
February 22, 2020

Policy grinder

Policies. Everybody has them, and whether they’re good or bad is actually irrelevant. Because if you want to practice real security architecture in your organization, you’re going to have to eventually bite the bullet and do something with them.

If you want to keep them, you have to be able to prove they actually support and enable the business…

…and if you want to change them, you need to be able to demonstrate quite clearly how – and how often – they’re stopping the business dead in its tracks.

In this particular case, I have some good news, and I have some bad news.

The bad news (which always goes first) is that depending on your organization, the set of security policies you’ll need to be able to untangle can be quite extensive and quite dense.

The good news is that you don’t have to try to eat the whole policy elephant in one go—if you know what you’re doing…

…and what you’re really trying to accomplish by doing it.

To deliver agile security, that means you need to be able to move quickly and easily—and you can’t do that if all the details of your security policies are locked in documents somewhere that the vast majority of people have never read—even with the mandatory force-feeding required by the typical security awareness program.

If you’re familiar with SABSA, then you’re familiar with the whole story of the difference between business-driven policy and the policy-driven business. However, that isn’t quite correct, because when the policy “drives” the business, it doesn’t really resemble the smooth lines of an F1 driver expertly navigating the course…

…it ends up being a lot more like the Saturday Night Demolition Derby where the business tries to go somewhere, and then…

WHAM!

Out of the blind spot comes Security Policy Q1423.1-7, and hits the business so hard the engine stalls…

…just before Security Policy A12739-6 comes barreling around the track and hits them both right in the—well, I think you get the idea.

But to fix it, we can’t just shout “It sucks and needs to be fixed!” at the top of our lungs. We need to follow that oft-quoted mantra of management advice,

“Don’t come to me with problems. Come to me with solutions.”

The even better news is that like Sammy Hagar’s magic number of ways to rock, there’s only one way required to put your policies in their place…

…be that validating that they’re correct…

…or that they’re ready to be recycled or remixed.

And by the time we talk about this process – what I call architecture archaeology – as part of Lesson 9 of Module 3, you’ve already learned how to do it, and you’ve also been able to get plenty of practice doing it as part of the practice exercises and module assignments earlier in the program.

It just may not have been quite clear that what previously may have seemed an insurmountable problem…

…easily succumbs to the application of the principles and practices of The Agile Security System and ends up packaged into SABSA security architecture tidier than the plastic-wrapped, pre-formed burgers at the local butcher.

Because what I want you to get out of the Building Effective Security Architectures program more than anything…

…is the ability to practically apply the skills of security architecture to the problems you have sitting in your inbox RIGHT NOW.

Not in 2 weeks, 2 months or 2 years…or when you have time, budget and a team to tackle it.

That’s what it’s all about.

Practical skills. Practical tools. And predictable value.

Of course there’s always more to learn, and you can always dive deeper into the pool.

But you can’t swim if you first don’t jump in and get wet.

And the quickest path to policy slicing and dicing with Ginsu precision is by joining the upcoming run of the program kicking off on the 24th of February (which is less than a week from now). The link to join us is right here:

https://archistry.com/besa

After that, you’ll never again feel overwhelmed or constrained by any security policy you’ll ever encounter because you’ll be confident that you can either apply it – or fix it – faster than anyone else around.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

[NOTE: the registration deadline for this cohort of the program has passed. If you want to make sure you don’t miss out on the next one – and the opportunity to register at a significant, early-bird discount – then you might want to consider signing up for the daily emails via either the pop-up or the form on the right sidebar. — Ed.]

Article by Andrew Townley / Archistry Daily / Agile Security, BESA, SABSA, Security Architecture, Security Policy Management
