One of the things you always hear when you talk with the people in an organization about what it is, what it does and how it does it, you’ll always hear about how unique, different or just…
SPECIAL…
…that organization is in relation to other organizations on the planet, its peers, competitors and other places where the people telling you might have to work someday if things all go horribly wrong.
And while this is true in many different ways, at our core, we’re engineers and architects…
and “special” just doesn’t cut it.
We need to know special how? In what ways? What is it that makes it unique? What are the classifications and structures and relationships that distinguish this organization from everyone else?
We have to find the structures…
…the patterns
…the taxonomies
…and the forms, damnit. Because without those, things are just different. And you can’t do anything with different, and you can’t tell what’s important “different” from cosmetic “different” vs. financially-significant “different.”
So part of what we have to do as security is figure out how to carve up our world so we can put all this different-ness in some kind of structure. For example, we know that, at a bare minimum, a manufacturing organization needs to have a few things, or it’s not going to be a manufacturing company. It needs to have:
- Some kind of raw materials or inventory of parts,
- Some kind of model, pattern, recipe or assembly instructions,
- Some kind of assembly mechanism, and
- Some kind of finished goods or product.
Now, you can cut that up any way you like, but there’s a model there – a fundamental model – of what constitutes the definition of a manufacturing organization. You might not agree with those 4 items, but whatever it might be, there’s a model.
So if you want to understand a manufacturing organization, what do you need to do? That’s right, you need to start asking questions about that fundamental model. What are the required raw materials? Where do they come from? How much do they cost? How long does it take for me to get them?
And a million more potential questions you can think of. But it’s like Jazz. Jazz doesn’t just start because a bunch of people are playing different notes. Even in improv, there’s some kind of fundamental structure that everything else decorates…hangs off of…that makes it coherent…
…even with all those crazy notes, rhythms and solos.
You’re not making it up—and that’s a good thing.
In fact, that’s the point.
Because when you make it up, you’re doing stuff you’ve never done before. It truly is a special snowflake—by definition. And the thing about making it up is that it’s really easy…
…dangerously easy…
…to forget something. Because you don’t know the structure. Like, the robot’s going to be missing an eye or something, or have a leg sticking out his butt because, well, you’re making it up. You don’t know what will work and what won’t.
So if we want to have the best chance of getting it right, we need to know what it is we’re supposed to be doing, and what the fundamental structures are we’re supposed to recognize and explore.
Because it’s through the exploration of those structures – those models – that allow us to figure out the right questions to ask our customers, you know… those security stakeholders we’re supposed to be supporting.
Structures, or a system, is going to trump a list of questions because we won’t know which ones are important. We have to kinda guess, or go through and feel our way through.
But with a structure, or a system – especially one we understand – then we have the hard decisions already made for us. We just fill in the details.
And by recognizing what’s missing…what we don’t know…what we don’t understand…
we have a roadmap – a red carpet – laid out in front of us, and we just walk along, picking up the information we need from the mouths and the fingers and the writing instruments of our customers…
so we can build the right architectures…and pick the right controls…to deliver our mission and purpose of helping our organizations achieve THEIR mission, as quickly and safely as possible.
Now, you might have some of those models already, or you might not. However, one of the key pieces of The Agile Security System™ is a set of 3 baseline perspectives that give you the 3 most critical structures – and the relationships within them – to help you carve up the complexity of your organization and eat it for breakfast.
To carve up the complexity of understanding your customers’ worlds into manageable, digestible pieces. To make sure you say the right things to get the interviews you need…
to make sure you ask the right questions to understand what’s most critical to the organization…
to understand where you need to put your controls…
to understand when you need to panic about a threat or vulnerability and when you don’t.
Those Baseline Perspectives and how they relate to getting, structuring and visualizing the whole process of interviewing your security stakeholders and translating that into architecture and controls that live, create, adapt and enable your organization…
is quite extensively covered in the upcoming September issue of the Security Sanity™ print newsletter. And, if this should be useful to you…and help you do your job better, faster and with far fewer tufts of hair covering your desk and keyboard…
then shoot on over to https://securitysanity.com
And make sure you subscribe before it’s too late.
Or keep starting from a bank of questions…or a blank page…and just wing it. I’m sure it’ll all work out ok…right?
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
