Policies. Everybody has them, and whether they’re good or bad is actually irrelevant. Because if you want to practice real security architecture in your organization, you’re going to have to eventually bite the bullet and do something with them.
If you want to keep them, you have to be able to prove they actually support and enable the business…
…and if you want to change them, you need to be able to demonstrate quite clearly how – and how often – they’re stopping the business dead in its tracks.
In this particular case, I have some good news, and I have some bad news.
The bad news (which always goes first) is that depending on your organization, the set of security policies you’ll need to be able to untangle can be quite extensive and quite dense.
The good news is that you don’t have to try to eat the whole policy elephant in one go—if you know what you’re doing…
…and what you’re really trying to accomplish by doing it.
To deliver agile security, that means you need to be able to move quickly and easily—and you can’t do that if all the details of your security policies are locked in documents somewhere that the vast majority of people have never read—even with the mandatory force-feeding required by the typical security awareness program.
If you’re familiar with SABSA, then you’re familiar with the whole story about the difference between business-driven policy and the policy-driven business. However, that isn’t quite correct, because when the policy “drives” the business, it doesn’t really resemble the smooth lines of an F1 driver expertly navigating the course…
…it ends up being a lot more like the Saturday Night Demolition Derby where the business tries to go somewhere, and then…
WHAM!
Out of the blind spot comes Security Policy Q1423.1-7, and hits the business so hard the engine stalls…
…just before Security Policy A12739-6 comes barreling around the track and hits them both right in the—well, I think you get the idea.
But to fix it, we can’t just shout “It sucks and needs to be fixed!” at the top of our lungs. We need to follow that oft-quoted mantra of management advice,
“Don’t come to me with problems. Come to me with solutions.”
The even better news is that like Sammy Hagar’s magic number of ways to rock, there’s only one way required to put your policies in their place…
…be that validating they’re correct…
…or that they’re ready to be recycled or remixed.
And by the time we talk about this process – what I call architecture archaeology – as part of Lesson 9 of Module 3, you’ve already learned how to do it, and you’ve also been able to get plenty of practice doing it as part of the practice exercises and module assignments earlier in the program.
It just may not have been quite clear that what previously may have seemed an insurmountable problem…
…easily succumbs to the application of the principles and practices of The Agile Security System and ends up packaged into SABSA security architecture tidier than the plastic-wrapped, pre-formed burgers at the local butcher.
Because what I want you to get out of the Building Effective Security Architectures program more than anything…
…is the ability to practically apply the skills of security architecture to the problems you have sitting in your inbox RIGHT NOW.
Not in 2 weeks, 2 months or 2 years…or when you have time, budget and a team to tackle it.
That’s what it’s all about.
Practical skills. Practical tools. And predictable value.
Of course there’s always more to learn, and you can always dive deeper into the pool.
But you can’t swim if you first don’t jump in and get wet.
And the quickest path to policy slicing and dicing with Ginsu precision is by joining the upcoming run of the program kicking off on the 24th of February (which is less than a week from now). The link to join us is right here:
After that, you’ll never again feel overwhelmed or constrained by any security policy you’ll ever encounter because you’ll be confident that you can either apply it – or fix it – faster than anyone else around.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
[NOTE: the registration deadline for this cohort of the program has passed. If you want to make sure you don’t miss out on the next one – and the opportunity to register at a significant, early-bird discount – then you might want to consider signing up for the daily emails via either the pop-up or the form on the right sidebar. — Ed.]