Yesterday, I was having a variation of a conversation that I’ve had with loads of security leaders and architects in various parts of the world over the years, and it’s a conversation that centers around how to “find the time” to be more strategic in your security architecture efforts.
There’s a couple of things at play here, and the first one has to do with “finding the time.”
We all have the same 24 hours in the day, and if we follow Arnold Schwarzenegger’s recent advice to “sleep faster”, that leaves us with about 18 hours during the day, at least 8-10 of which is generally focused on our jobs.
So we have to ruthlessly prioritize, and we have to have a focus, otherwise, we’re not going to make sure we get the most out of those hours we put in. If we have a goal of being more strategic, then that directive has to be woven in to everything we do every day.
It comes back to the mantra I’ve adopted this year of “we can only control our activity and behavior.” Anything else, we can only influence.
The second thing is that we’re basically spoiled by the way we think about things today. We live in a disposable society—everything from diapers to dresses are basically made for single or short-term use, and that’s how we think.
Want to grab a breakfast at an average US hotel? Of course, you’re going to be given plastic forks and paper plates and cups.
What a change from the late 19th and early 20th century where people were very creative with whatever they had. For example, when my mother was a child, she and her dolls wore dresses made from the feed sacks they bought on the farm. In fact, she’d go to the store to pick out which one she wanted as a little girl, because they came in different patterns.
Earlier than that, when blankets, dresses, shirts, and pants were worn out, the parts that weren’t were recycled, and they were used to seed the social circles of midwestern housewife activity: making patchwork quilts.
Nothing was thrown away. It was just stitched together in a way that suited the larger objective.
In the case of a patchwork quilt, it was to keep warm in the cold midwestern winters.
In the case of our 11th hour tactical architectures, what are we doing now?
In many cases, we’re focused too closely on THE project or THAT problem or THIS risk, and we miss an opportunity to be strategic—even when we’re working tactically.
It’s why the first principle of The Agile Security System™ says:
“Every security decision we make – every day – is intended to deliver our mission and purpose as security.”
What is that mission and purpose?
It’s to allow the organization to deliver its own mission – whatever it is – as quickly and safely as possible.
In practice, what this really means is that every time we’re drawing boxes and connecting them with lines to talk about the impact or the security recommendations of something, we need to be able to place them somewhere on a map of the organization’s world.
…which is kinda hard if you don’t have one, because then you get sucked back into Catch-22 land where you’re trying to “find the time” to figure out what’s important to the organization.
That is, you have this problem if you’re not using The Agile Security System’s Baseline Perspectives™. Because there’s a standardized, yet not too constraining, domain model that represents what my 14 years doing security architecture tells me is important to understand about carving up an organization from the view of itself. That’s the Enterprise Baseline Perspective.
And then, there’s a set of boxes and lines that talk about how any organization relates to the outside world, both friends, foes and John Q. Public. That’s the External Perspective.
And finally, for our DevOps teams, there’s a service-specific slice through the Enterprise Perspective that narrows the scope of each of those core domains to the specific requirements and elements used to deliver any given service or service family you’re going to build. That’s the Service Perspective.
So if you have that picture, then you know where every piece of the puzzle you’re solving fits within the bigger world of your organization and the value propositions it delivers to its customers.
But only if you have a system.
For the next 3 days, you can get the full story of how to build your own patchwork enterprise security architecture, one piece at a time and without channeling a 19th century midwestern housewife, for 95% less than you could learn these skills as part of our flagship online training courses and coaching programs. In real money, that’s over $4,700 less than it’s ever been available before.
Because I’m writing a book about it called The Definitive Guide to The Agile Security System, and you can pre-order it now for $247 using this link until 11:59pm on October 31st:
It will ship sometime in the middle of January, and it’s going to be only available as a printed book—but only if there’s enough interest and we get 10 pre-orders by the end of the month.
It will give you everything you need to start building architectures faster and more consistently than you’re likely doing right now, and by using the 7 principles and 14 practices, you’re going to build a habit of security architecture, not just trying to follow a process.
That means that you’ll be able to build security architectures on a 30 minute phone conference during an incident response, starting from the tippy-top of your organization’s business strategy or down in the weeds of a project charter for a low-level infrastructure upgrade. And there’s going to be a full set of annotated architecture examples for the enterprise, project and working from your security policies as part of it.
You’re also going to get some bonuses that are separate resources you can use as your build your own architectures following the process integration patterns for the typical SDLC and Agile/DevOps delivery methodologies you’ll find in the book.
Bonus #1 is a fully-engineered set of SABSA attributes and domains extracted from the latest version of the CIS20 control library. You’ll get the coverage map of these controls in terms of the Baseline Perspectives, you’ll get a list of services, you’ll get a list of mechanisms, and you’ll see how this control set really aligns with the SABSA policy architecture layers and the architecture framework itself. It’s ready to pick up and integrate into your own efforts for those of you relying on this set of controls.
Bonus #2 is an additional set of 55 SABSA attributes that are part of the Archistry Execution Framework’s Reference Architecture. You get the definitions, their candidate mappings to the Baseline Perspectives and the attribute aggregation graph you can use as the starting point or as a comparison reference for your own organization’s set of unique attributes.
Bonus #3 is a set of stencils for Visio, OmniGraffle and draw.io that you can use to standardize your security architecture models, including instances that correspond to the Baseline Perspectives, the 55 attributes of the AEF Reference Architecture, and the inter domain and security association relationships, risk events and attack vectors I’ve found useful in my own work.
But you might not need it, if you’re rolling all these things yourself. You might already have seen parts of what will be in the book and bonuses as part of either our print Security Sanity™ newsletter where the Agile Security System first appeared or our online training courses—or even in some of my recent COSAC presentations.
Or you just might not care. You might think it’s not relevant, or that it’s too expensive, or that I don’t really know what I’m talking about.
And you’re probably right. These things may very well be true for you.
If you do want to be more effective, consistent and faster when you create security architectures that really do fit together into the bigger picture of your enterprise security architecture…
…automatically, and without extra effort,
or you do want to be able to read any phrase or sentence and immediately convert it into potential elements of your security architecture,
then now’s the time to decide to take action. If we get the necessary pre-orders, book will only get more expensive as we get closer to January, and, in particular, the pre-order price will go up by $100 on the 1st of November, and it’ll be almost $500 by the time the book ships.
Nobody can decide but you.
If it’s yes, then high-tail it over to this link with your credit card right now:
If it’s no, then that’s totally cool too. There’s still plenty of tips in the regular emails that I hope will help you build a more effective security program.
Andrew S. Townley
Archistry Chief Executive
P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com