If there’s one thing that I think causes the most conflict between security and “the business”, it’s trying to figure out how to deal with policy exceptions. Now, in some cases, organizations have this pretty well dialed out—but based on my observations, I’m not really sure they truly understand why this is the case.
So let’s talk about why you shouldn’t treat policy exceptions like the blood-drenched, severed head of a zombie corpse, and instead, you should Tzu-t up, and figure out how to make them your best friends.
And the reason is based on the advice of the legendary Sun Tzu:
“You should keep your friends close—and your enemies closer.”
Because policy exceptions can be your worst feckin’ nightmare. Most of the time, they
…lead to everything from bun fights to bloody knuckles with the business ultimately over which is more important: following the rules or delivering value (most often seen wearing the clever disguise of “making money”)
…cause the size of your already “my cup overfloweth” security workload when someone brings you an 11th hour request to do something, has overruled the Security Policy Police, and demands you work all night to give them a solution so they can go live the next morning
…and, worst of all, if you do manage to emerge victorious in the Security vs. Business death match…
…you still lose, because you’re once again just another “security arsehole” that delayed a project and potentially cost someone their bonus.
In fairness…it’s not exactly your happy place.
The solution then is to take your policy exceptions out, wine them and dine them, and have a deep and meaningful conversation with them about who they are, why they exist, and why they’re spending so much of their time and energy making your life as a security professional a living hell.
Fortunately, you don’t have to figure out the magic manual of instant attraction for your policy exception wooing all by yourself. It’s already been done for you, and I can tell you that there’s a systematic way which is nearly foolproof…
…as long as you follow the principles and practices of The Agile Security System™ you’ll learn as part of Lesson 3 in the last module of the Building Effective Security Architectures program that starts next week. Because in this particular lesson, packed into under 20 minutes, you’ll learn how to put all that architecture effort you’ve been spending to work.
And I mean REALLY work…
…to apply the architecture you’ve developed to actually solving problems for real people—including becoming best friends with policy exceptions.
The best part?
When you help real people solve real problems, you’re damn-near instantly promoted from “security arsehole” to “Defender of the Realm”…
…with all the associated credibility and trust benefits that go along with it—like actually getting invited to meetings…like people voluntarily asking your opinion about how things should be done…
…and maybe even being the beneficiary of a few rounds of drinks at the pub.
All from the simple act of becoming best friends with your former arch-nemesis, the humble policy exception.
To learn the tricks to tame this troublesome tyrant, all you need to do is join the next cohort kicking off on Monday, February 24th using this link riatch he-or:
As you probably know, the registration closes on Friday (tomorrow) at midnight, so that means you have just over one measly little day to make sure you join us. Sure, you might have the chance to join another cohort in the future—but it won’t be this one, since it’s a live group of people that’ll be different every time. And judging by who’s already registered, I think this one will be pretty special.
Up to you. Link’s there, and we’ll be kicking off next week, whether you’re with us or not.
Andrew S. Townley
Archistry Chief Executive