Yesterday, I mentioned going through all those reference architects and architecture examples. And another thing I found was something else I really don’t like:
The assumption that deploying a control library is all the “security architecture” you really need.
Obviously, if you’ve been around for long enough, you know this is true. Control libraries are…well, they’re essentially pick-lists or checklists of controls you MIGHT use, but they’re not architecture. Architecture is something that’s kinda like the Force.
It’s all around us, whether we recognize it or not.
And, each and every single one of those control libraries coming out of the woodwork has one too—but it’s probably pretty opaque to you, especially if it hasn’t been engineered from the perspective of building a business-driven security program.
However, that assumption isn’t the worst part about our gravitation to control libraries. And the worst part has to do with the way our brains have been conditioned to react through thousands of years of survival…
…and the general “status quo” bias that makes us inherently resistant to change. And, the older and more crotchety I get, the more I think that security people self-select for their natural aversion to change.
Or…maybe it’s just me.
Anyway, the sucker-punch to our architecture comes from being presented with pick-lists of thousands of controls, often mistakenly marketed as “the answer” to all your cybersecurity challenges, or worse…“the security architecture” you absolutely must toil day and night to deploy in your organization lest you be deemed a leper-like outcast from “the kool kids” who eat, sleep and poop security control code in binary.
Because, after all, assembler’s for wussies.
So, here we are, presented with a smorgasbord of controls tantalizing our security taste buds and causing us to salivate with the “control greed” I talked about a while back.
And the sucker-punch comes when we’ve lovingly reviewed all these controls, have committed their descriptions to our subconscious…
…and there’s no way in hell we want to do anything like leave any one of them out. Of course we need them all. How could we possibly give them up? (Loss aversion.)
I mean, after all, somebody went to all this work to work out what this set of controls should be, and they’re all derived from all those menacing security and compliance regulatory requirements and best practices…
…so, we energetically chant “This is the way!” from inside our Mandalorian helmets we can never take off lest we get cast out.
And that, boys and girls, is the exponential combination of loss aversion (“don’t take my controls away from me”) and aversion to change (“there’s already a perfectly good security architecture right there, why screw around with it?”).
The result of this 1-2 combination is that your attempts at true architecture find themselves flat on their back on the canvas, staring into the far too bright lights of the arena, hearing the management team slowly count the days where you haven’t yet delivered a rubber stamp of “Security Compliance” for their pet projects.
It’s a nightmare. But it’s a nightmare we have to face if we want to move past it and develop truly business-driven security architectures with the minimal amount of complexity possible.
We need to learn this skill too…this ability to stare deeply and unflinchingly into the eyes of our deeply powerful psychological reflexes of loss aversion and fear of change…
…and tell them to take a hike. We’ve got work to do, and that work may or may not involve some, all or none of your current favorite control library.
But how do we know what’s right?
How do we develop those skills to stare down our subconscious and still do the right thing—even under pressure, and still have the confidence that this is truly “the way” to enable and protect our organizations?
Like most things, there’s a hard way…and an easy way.
The hard way is to keep throwing yourself against…well, yourself. Until you’ve finally been able to not only master the psychology of short-circuiting that sucker-punch, but you’ve also acquired the skills, knowledge, experience and…PRACTICE to justify the confidence you might otherwise encounter dressed in the auspices of arrogance.
You’re probably better than me, but it took your narrator decades to really get to the point where I don’t have to think much about this stuff anymore, and probably at least 5 years before I actually felt confident enough in what I was doing to cut my own path.
Which is fine…if you have 5, 10 or 15 years before you might feel confident to tackle the problems that are facing you right now—especially with all the craziness and uncertainty in the world today.
Or, there’s the easy way. You can leverage everything I’ve learned in 2 decades of professional experience and 15 years doing security architecture, and you can get all that knowledge and experience packaged in a nice, silver box that all you need to do is open your mind, soak it in…
…and complete all the exercises and assignments that are part of cementing the theory into concrete, reliable skills that you’ll be able to use nearly immediately.
All you need to do to take the short-cut is make sure you’re part of the upcoming July cohort of the Building Effective Security Architectures program. It’s 7 weeks, which might seem like a lot—however, that’s the minimum in which I’ve been able to cover the material I’ve seen missing in many of the security architects and heads of security programs I’ve met over the years and still give you the chance to practice it in a safe environment with review, feedback and suggestions from your living, breathing fellow members of the cohort—plus me, each week on our live Q&A calls.
To join us, visit this link:
And, if you want to do it for the least amount of investment possible to truly shoot your ROI through the roof, you’ll need to make this decision in the next 3 days, because at midnight on Sunday, April 19th, the price goes up by $1,000, and you’ll have missed out on a pretty significant $2,000 discount.
But, maybe that’s ok. Or, maybe, you’re not even interested in the program or becoming a better security architect, building a reliable backbone for your entire security program, and being able to get more done in less time.
All big claims, I know. And I’m not forcing you to believe me. Nor am I forcing you to join the cohort at gunpoint, by mental manipulation or any of the other crap that would basically fill the cohort with a bunch of people who weren’t really interested in doing the necessary work, would end up letting everyone down because they didn’t participate, and might even need me to forcefully eject them from the program because they were slacking off.
Believe me, one, two or even twelve seats of wasters isn’t worth the revenue at the expense of screwing up the experience for the people who want to be there. I’ll be just fine either way.
So, we’re fast approaching decision time. Are you in?
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive