• Strategy
  • Risk
  • Governance
  • Compliance
  • SABSA®
  • Login

Archistry

exceptional performance since 2006

  • Home
  • About
  • Courses
  • Bookstore
  • Glossary
  • Contact
You are here: Home / Archistry Daily / Do you really want security making business decisions?

October 1, 2019

Do you really want security making business decisions?

This was a topic that came up during one of today’s sessions at COSAC. Originally, it was about software developers making business decisions because they weren’t aware (or chose to ignore) key business or legal requirements when they were actually implementing the software that runs the business.

Now there’s a lot of issues with this, but it’s actually the same root cause that I’ve been talking about for the last couple of weeks. It’s a breakdown in the Requirements Engineering process used to capture and translate the real requirements into something you can use to guide the implementation, validation and testing of the software.

When you extend this to security policies, it’s truly the birth of the Department of No. It gives the security team license to claim they’re making decisions in the name of keeping the organization safe.

Unfortunately, that’s not good enough. It’s only half of the mission and purpose of security. You can’t just keep the organization safe in a vacuum, because you don’t know what safe really means. Safe from what? The basics?

What basics?

What’s the value in safety anyway? Keeping the organization safe to do what?

These are all questions that are either answered in a way that empowers and enables the organization…

…or in a way that stops it dead in its tracks, destroys your reputation and credibility within the organization, and makes you the target of active avoidance tactics as far as your business customers are concerned.

Because that’s what you’re doing if you can’t walk the traceability between the organization’s security policies and the goals, objectives and the operating constraints they’re meant to support.

Getting it wrong gets that much more complicated in Agile environments, and even in traditional SDLC or V-model environments, additional layers of “translation” between the security team and the customer can result in security making business decisions about what is right and wrong.

That’s not our job, and we can do better.

But you won’t understand how until you understand what Requirements Engineering really is, how it works, and how it relates to the security policies you’re really trying to create.

We’re down to the wire to get your hands on the October issue of the Security Sanity™ print newsletter that tells you about how to do this right and build the right security policies that are flexible and modular enough to both enable the organization and traceably justify the value.

And while if you know SABSA already, you can go a long way with that basic knowledge, there’s more to it than just core SABSA that many people don’t realize. And when you don’t realize it, you’re going to continue making the same mistakes we’ve been making for the last 30 years.

To make sure you get this issue, you’re going to need to make a decision today. After today, you’ll have missed it.

Maybe that matters. Maybe it doesn’t.

If you decide it does, and you want to have confidence you’re enabling the business and can fully justify and demonstrate the business value of your security decisions,

here’s the link: https://securitysanity.com

It’s the last chance. After 11:59pm US/Eastern, you’ll have missed the boat.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile Security, Business Enablement, Policy Engineering, Requirements Engineering Leave a Comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

  • Email
  • LinkedIn
  • Twitter
  • YouTube

EMAIL NEWSLETTER

Want to get DAILY email tips on how to build a more effective security program so you can prove your security investments deliver value to the business?

You can always unsubscribe at any time, and we won't sell your data to third parties.

About Us

Archistry works with you to ensure what you want to achieve actually gets done, linking strategy, risk, governance and compliance to enable sustained exceptional performance Read More…

Testimonials

Andrew is a highly skilled and experienced information systems architect and consultant, which in my view is a rare thing. He is innovative in his thinking and merits the title of 'thought leader' in his specialist domains of knowledge—in particular the management of risk. Andrew has embraced SABSA as a framework and, in doing so, has been a significant contributor to extending the SABSA body of knowledge."

— John Sherwood, Chief SABSA Architect

"Fabulous person to work with. Very engaging and insightful. Extremely good technical knowledge with ability to relate concepts together and overcome differing opinions. Makes things work."

— Kevin Howe-Patterson, Chief Architect, Nortel - Wireless Data Services

"Andrew was able to bring clarity and great depth of knowledge to the table. His breadth of thinking and understanding of the business and technical issues along with a clear and effective communication style were of great benefit in moving the process forward towards a successful conclusion."

— Doug Reynolds, Product Manager, MobileAware

"Andrew is a fabulous consultant and presenter that you simply enjoy listening to, as he manages to develop highly sophisticated subjects in very understandable way. His experience is actually surprising and his thoughts leave you without considerable arguments for any doubts in the subjects he covers."

— Biljana Cerin, Director, Information Security and Compliance

Recent Posts

  • The real difference between architecture and engineering
  • The myth of the isolated project
  • The boneyard of failed architecture initiatives
  • To re-architect or not to re-architect your security controls
  • Afraid up-skilling your security team will train them for their next job?

Looking for something else?

Archistry

Practice Areas

  • Strategy
  • Risk Management
  • Corporate Governance
  • Compliance
  • SABSA®
  • Home
  • About
  • Courses
  • Bookstore
  • Glossary
  • Contact

  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Copyright © 2006-2023 Archistry Incorporated or its affiliates

"Archistry", the stained glass window logo, "Pragmantix" and the Pragmantix™ logo, "Archistry Execution Framework (AEF)", "Archistry Execution Framework, Cybersecurity Edition (ACS)", "The Agile Security System", "The Agile Business System", "Baseline Perspectives", "Architecture Wall" and "Archistry Execution Engine" are trademarks of Archistry Limited.