This evening, my wife and I finally got around to watching Laundromat. If you haven’t seen it, it’s really quite good—along with the similar series on Amazon Prime about the international financial system.
And, it’s partially narrated by the most recent voice of both Zorro and Puss…in Boots, so really, what’s not to love?
As you might remember, the upcoming December issue of the print Security Sanity™ newsletter is all about understanding the security governance of your organization. The thing is…
…you can’t understand what security governance is supposed to mean if you don’t really understand what the governance structures of the organizations we’re trying to protect actually are. I mean really…how many times have you felt like a lawyer digging through the Panama Papers, trying to pin the corporate owner on the shell company, when you were really just trying to get someone to admit they have a vested interest in some kind of logical or physical organizational asset so they could definitively – and rightly – tell you what the hell its value was to the company overall?
*sigh*
It’s tough, because, like the Russian-doll inspired morass of shell companies described in the film, where each one was owned by another, and controlled by some other kind of entity who nobody seemingly owned until you got the guy in the airport with the two wives, 4 kids…
…and a rrrreeeeeeaaaaaaallllllyyyyyyyyyyy bad day…
Understanding the actual agreements that get things done and drive the complex organizations we’re trying to protect is a really tough problem.
A problem that, unless you’re equipped with an understanding of human interactions, psychology and the ways those can be codified and automated…
…you might be (somewhat) forgiven when you do the emoji shrug and say, “It’s just another one for the ‘too hard’ bucket.”
Thankfully, we don’t have to kill ourselves trying to figure out how to figure out (and then document) the complexities of organizational behavior we really need to understand if we want to fully comprehend the potential impact and risk exposure of cyber and information security events to our organizations.
You just need the proper tools to allow you to think about this…
…and then you need to have a standardized way to draw some pretty pictures you can use as the basis of trying to communicate, validate and then document “that which must be protected” in our organizations.
Because if nothing talked to anything else, and nobody needed to interact, and people didn’t produce and consume information without even an errant conscious thought, we wouldn’t have any security problems at all, and we’d be out of a job…
…or maybe growing bananas in Panama or something.
Fortunately, SABSA gives us those fundamental tools we need in terms of attributes, domains and a standardized governance model.
Ah, young Jedi…yes. Yes, you think you understand the ways of governance, and you think you understand the way the governance forces that bind the organization together flow from the trees…to the servers…to the cloud…to the people…
…but you might not.
If you don’t, and you struggle to untangle the generally convoluted, overcomplicated and poorly defined governance structures of the modern organization in a way that you can – hand on heart – have a hope in hell of confidently saying you can protect and enable…
…then that’s where the December issue of the print newsletter might be able to help. It takes my somewhat aggressive view of “domains everywhere” and the interactions between them as an extension of the psychological and transactional interactions inherent in our behavior as humans, and gives you a way to lay them bare, expose them to the world, and…most importantly…show they’re protected.
If you want to get 20 (or more) pages of prose dedicated to what security governance is really about instead of just making sure all your controls are arranged in neat little lines with colored, adhesive labels on them, then I suggest you might want to mosey on over to this link:
and make sure you subscribe before the end-of-November deadline. After that, you’ll have missed your chance—especially if you didn’t jump on the discounted book promotion a couple of weeks ago.
Even if you did, it’s not going to be the same as the book, because that’s the beauty of the newsletter. You get some focused, topical coverage in one digestible dose you can immediately deploy in your own daily work.
If you want it, then I thank you. If you don’t, then I thank you for reading this far. Either way…
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive