May 17, 2020 Email
Did you know that the top two investment drivers for cybersecurity right now are still regulatory compliance and reducing incidents and breaches? Maybe you did. And, it shouldn’t really be too surprising, I guess. I mean, far too much of the work we do as security professionals is still way too threat-based and reactive to ever reach the point where we can feel truly confident that we aren’t going to end up in the headlines of the morning papers.
Back many years ago when I thought I was going to become a full-time trad musician and was trying to get my head around contracts and licensing agreements, I read something that’s stuck with me ever since. What it said was that every contract you read tells a story. And that story lays out every single thing the organization got wrong in dealing with its suppliers and customers.
Got screwed on payment terms? That’ll never happen again. Just look at Paragraph 11.
Left at the altar with no product on the stated delivery date? Got that covered too. See those delivery penalties in Paragraph 23?
Fluffed the sign-off and acceptance criteria? Not this time, Mister! See Paragraphs 6, 19 and 24.
The funny thing is that it’s also kinda how the horse-trading works for passing new legislation and regulatory requirements. If you’ve ever taken the time to read them, it’s pretty obvious that they’re 80+% focused on the specific things you MUST or MUST NOT do to be compliant with the law.
And in our world, we call those sorts of directives controls, don’t we?
So, if we’re given a passel of new paperwork every time we turn around – which is a fact we’re just going to have to live with – we have two choices. Option 1 is to focus on the controls and explicit statements to drive our activity and behavior. And option 2 is to spend some time figuring out what the right thing to do is so that we can align them a bit with what we’re already doing, and, where required, augment and expand our descriptions of where we’re already doing the right things—not because some lawyer and politician says so, but because it’s actually in the interest of our organization to be able to breathe clearly, so we can run down the field towards our objectives…
…rather than being forced to hobble along on one leg, a crutch that’s too short, and wearing two left shoes—just because that’s what someone thought was the right way to prevent Jimmy from getting his neighbor’s phone number.
Am I suggesting we don’t need to be compliant?
Of course not.
Am I suggesting that it’s possible to reason with a career politician with an agenda and a taste for keeping their current seat?
However, I do think that it’s probably a good idea to go back and take a page or two out of the legendary Sun Tzu’s classic tome, The Art of War:
“If you do not know yourself or your opponent, then you will be in mortal danger every step you take.”
Note that that’s not one of the fluffy, flowery translations. It’s the one from D.E. Tarver focused on getting the point across in plain English. And that practical advice in plain English begs a question:
How well do we know ourselves, meaning our security team, our security capabilities and what exactly it is that we’re trying to protect?
And how well do we really know our opponents?
If we look at those security program investment drivers, I’m gonna guess that the answer to both those questions is:
Not so well, actually.
From talking to fellow professionals – especially those security architects and security program leaders in Europe following the introduction of GDPR – most of the money spent on compliance…
…was focused on figuring out what the hell they had, where the hell it was, and, what the hell the people in the organization were currently doing with it so they could find ways to triage the biggest issues to avoid the threats of those hefty fines.
And, from talking to people across the globe doing “normal” security stuff, the general approach to reducing the incidents and breaches is deploying more people and more kit to detect and squash the initial events before they can mushroom into a nuclear cloud of data breach fall-out blowing around the press rooms of the world’s newspapers.
Meaning, we’re chasing threats and deploying controls to counter those threats—faster and more furiously than Dom Toretto drives his 1970 refurbished Dodge Charger through the streets of…well, anywhere he damn well pleases.
Because we’re under constant, relentless attacks by the bad guys who shape-shift and morph at will, even the best threat intelligence is going to have gaps. But the good news is that whatever they may get up to, if we’re clever, there’s only a pretty small number of ways they can actually succeed. But we’re not going to know where that’s really likely going to happen with the most overall negative impact…
…if we don’t actually know ourselves first. Because, back to Mr. Tzu:
If you “know the opponent and know yourself, you will not see defeat even in a hundred conflicts.”
So it seems to me, the biggest issue we actually face as a modern security program isn’t the bad guys. They’re basically all after the same things, and there’s only a finite number of ways they can win. It’s only the tenacity and the tactics they use to achieve those fundamental objectives that are going to vary depending on the flag they fly or the jersey they wear. We’re just getting lost in the noise—and playing nicely into their hands at that, because they know Tzu better than we often do.
And yet we think we can “know ourselves” through red team exercises, pen testing, automated asset inventory management and internal vulnerability scans well enough to win those hundred conflicts.
At best, all we can know trying to do things that way is exactly what the bad guys might find if we give them a chance to ninja themselves in through the cracks (or walk brazenly through the front door, as the case may be). But that’s just playing the party version of the blind men and the elephant.
Oh, and by the way…bring your face shield and wear your mask and gloves, because we’ve no idea what the old boy’s been snuffling before he proves to you that the wiggly end isn’t really a snake after all.
There’s really only one way to know ourselves, and to know ourselves well enough to win one, ten, a hundred or even a hundred, million, thousand, thousand conflicts, er…a lot of conflicts. A great many conflicts. More conflicts than anyone in the history of conflicts has ever won before…
…and that way is through architecture. Security architecture. Shaken, stirred, tumbled, tousled and teased while wearing the very slick, and very blue, custom cloth of a Tom Ford suit.
Because that’s the job of security architecture. To paint the picture of the organization, the way it is, and the way it needs to be, so that it’s protected as it goes about the business of being in business.
But that’s also where we fall short, for many reasons, including time, priorities, and the general lack of understanding of what security architecture really is, why it’s important and how to actually build it.
Right now, I can’t help you with the first two. But I can help you with the last one, because that’s exactly the core problem we spend a good bit of time covering during the 7 weeks of the Building Effective Security Architectures program we’re about to run in a special “encore” cohort starting on the 6th of July.
And we don’t just sit back, sip our martini and dryly explain it to you if you’re one of those plucky members of the cohort. Not a chance. We explain it, then we show you…
…and then you practice it. And practice it again.
So you can viscerally experience the reasons and reap the benefits of a proper, business-driven security architecture in a nice, safe and cozy environment, without your job being on the line or your business customers breathing down your neck because you only managed to even see their project 6 weeks after it was supposed to go live in the first place.
The real reason we need to know ourselves is so that we can actually apply those controls, in the right places, in the right way and at the right time…
…so that it doesn’t really matter when the politicians pontificate anew…
…or the latest, greatest, biggest and baddest of the digital denizens pummel our perimeters (cuz there ain’t just one no more)…
…because we’ll know ourselves well enough to prepare our response, to react accordingly, and to only need to prioritize the previously planned investments necessary to protect and enable the business.
Meaning we can stop chasing our tails, and finally have a hope of getting ahead of the game.
Now, maybe you can do all this now, and you’re already in good shape. Good on ya!
Or, maybe you could use a bit of a boost into the security architecture saddle before you’re ready to ride herd on your own organization. And, if that’s the case, then I believe the best, most practical way for you to begin building your business-driven security architecture is to join us in July. There’s no travel. There’s no PPE required, and yet you still get the experience required to build the security architecture skills you’ll be able to immediately apply to the work you’re doing right now…
…so you’ll have the knowledge and confidence to know where you and your organization really stand against the cyber onslaught.
To register and to find out more details of exactly how it’ll all happen, just visit this link:
But if you’re not immediately sure it’s right for you or that it’ll make a dramatic improvement to your own security architecture work, then that’s ok. However, if you ARE sure you’ll be joining us in July, you’ll probably want to register by Friday, May 23rd, so you’ll be able to save a cool $1,000 off the normal price of the program. In the current environment of frozen funds and careful investment, it just might make it easier to get it across the line with the PTB.
Or it might not.
Either way, the choice is up to you. This is the last time we’re going to run it this year for sure, because doing it again just doesn’t fit into my schedule. So if you missed the February cohort, and you missed the Early Bird discount…and you don’t want to bet on when it might run again, then now’s the time to act.
Andrew S. Townley
Archistry Chief Executive