One of the shows my kids like to watch is Rusty Rivets, where Rusty and his friend Ruby and their team of robots create all kinds of crazy machines out of recycled parts to solve problems (and most of the time, problems they’ve inadvertently created for themselves).
For example, Rusty and Ruby get his great idea to tie a bunch of balloons together so that they can go for a ride—just like in a hot air balloon, and complete with an observation basket. Unfortunately, while they were off collecting the last bits of gear, their troublesome friend Liam gets in and accidentally sets off on an uncontrolled adventure on his own.
After assessing the situation, Rusty and Ruby decide that the best way to rescue Liam is, naturally, to pop some of the individual balloons so he’ll float gently to the ground. Their solution?
“Let’s combine it and design it!” as they say.
They take a tennis ball serving machine, Ruby’s vehicle chassis and a pair of caterpillar tracks they just happened to have lying around, result in…
The All-Terrain, Balloon Blaster 3000!
Which, after a few false starts, succeeds in rescuing their friend.
Now, one of the problems we face as security architects in particular is that we’re forced to solve problems our organizations may have inadvertently created for themselves based on either unclear implications to the decisions our customers make…
…or simply the fact that the way decisions are actually made isn’t often the same as the way we think they should be made, and which are (un)helpfully documented in reams of RACIs.
What we really need to be able to find are the real relationships and implications of the decisions the organization makes about how it “does its thing” without getting bogged down and overwhelmed in the details of security policies, controls and project documentation.
Fortunately, our security architecture scrapyard has a few neat parts lying around, like attributes, domains and relationships. All we need to do is a bit of “combining and designing” of our own so that we end up with a repeatable process for focusing our security efforts in the right place.
That’s right, we need The Organizational Governance Mapper 9000!
Lucky for you, you don’t have to figure out this “combining and designing” thing all by yourself, and you don’t even need your own team of Rusty, Ruby and the robots either.
All you really need is the information in the soon-to-be-shipped print edition of the Security Sanity™ newsletter that talks about all the inner workings and steps to untangle organizational decisions, relationships – and yes, the dreaded RACI chart – into something you can actually use as the basis of your security solutions.
Now, you might be thinking to yourself, “But we already have security governance.” And yeah, you probably do. But how does that illustrate the individual security requirements and priorities you need to demonstrate for each project?
Or, you might say to yourself, “I don’t need to understand governance to do architecture.” Um…nope. Architecture is about the structure of systems to manage the element interactions and information flows to deliver some kind of useful outcome. You can’t separate the two.
Or, you might (shudder) say, we have our security governance and interactions all mapped out in a framework, we follow industry best practices, and we have the RACIs to prove it.
*sigh*
All I can say to that is, if you do, congratulations! You’re in the distinct minority. However, I’d challenge you on whether your frameworks are doing the same thing I’m talking about and give you the potential for the n-way traceability required to really justify the value of your security activities every day.
Maybe they do. Maybe they don’t.
If you want to get my take on architecture, governance and the way it all fits together – along with some practical guidance to get it done without your head exploding – then get thee on over to this link:
Because at the end of the month, the velvet rope is closed, and the two big bruisers at the door won’t let you in to this holiday party, no matter what you aren’t wearing or how much cash you’re prepared to splash.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
