
March 14, 2023

The myth of the isolated project

Photo by Luis Dalvan.

I was recently reminded of a pretty pervasive problem that often sneaks into our worlds in security. That problem is the myth of the isolated project. It often starts simply enough (and if you have kids, you should recognize these warning signs):

“It’s just this one time. I won’t ask you to do it this way again.”

“It’s just a pilot. We’re only trying to see whether this approach is a good fit for us or not.”

“This is a temporary workaround until the main project can be completed. Once that happens, the whole thing’s going to be thrown in the bin.”

Uh, yeah. Right.

Fool me once, shame on you. Fool me twice, shame on me. And, unfortunately, unless you’re in an organization of one, you’ve probably heard this much more than twice—even from the same people.

The general consequence of this line of thinking is that “because it’s temporary, we can cut corners…we don’t need architecture…we don’t need security controls,” and on and on.

Now, I’m not saying pilots, test projects and emergency solutions are evil, bad things. They’re the reality of getting things done. You need to prove solutions. You need to evaluate technologies. You need to build band-aids to cover the hole that just can’t wait two more days for a “proper” solution to appear.

What I’m really saying is that you have to think about them the right way. I’ve seen far too many cases in my 25 years of doing this stuff professionally – both while making decisions to run the business and as someone making technology decisions – where the “temporary fix” or the “pilot project” is so successful…

…it ain’t temporary no more, no more, no more. So hit the road, Jack. That ship done sailed and you’re dancing around on the dock wiping the tears from your eyes.

And this kind of “we don’t have time” or “it isn’t necessary” mindset pervades flaccid agile adoptions—and it even lurks around the edges of real agile teams too, just waiting for them to drop their guard, so it can pounce, devour them in one bite and leave a gaping hole in the project the bad guys are sure to find and exploit at will.

As I’ve said many times before: everything has an architecture. The choice you need to make is whether you’re going to take control of it, or whether you’re just going to let it grow organically wherever the hell it wants to go, depending on who screams the loudest and who has the tightest deadlines.

I would hope that it’s obvious that the organic approach to architecture might seem the easiest path, but it’s going to end up being much more expensive, time consuming and cause you many more headaches on just the day when you feel you can’t handle anything else.

Wham! It’ll smack you upside the head like a 2×4 with a rusty nail, accompanied by a gleeful, “Remember me, mate?”

If you do it right, taking control of your architecture doesn’t mean slowing things down. In fact, and validated with years of my own practical experience, doing architecture correctly actually makes things go as quickly as they possibly can—both in the delivery of the oh-my-god-it-must-be-delivered-yesterday projects and from the perspective of responding to the day-to-day events the world throws at us.

But, if you do it wrong, not only will you end up creating a bunch of stuff that turns out to be expensive paper-weights or useless gigs on an enterprise file share, it’ll piss off everybody.

And, I do mean, everybody.

The people that want it are mad, because it isn’t there and they have to do it themselves, under pressure and without the right support.

The people that are delayed because of it are mad, because their projects are delayed by things that should’ve been caught earlier when they were cheaper to fix, adding not only project delivery risk, but cost and the necessity of scraping the political eggs off their face.

The people that have to fix it later are mad, because they have no idea what kind of crazy drugs the people who designed and built this thing they’re now stuck with were doing and can’t figure out where the right place is to make the fix.

The people that operate and use it are mad, because someone told them they have to use it, but it’s a right PITA based on the real job they do, and it takes 10 more steps than they’d like to do something they do 1,000 times a day.

Now, maybe you’ve never seen this in practice yourself. If that’s the case, you’re either new…or you’re very, very lucky.

The thing I want you to remember is that everything has an architecture, and if you don’t manage it, it ends up ultimately managing you. And you – or I – can prove it given any real problem to analyze and solve. There is no such thing as a project that doesn’t need architecture—especially in the context of the modern enterprise. Everything is supposed to fit together. Even the tests and pilots are part of delivering some larger goal and objective.

And if the thing actually works, it’s going to become part of the normal BAU quicker than your heart beats after the cute girl at the bar winks at you and asks you to come talk to her, since all you’ve been doing was just staring at her for the last 2 hours, and she’s finally done waiting for you to make the first move.

So, you need to be ready. And you need to be able to figure out how to convince all and sundry that architecture isn’t a “nice to have”—it’s a business imperative to ensure things work the way they should.

And, I don’t care what kind of architecture you want to talk about—or at what scope. Enterprise, solution, security, data, infrastructure, business, buildings…any of it. You either pay now, or you pay later.

The tax rate is a lot higher later, but it’s also a lot easier to take the attitude that you’re going to worry about tomorrow tomorrow. Well, that’s not good enough. And it shouldn’t be good enough for you, your team or your organization.

The good news is that there’s generally all kinds of little ways you can prove this point and make this case—even without any support whatsoever from your management. You just need to decide to make the effort, both to make your life easier AND for the overall benefit of the organization. And if they don’t care – or you think they don’t care – then do it for you so you aren’t quite so agitated at the end of the day and can actually enjoy your friends, family or your favorite TV show.

It only takes a decision, because if you don’t choose to make one yourself, someone’s going to end up making one for you, and you just might not be all that crazy about what it’s going to mean to you.

If you want some help, then here’s a potential way to get it:

https://securityleadershipcoaching.com

If you don’t, then that’s all fine too. One last thing, you can always click that link, and I’ll always be willing to see if I can help. However, this is the last time I’m going to be talking about it for a couple of weeks, as there’s some other stuff I’ll be talking about for the next while.

Unlike the rest of what I generally talk about, there’s no hard deadline for this. So you’re free to procrastinate or debate whether it’s actually going to make a difference to your own personal day-to-day work life or not. That’s intentional. If you’re not ready, then it’s just going to be a waste of time and money for you. That’s why, in this particular case, you need to be really, really sure it’s right for you.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive
