One of the other big problems I see when I’m working with clients and customers is a lack of discipline in how they structure their risk assessments. They’re all over the place, and they smack of all the problems we talk about during the SABSA Foundation course:
- They’re highly subjective
- They vary greatly in structure and scope
- They aren’t well targeted
- The scenarios are insanely complex
And the ultimate example of this is the type of risk scenario that is basically best read with the R.E.M. song playing in the background…
“An attacker uses a tinfoil hat, a coat hanger and your grandmother’s cat to compromise the dishwasher in the canteen which is somehow connected to the financial accounting system and results in them transferring 100 billion dollars into their personal bank account, causing the company to go bankrupt, cats and dogs to live together, and the general end of the world as we know it takes place. So long, and thanks for all the fish.”
Aaaaannndddd I feeeeeeel fiiiiiiiiiiiinnnnnneeee.
So here’s a solution to that nonsense. The mystery final bonus is an augmented version of the VERIS threat taxonomy, mapped to the Baseline Perspectives, the Reference Architecture Attributes and a few examples on how to model end-to-end threat scenarios with ASML™ that show the targeted domains and attributes and the relevant controls that probably do the business of mitigating most of what happens.
This is Bonus #5 of the whole package of how to build better security programs through actionable architecture and the principles and habits you need to develop to actually get it done.
It’s all presented in detail in the book The Definitive Guide to The Agile Security System™ that you can get right now for $247 by using this link:
And if…
…which is still a bit of an if…since we haven’t yet quite gotten across the line with the target pre-orders…
…if the stars align and enough people think this is worthwhile, it’ll ship in mid-January with a $497 price tag—for exactly the same stuff you can get for a few more hours for almost half that.
Assuming we get the orders, the price goes up tomorrow by over $100.
And if we don’t, then I get to refund everyone else’s money.
By the time you read this, we’re probably talking 1…or maybe 2 orders remain to make this whole thing come alive and see the light of day.
Basically, it’s everything I’ve learned in 14 years applying SABSA in real organizations for real projects and advising consulting customers and coaching clients around the world what to do to make this stuff work to build better, more aligned, and therefore, more effective security programs.
If you want the inside scoop on the architecture and security program poop, then here’s the link again:
If you don’t, well…you don’t. And that’s ok too.
I’m out to make a difference in the lives, careers and security programs of those people who want to strive to do their best work. If what I’ve learned across technology, startups, sales, marketing and living and working around the world can help move that objective forward, then that’s good enough for me.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com