In response to a previous email, a reader raised the challenges of actually practicing proper security architecture in organizations where the title says “Enterprise Security Architect” and yet they expect you to “roll up your sleeves” and do everything from incident RCA to security strategy to organizing the company piss up.
And he’s right: it is a challenge.
It is possible, however.
You just need to understand what it takes.
Imagine you’re at a security conference (or any other place where security architects might be found), and eventually, you’ll see a huddle of people standing around lamenting about the state of security where they work.
They all have a story about how everyone – from the CEO to the janitor – “just doesn’t get it” and how they’re tired of beating their heads against the wall trying to change that.
And sometimes…but unfortunately not every time…there’s a lone voice that talks about how things work in their company.
They have things like “stakeholder engagement” and “risk appetite”…
And they talk about “business alignment” like it’s a real thing rather than just a pipe-dream invented by some analyst firm so they can milk their customers for money.
After a while, “the rest” eventually decide that lone voice is either delusional or “just lucky”, because, either way, it’s just too far away from their own reality to be possible.
That getting that “lucky” would be like winning the lottery—a one-in-a-million chance.
And for them, they’re probably right. Because they don’t understand what “luck” really is.
But you, dear reader, aren’t like them at all…because I’m going to let you in on a little secret.
And that secret is: luck is like leprechauns—it doesn’t exist.
At least, not in the way most people think.
Remember back to a few days ago when I talked about the Law of the 7 P’s. The one that says: Proper Previous Planning Prevents Piss Poor Performance.
Yeah. That one.
“Luck” is simply a word people who fail to plan use when they watch someone who lives by the Law of the 7 P’s act to take advantage of an opportunity they see right in front of their nose (And, mind you, I’m talking about this in a good way, not an exploitative and manipulative bastard kind of way).
It’s “luck” because to them, they just don’t see how that situation could’ve been anticipated. And that makes sense, because they’re just not playing the same game we need to play.
So what does “security luck” look like and how do we make our own?
Well, the first thing we have to do is understand what we’re really trying to do in our job.
Our job – as an architect, an engineer, and ESPECIALLY as a security leader – is to enable the business to operate safely, effectively and with as little disruption as possible.
Back to what we said yesterday, that means we have to understand what it is we’re trying to support, what kinds of wolves might be living in the woods and exactly what Little Red Riding Hood might need to do to make sure she gets to Grandma’s house before she’s short a relative.
And if we understand that, we’ll be able to say the right things, make the right connections and share the right insights so that we build our credibility and earn the trust of our business colleagues and the executive leadership team.
And when we have that credibility, we can make sure we’re doing the right things, at the right time and in the right way so we can both think strategically and act tactically in ways that guarantee we’re building an effective security program.
Some might call it “luck.”
But we know it’s more than that. It’s Proper Previous Planning in action.
So when you find yourself a bit down on your “luck” and you want some help getting your mojo back:
- Go to this URL: https://archistry.com/go/LuckFactory
- Scroll to the bottom
- And click the big, yellow button.
I’ll be waiting for you with your little green hat, your little green vest and your lifetime leprechaun membership card.
Andrew S. Townley
Archistry Chief Executive
P.S. Don’t wait too long. We’re getting closer and closer to the deadline when this round of the program will close, and I wouldn’t want you to miss it.