As much as we like to deny it, our primal, animal brains control a lot more of our life than the average person who considers themselves civilized and educated would care to admit. And if you doubt this, just look at the TV news, or especially scroll through social media feeds or read the comments sections of the online newspapers.
So…maybe we’re actually embracing our animal survival instincts more than we’d like—even though many of the fears we have today have been carefully and meticulously manufactured by some stand-in for Squealer from Animal Farm.
Today, it’s hard to avoid it.
Unfortunately, it happens because of something so deep in our brains that we developed when were having to avoid getting eaten by a lion, or we needed to decide which berries to eat, or when we’re faced with life-changing questions like:
“Do I take the red pill or the blue pill?”
All these survival activities are actually underpinned by a nearly automatic classification mechanism we have hard-wried into our brains. We have to put things into boxes. In fact, we can’t stop doing it…
…unless we’re dead.
It’s just part of the way the brain works.
Good vs. bad.
Friend vs. foe.
Pain vs. pleasure.
Loss vs. gain.
None of these things are absolute, but our brain has developed an automatic distinction for which is which that we can only short-circuit when we engage our “Slow Thinking” brain to start thinking about exactly why something goes in one bucket or the other.
All this was designed to keep us safe, but there’s a real problem with it: we’re not consciously aware of why we make these choices. It’s much easier to draw a box than explain why we did it—explaining what’s really the defining reason we chose to separate one set of things from another.
Now for us as security, “safe” is a big deal. But it’s another one of those words like “security” that is really context-specific.
Safe from what?
Lions, tigers and bears…oh my!
And since safety and security is kinda what we do, we’d better have a good way to avoid relying on our Neanderthal brains to determine what we really mean by good vs. bad or threat vs. opportunity.
Fortunately, as a SABSA practitioner, we have just the thing for that as part of our toolbox: the Domain concept.
However, the standard definition of a domain as a set of elements subject to a common security policy is a bit too far away from our Neanderthal needs. It’s just too sophisticated to solve the problem I’m talking about here, because it’s like sitting down to watch Star Wars: A New Hope and immediately after you’re introduced to Luke Skywalker and R2D2, you jump straight to the end where Han Solo shouts,
“You’re all clear kid! Now blow this thing so we can all go home!”
The story we need is there, but we’ve just kinda skipped some steps.
Domains work and are powerful for many reasons, but one of the biggest ones is it allows us to keep our Neanderthal brain happy. We get to define as many “us” and “them” boundaries as we want.
In fact, we can do it forever, but that’s a problem for another email.
The “missing step” – which isn’t really missing if you understand SABSA and how domains work – is explicitly defining the characteristics that caused you to draw that box in the first place.
Now working backwards from the official definition, if they’re subject to a common policy, why might that be?
What’s a policy? Well that’s also potentially the topic for a whole month’s worth of emails, but since we’re talking about a SABSA policy here, it’s a set of control objectives and the way those are implemented down through the layers from our little beady brains all the way down to spinning fans and lights a blinkin.
But why those control objectives? Where did they come from?
Well, we have control objectives (a shorthand because I don’t want to write “control and enablement objectives” or “CEOs” or anything else I’ve tried to use over the years to make it easier to say and type) because we’re mitigating a set of risks within the domain where this policy applies.
Ok, right. So we have a common set of risks, so we need a common set of control objectives.
So why do we have a common set of risks?
Well, there must be a common set of threats or vulnerabilities, right? Yeah, well…you just go ahead and dance with those Angels. Mind the edge of the pin head though.
Why are there a set of common threats and vulnerabilities?
Well, because the “we” elements inside the box must have a common set of characteristics. And in this case, I’m not talking about SABSA Attributes—unless you expand those to include not only the name, the definition, the metrics and the performance targets. Sure, the Attribute Profile in a domain is a common set of characteristics, but those aren’t the ones that start the ball rolling.
The ones that start it are the characteristics of the elements themselves.
Are these the berries that caused me to barf my guts out last week?
Is that sound coming from a rogue velociraptor that escaped from a movie set?
So really, what our domains SHOULD do for us, is allow us to leverage our psychological reflex to classify the world in to things we understand by actually forcing us to describe those characteristics that matter.
Because at the end of the day, those characteristics are probably far less likely to change over time than the set of risks that drive the policy.
Ok, so that was a bit deeper than I’d originally planned, but at least you should understand domains a bit better. Now what?
If you’d like to figure out how you can actually put them to work IMMEDIATELY in ways you probably haven’t done before to express the security work you’re doing right now,
There’s still time to get the August print newsletter that includes the definition of an entire system of principles, practices and pictures to help you do just that.
If you’re still sitting on the fence, you just might want to notice you’re running out of fence.
When the issue goes to the printer on the 1st of August, it’ll be too late to subscribe, so best do it now:
Andrew S. Townley
Archistry Chief Executive
P.S. And to be clear, this is different than these daily emails. This is something you can read and use as a real resource and reference to take concrete actions to start being more effective in your security work every day—regardless of what that security work actually is.
P.P.S Here’s something you can do if you liked today’s post: you can sign up for those daily emails that annoying pop-up keeps asking you about. Or, if you want to know more about what you’re going to get if you do and how it works, then just go knock on the front door: https://archistry.com and you’ll get the whole deal.
Or…you can just keep reading the blog, or ignore me and Archistry all together. I’m good either way.