How much of your security control environment has been driven by, basically, “it seemed like there was a gap” or, “it seemed like a good idea” instead of being traceably linked to real business requirements?
Now, how many of those controls are the same ones that the user community complains the most about?
Hmmm… any correlation?
One of the things I learned going to school at the University of Missouri-Rolla (now Missouri Science & Technology or whatever) was that the Show Me State isn’t just something that’s written on the license plates. It’s kinda built into the psyche of people who live there.
As a farm boy from East-central Illinois, this was kinda a new attitude for me, but now that I’m doing security and seeing all the issues caused by massive disconnects between the business, IT, Risk and Security, I think maybe they were on to something.
For example:
Want to spend $5M on that fancy, AI-based SIEM that will solve all our threat and incident monitoring problems?
Show me why it’s the right place to spend $5M.
The thing is, you can improve the control environment. You can improve the processes. You can improve the documentation templates, and you can improve the individual skill levels in your team…
…but if you want to really have a chance of improving the overall effectiveness of your security program, it starts with security architecture. Because that’s the only thing that allows you to play to the “Show Me” card, and demonstrate the value of what you’re doing.
In many cases, it’s common sense, but when, as humans, have we really ever let that get in the way of doing the wrong things, over and over again and then wondering to ourselves why things aren’t quite working out just the way we want…
Want to get better, more consistent results with your risk assessments?
Want to get better, faster response to business needs?
Want to get more security budget more quickly?
It’s all about telling the story. It’s all about being prepared for the ‘Show Me’ mindset, and having the language and the skills to communicate what you’re doing in the terms your customers care about. It’s about providing compelling evidence and traceability from the lofty aspirations of the organization to the depths of the security plumbing your team wrangles every day.
How do you build those skills?
You apply the principles and practices of The Agile Security System™ over and over again until they become habits, so that your way of thinking about any problem that comes across your desk is consistent. You immediately see the implications and the solutions in terms of attributes and domains, and that gives you the leverage to be faster, better and more effective than you’ve ever been.
To pre-order the big, fat, print book that tells you how to do just that for $247, go here before the 31st of October:
You’ll get 50% off the price later, and you’ll be one of the first ones to get this tome of security architecture goodness—not to mention, ensuring it’s actually going to get written.
After the 31st (a mere 4 days from now), the pre-order price goes up by $100 until the middle of January when it’s targeted to ship.
Claim you can’t do proper architecture in the environment you have now?
Show me what’s stopping you.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. Are you stuck on some kind of security architecture, risk assessment or other issue that’s been driving you crazy? Do you want to get some quick advice that might help get things moving again? If you do, then I’d be happy to try and help. Book a one-off, problem solving session using this link: https://archistry.com/go/1pss.
P.P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com