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. And no, to some people who’ve asked about this. These emails are different than the print newsletter. It takes what I talk about here and makes it much more concrete so you don’t have to guess about how it really fits together. Sure, you can figure out out on your own – and lots of people just like you do that – but if you want the true inside scoop, then you’ll need to subscribe and visit your physical mailbox every month.
