I get it. I really do. The old saying of “You can lead a horse to water, but you can’t make him drink,” seems to be one of the most frustrating truths in security. I remember on one particular, highly politicized, multi-vendor public sector project I was on, it was enough to literally make me have to walk around the building from time to time. Eventually, my take on it became…
“Oh…look at all the drowned, dead horses lying around!” because no matter what you did – or how thirsty they were – they just wouldn’t pay attention.
It gets you to the point where you feel like one of those crazy super-villains in the movies breaking into someone’s kitchen, grabbing their cute and fuzzy, chocolate brown Labrador puppy, putting a gun to its head, and demanding, with wild eyes and spiky greasy hair:
“Read the policy—or the puppy gets it!!!”
Which, of course, doesn’t do great things to either:
- our credibility within the organization and especially with the people we’re supposed to be supporting and keeping safe; or
- their willingness to actually voluntarily read and be guided by said policies the next time they’re trying to run a project.
In fact, what we’re really teaching them to do – through negative reinforcement – is to avoid us at all costs, make sure we never get any money because of the trouble we cause, and lay out the red carpet to uncontrolled and unmanaged cloud IT service providers.
In short: it’s a real pisser.
But sometimes, as I know very well myself, it seems like it’s the only option we have open to us…
…or is it?
What if:
- we could create security documentation people actually wanted to read (or, at least, didn’t recoil in horror from as if it were a 3-meter black mamba looking them eye-to-eye);
- we could cut the volume of security documentation so that our customers didn’t feel like we were dumping an entire, dusty, physical, leather-bound set of all 17 volumes of the Encyclopedia Britannica on them every time they “just wanted to access a website”; or even
- we could actually avoid the whole security documentation question entirely by having the confidence the controls required for the solutions the organization needed were automatically being included in the infrastructure configurations (and had the monitoring and reporting capabilities in place to ensure this was so).
Well, maybe we can, and maybe we can’t. And I know for sure that without deeper knowledge of your organization’s business, your technology environment, your organization’s approach to risk and a whole host of things—including the security vendors and components you already have…
…I don’t have a hope in hell of doing it.
But you might—because you probably know all the things on the laundry list I just rattled off already. However, what you might not know is how to take all that information, organize it, prioritize it, model it and communicate it…
…in a way that gets the people you support ACTUALLY believing you’re on their side, and you’re working in their interests, not just your own.
And THAT means, you actually start getting things done.
You start getting your budget.
And you start getting the new team members you’ve been begging for for months…
…all without harming one soft, chocolate brown hair on the head of any puppy used in the writing of this email.
So if you don’t know how to do all those things, then this is precisely why I created the Building Effective Security Architectures education program—and it’s also why I made it 7 weeks long instead of a typical 3-5 day, in-person “training jolly” where other people in your organization think you go to wine and dine on the company tab.
But you won’t know if it’ll work for you unless you’re part of the cohort, because no matter what I say, or what anyone else says about it, it ultimately comes down to whether you’re ready to do the work and develop practical skills in applying SABSA to develop truly business-driven security architectures that will even traceably show your DevOps infrastructure is aligned with the dusty, old and boring security policy that applies to the rest of the organization.
To find out, you’re going to need to visit this link and register for the next cohort starting the 24th of February:
Or, maybe the “puppy strategy” is your next best option…because sometimes, it’s all we’ve got left.
Either way…
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive