When you really think about it, maturity models – in whatever form and however benign they might’ve originally been intended – eventually end up proving a quote by the rather provocative Gore Vidal:
“Envy is the central fact of American life.”
Now, while I don’t agree with many things Mr. Vidal has said, what I do agree with is making asking hard questions and challenging the common norms and assumptions most people take for granted an integral part of your life.
And as a security professional, it’s probably even more important for us to do so—to challenge the status quo. To critically analyze so-called industry “best practice” which so much of has originally been developed to further specific vendor agendas so long ago as to have been forgotten by many. Especially people who don’t study history.
In fact, one of my most favorite quotes about this – which is a spin on another classic quote – is this one:
“Those who don’t understand UNIX are doomed to reinvent it—poorly.”
I used to have that one on my wall in my cube at Informix years and years ago.
The common root of all this is of course the deadly security architecture sin of envy. Someone proves something can be done, and we tend to psychology take this as a challenge to our very existence, often asking:
“Why didn’t I think of that?”
When there are probably at least a million good and legitimate reasons for it that have nothing to do with internal attacks on our self worth.
But maturity models are neigh-on engineered to engender envy amongst the very organizations who adopt them, because they establish a top-level bar well beyond Peter Senge’s rubber band example illustrating the need to keep the proper level of creative tension between where you are and where you want to go.
Maturity models take that rubber band and generally pull it so far that it snaps and hits us in the eye.
Of course, not everyone falls victim to the envy aspects of maturity models…but it’s a hard thing to ignore. I mean, if you’ve actually gone through the process to determine that your target maturity level is 2 on a 5 point scale based on detailed and well-considered cost-benefit and ROI analysis…
…you’re always going to get someone, somewhere from above that asks the question:
“Why are you happy with *only* Level 2?”
The implication being, “What’s wrong with you? Don’t you want more?” Likely followed by examples of other organizations with the same team size and within the same industry and using the same technology who have clearly demonstrated they’ve achieved something more than you.
That question…and the motivation behind it…is our evil envy security sin rearing its ugly head.
Eventually, it takes its tool – even subconsciously – and all of the careful reasoning goes out the window, because hey…if the scale goes up to 5, that’s not good enough for us. In classical Spinal Tap style…
…we want our amps to go to 11!
Psychologically, we NEED our amps to go to 11 because somehow that maturity level target has become intertwined with your psyche and sense of self worth. I mean, if *they* have maturity level 4, and they’re in our industry, and we’re “benchmarking” ourselves against them, then why shouldn’t we strive to do better?
Now, having aspirations for excellence isn’t a bad thing. The problem is, “excellence” – like so many other things that really matter – is context specific. So if you don’t understand the context, then “excellence” becomes just a number, and of course…
More is always better.
They have it, so why can’t we?
What we often forget, having thrown the context out with the bath water, is that our world is different than theirs. Sure, there’s some commonality, and we need to understand how to do what’s right for us…
But that takes time, effort, considered thought—and that’s work.
I’m sure there’s a foxy framework we can use to solve that problem today, without all that work, and which will push us past our peers in the magical, mystical maturity race.
And there always is, of course.
But that doesn’t mean we actually need it.
The root problem in all of this is that we’re really just bad at figuring out what we really need to do. And we’re bad at it because we’ve been seduced by all those foxy frameworks, standards, and magic pills that claim to show us what’s right…what we *REALLY* need…
…to the point that we’ve forgotten how to actually think for ourselves and make our own decisions.
That’s a skill.
When you don’t have it, or it’s a bit rusty, it takes longer to do. And it’s a slippery slope back into the “I want it, and I want it NOW” way of thinking.
However, when you have the right way to think…and you practice it enough…it’s actually pretty fast. And it’s defensible. And when it’s defensible, you have ready ammunition for countering the inevitable:
“But you’re only level 3” kind of criticism we face every day.
If you want to learn how to avoid the trap of envy in our security architecture efforts and be able to focus on building what’s right instead of trying to keep up with the Jones’…
…the March issue of the Security Sanity™ print newsletter might be just the thing to help you do it. But time to make sure you get it is running out. If you don’t want to miss it, then skedaddle on over to this link and subscribe today:
The cart closes tonight, and that’ll be your last chance to get it. Next month, we’ll be talking about something different, so if fighting the 7 deadly sins of security architecture is something you want to do, now’s the time to act.
Andrew S. Townley
Archistry Chief Executive