If you’re reading this email, I’m pretty sure I don’t have to tell you about the merits of business-driven security architectures. And, even if, for some reason, you’re not entirely convinced that there’s more to “security architecture” than infrastructure diagrams, that’s not what I’m here to talk to you about today.
Today, we’re going to talk about something else that comes up from time to time when I speak with other security architects, but it might not be something you’re going to think of right away.
That something is having access to people who “get it.” The people who are there, in the trenches every day…just like you…and who are trying to carry the flag for architecture in an organization that just doesn’t care.
The business doesn’t care. They just want you to get out of their way and approve their projects.
The IT people don’t really care. After all, in many organizations, they don’t even have any kind of architecture anyway…
…and even if they do have some kind of IT Architecture or Enterprise Architecture…or even an Enterprise IT Strategy group…
…they’re probably walking around with their heads so far up in the clouds, safely squirreled away in they ivory towers that they don’t really even know what the developer and operations peasants are actually doing on a daily basis anyway.
The security operations people don’t care, because, let’s face it. They’re so overloaded…so overwhelmed…and so buried in the barrage of threat and potential security incident reports they get every day, it’s like the whole team are extras in the next Zombie Apocalypse movie.
And, probably most unfortunately, the risk team doesn’t care about your security architecture at all, because they’re probably stuck entering data into some technical monolithic monstrosity that crunches that information, spits out a mitigation and then gives the business some unjustifiable warm fuzzies that, “We’re ok, Jack,” in the form of convoluted and confusing dashboards with pretty, yet ultimately meaningless, charts and graphs.
…when you, on the ground, probably sitting smack in the middle of the Security Engineering team or whatever it’s called – where nobody thinks much about architecture – know for a fact that there’s very little correlation between what the vendor preloaded in the system for risk appetite and “best practice” mitigations…
…and what you’re actually seeing on the ground with the gaping holes you see in the project designs you have no choice but to send back with their tails between their legs.
Nobody cares at all, it seems.
From the conversations I’ve had, and in the face of all this ambivalence about something you might be trying to do yourself, it’s the lack of being able to reach out to other people who are trying to solve the same problems—or who maybe have already solved them – that is one of the big things holding people back from making progress on their security architecture.
And it’s not just being able to mingle with people and swap business cards and email addresses like you can at security conferences. It’s knowing that you have access to people who are not only trying to do what you’re trying to do…
…but who are trying to do it the EXACT same way you are…
So that when you’re truly stuck – or when you’re reeling from waves of organizational apathy – you have someone to reach out to for help.
Of course, I’ve been through all this before too, but for whatever reason, maybe you don’t feel comfortable reaching out to me. Maybe you feel more comfortable reaching out to people who you know have been able to help you in the past.
People who have already given you new insights…pointers to new solutions…
…suggestions of new stories to tell…
…that might break through the ambivalence and apathy…
…and finally allow you to get on with doing your job.
Those very same people are the people who you will likely find as part of your cohort during the 7 weeks of Building Effective Security Architectures—and some of them are people who you might still be exchanging ideas and suggestions with 6 or 12 months and even 2+ years after you’ve been through the program.
I know that’s how it’s worked for me when I’ve been part of similar programs in the past.
But to get that kind of support, from people who’ve gone through the same things you have…who’ve learned the same methods…and who may have already tried and succeeded…or failed and learned from their own efforts…
You’ve first gotta be part of the cohort, and to do that, it means registering for the program to make sure you have reserved your spot before everything kicks off on the 24th of February.
To do that, you’ll need this link:
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
