I’ve been looking at a lot of “security architecture” recently, including some live, organizational architectures, some “off the cuff” things that I’d call security architecture “sketches”, and some formalized, published reference architecture models. And it hit me when I was taking a break, sitting in the fleeting sunshine this afternoon and listening to some Jimi Hentrix, that there’s a whole lotta confusion out there about what security architecture really is and what it’s supposed to do for you—and your organization.
I was sitting there, birds chirping, and frustrated. I was really frustrated because I actually can’t figure out why this problem is so pervasive.
And in the background, Mr. Hendrix was singing:
“My heart burns with feelin’ but
Oh, but my mind is cold and reeling”
And I swear I heard, in my warped mind, Jimi say next:
“Is this architecture, baby,
Or is it confusion?”
Of course, that’s not really what he said. The title of the song is “Love or Confusion”, which is what he was talking about.
But damned if I didn’t hear what my mind was fixated on.
So, maybe that’s the root of the confusion about security architecture too. We’re so fixated on the “cyber” and the threats, and all we see – day in, and day out – are library after library of controls…
…and the maturity models rating us against how many of those controls we have.
I guess it’s inevitable that we’d be led to believe that it’s all about the controls and how many we have…
…instead of worrying about why the hell we might need them, right there, in the first place.
If we want to call ourselves “security architects”, then it’s gotta be about more than just shuffling cyber control Lego bricks around the organization – and in the cloud – trying to follow the instructions to get them in the right place.
If we do that, we’re implementing someone else’s solution—and, let’s face it, there’s not a whole lotta thought required beyond the cybersecurity equivalent of:
“Honey, do you prefer the sea foam or the mint meltdown?”
And it’s a problem, because far too often, all that guidance on what THE security architecture should be…
…is based on nothing more than a checklist of regulatory and industry guidance.
What we tend to forget is that architecture is about innovation…that there’s more than one way to skin the proverbial cybersecurity cat…and that if we’re not trying to innovate because we’re forced to problem-solve based on the real constraints required by our real security customers –
That’d be “the Business”, not the auditors –
Then we’re not really doing architecture at all. We’re confused, so it’s no wonder that whatever we produce is going to be confused as well.
We need to boldly engage with our customers, to seek out new constraints and new requirements where we’ve never gone before. Because constraints are what architecture’s all about.
Not control libraries.
Not “best practice.”
It’s about creatively solving problems so that the business can do what it needs to do as safely as possible. And it’s about having the confidence to tackle these challenges because you know you have the architecture chops to do what it takes to find a solution.
These are indeed the voyages of the starship Security Architecture.
But maybe…just maybe, you’re feeling like a stowaway on that ship. Maybe you don’t have the confidence to engage our real security customers. Maybe you don’t have the background and knowledge to ask the questions that will turn on “the Discovery Channel” and allow you to deeply understand the worlds of the customers you’re trying to protect and enable.
Or, maybe, you’ve missed the boat completely, because you don’t have the opportunity to do architecture—even if you did have the skills. Maybe you’re too busy always getting pulled into operational and technical discussions rather than being able to think strategically and deliver real value.
Maybe it’s something else. Only you know.
I sure don’t.
I do know what I’ve seen in other organizations, and I do know the kinds of challenges that keep popping up with person after person that I work with in our coaching and mentoring program.
And I do know that if you’re serious about addressing any of the points I mentioned above, to dispel the confusion, and lead your organization on a path to business-driven security architecture, there is a way to condense 14 years of practical experience and hard knocks into a 7-week program where you’ll learn how to start from anywhere…
…and any arbitrary sentence you will ever see, hear or read…
…so you can start from anywhere at all and effortlessly engineer that critter into the 3 core elements of a full-blown SABSA security architecture—and do it at whatever scope you’re trying to tackle.
The program is called Building Effective Security Architectures, and it does exactly what it says on the tin: teach you what you need to know to be an effective security architect, by going back to basics, by learning how your customers think, by learning the right way to build security architecture – almost by accident – and by learning how to integrate your architecture efforts into Agile, DevOps and traditional delivery processes.
All in 7 weeks.
Starting on the 6th of July.
To find out if it really is for you and whether you’ve got what it takes to complete the program, just visit this link:
And if you register between now and Sunday night, the 19th of April at 11:59pm US/Eastern you get to take a nice, juicy $2,000 bite out of the normal price of the program.
Maybe it’s for you, and maybe it’s not. Only you can decide that. But the door’s open if you want to come in, clear your confusion, and get busy enabling secure business success.
Andrew S. Townley
Archistry Chief Executive