Since my last email was a bit of musically-inspired guidance on what not to do as a security architect, I thought I’d continue the theme today with probably the best, most direct – and most effective – advice I’ve ever heard about the practice of architecture from a band called Rush.
The lead track of their 1989 album Presto (featuring a whole load of long-eared varmints on the cover) is a song called “Show Don’t Tell,” and it pretty much sums up the attitudes we face outside of security, and even outside of people who understand architecture:
“How many times do you hear it?
It goes on all day long.
Everyone knows everything
and no one’s ever wrong
…until later”
That kind of skepticism – or even outright cynicism – that security “knows everything” is often one of the biggest barriers we face to doing the work we want to do. And even within our own teams, we can get the “why do we need architecture at all?” vibe because, after all…
…we have all that “best practice” lying around along with all those “critical” controls that surely tell us what our job is about.
How could anything labeled “best practice” or “approved controls” ever be wrong?
…until later…when it is.
Maybe it’s “wrong” because it costs too much.
Maybe it’s “wrong” because it’s not practical given where we are right now.
Or maybe…
Maybe it’s “wrong” because it actually stops the business from doing what it needs to do.
One of the problems with security to non-technical people – and even, or especially, architecture – is that it’s generally intangible. It’s not something you can touch or kick…and even if you pay money for it, you still have a hard time proving you got what you paid for.
We can talk all we want about the potential value of reusable architecture…how it’ll make our lives easier…how it’ll make security more responsive…how it’ll make us more efficient.
However, the reality is that when you have an idea…or a promise…
It’s not yet reality. You can’t guarantee its value.
To turn an idea or a promise into reality requires at least two things:
It requires faith or the belief that it can work…
…and it often requires proof.
So, in the absence of sufficient faith or belief in the value of something, the faster you can actually prove it – even just a little bit – the faster you can increase the faith and belief of even greater value.
Show me. Don’t tell me.
Because this is ultimately at the root of all the conversations between architects and “the others” about whether they get to do architecture or not. The architect believes in the value. “The Other” is skeptical.
They’re not convinced.
And, from the conversations I often have with other architects…neither are we. At least, we’re not convinced enough to do it anyway. Our faith and belief in the value of doing the work falters.
So when we don’t believe…or we haven’t been able to prove this – even to ourselves – our architecture efforts are minimal.
Or, worst case, they die.
When they die, we’re treated to a whole world of reality that we’ve probably been trying to avoid. A reality of too much stress. A reality of not enough support. A reality of too many requests to handle.
Why too many to handle?
Maybe it’s because we treat them all the same. Maybe it’s because we can’t find the leverage to work them in parallel. Or maybe it’s because each one starts with a blank page.
The *actual* reality is that the value of architecture isn’t that hard to demonstrate—if you know how. The problem is that we often don’t, and we’re preventing that from happening because we’ve lost faith that, regardless of anything else, if we do create architecture, it’ll make things better—even if it’s only selfishly for ourselves and the work we do as individual contributors.
But the secret is how to know where that minimal bar for value actually sits. Where is that point where we truly can “show, don’t tell” the value of what we’re capable of doing
…for ourselves…
…and for our organizations?
After 14 years of working with SABSA and building security architectures for real projects and helping many organizations around the world do the same, I’ve come up with what I believe (there’s that word again) is the best way to quickly show value…not only of architecture, but to then use that architecture to clearly illustrate the value of security to the organization overall.
And I’m ready to teach you what I know and how to do it as part of the next cohort of our 7-week, Building Effective Security Architectures learning experience starting exactly 2 weeks from today on February 24th.
But I can’t do that if you’re not registered, and the time to do that is getting shorter each day.
So to fix that and make sure you can start to apply aspects of The Agile Security System™ to your own work – potentially after even the first week of the program – you need to go to this link:
When you’re there, you need to read the page, scroll all the way to the bottom, and click the big yellow button.
I believe I can help you become a better security architect. I believe that you can become a security architect capable of easily demonstrating not only the value of architecture, but the value of security itself. And I believe that you can do it with a lot less effort than you might think.
Do you?
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive