I’m serious. And actually, you’re right not to care about it.
Let’s face it, it’s not like we’re building La Sagrada Familia or something that grandiose. While the idea is that if we do our job right, lots of people will benefit. It’s neigh-on impossible for anyone to come along 100+ years later and wander through our collection of attributes, domains, services and the things that implement them to appreciate the intricacy of the traceability links we have or the artfully appropriate and succinct language we used for our control objectives and security policies.
Nope. None of that’s gonna happen.
And let’s face it, to do architecture right is a skill that takes time to develop—especially when you don’t have much guidance, much time or much support. And it’s just one more thing we’re supposed to do, that nobody else cares about…
…or thinks is important
…or, frankly, can even consistently define.
So, I get it that it’s not a priority.
The more people I’ve talked to, both SABSA and non-SABSA people, there’s about 1-2% that are actively practicing any kind of security architecture.
Which is also not so crazy, because the majority of organizations I know don’t really have very mature IT architecture either, so trying to do something in security is kinda seen as either a) not their job or b) a Sisyphean task.
In fact, what we want is to not go insane
…or end up with a heart attack from the stress
…or just pick the top item off the Urgent and Important pile and hope we can get it done before today becomes the day of “the big one.” The breach that would end your career in some organizations.
You just want to get stuff done, cover your backside and hope that’s good enough to keep your organization safe.
And if you know SABSA, there’s a good chance you think it’s great. But there’s also a good chance that you think there’s no way you can do it at the same time you’re doing anything else.
And up till now, you’d have been effectively correct. That first step on the SABSA path is often somewhat vertical, or even 120º, meaning that you feel a lot like you’re trying to climb upside down with tools you’re not sure about and minimal confidence you’re using them in a way that’s actually going to work.
Well, I have news for you. While I can’t make you care about architecture, what I can do for you is at least make it easier to do—and do well. And after 25 years working with technology and business, I truly don’t know how it could be easier.
And when you apply the 7 principles to every decision you need to make, and you apply the 14 practices enough that they become second nature – habits you don’t need to think about – what you’re going to end up with is some business-driven and risk-proportional architecture that lives and breathes everything SABSA promises, but without the majority of the start-up costs in terms of time and investment. And it does that because it IS a SABSA security architecture.
So what you’ll end up with is a view of what really matters to the business and how those things are protected that’s accessible to the whole security team. It’s something that’ll even be accessible to everyone—business and technology alike. And it doesn’t matter if you’re SDLC, Agile, DevOps, DevSecOps or any other kind of critter.
I’m confident it’ll work for you.
And I’m confident it’s a complete system that will help you do what you need to do to keep your organization as safe as it needs to be.
It’s *almost* a way to build architecture without “doing” architecture, meaning you don’t have to care about the architecture per se. All you need to care about is the value it can give you and your team in helping to make better security decisions.
But you’ll only get it if you subscribe to the print Security Sanity newsletter before Wed, July 31st at 11:59pm US/Eastern. And you can only do that with this link:
However…a word of caution, before you get too excited. You need to read the sales letter very carefully, and you also need to be committed to doing rather than just accumulating knowledge. Because as amazing and game-changing as I think it is personally, like anything else, it’s only going to do you any good if you actually do the work of trying it out.
So if you’re not an “operator” as they say. If you’re not someone who actually wants to find a better way of working so they do more with less effort and stop answering the same questions over and over again, then
…save your money.
The August edition isn’t meant to be collected. It’s meant to be used. It’s the Volvo, not the Pagani.
So grab the kids, strap ‘em into the car seats, take your Volvo-Driving Soccer Moms (or Dads) by the hand, and let’s go buy some groceries so we can get to work!
Tick-tock. Less than 3 days left, and I wouldn’t wait till the last minute.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
