“Come on tell me who are you
Oh, I really wanna know”
If there were ever one song that captured the essence of what we do in security, I'd have to give it to the classic "Who Are You" by the Who, especially after the deep dive into authentication and access control I did recently for the June newsletter I mentioned last week. It's a song I've been listening to for years, well before the 1988 release of "Who's Better, Who's Best" that I bought around that time.
One of the things you quickly learn when you're first exposed to SABSA is that there's a lot more to security than the traditional CIA triad you focus on so heavily for the CISSP exam. Sure, those three things are important, and there are generally even attributes defined for them, but at the end of the day, security comes down to decisions about who does what, to whom, and how often. And it's all implemented as binary decisions based on who you claim to be, how much I believe you, and, if I'm inclined to believe your claim, whether you're actually allowed to drink the milk out of the big jug in the refrigerator or not.
In our house, the answer is a flat-out no—no matter who you are. But in your house, the answer may well differ.
And it differs because different things are important to you…wait for it…
…based on who you are…
…and who the other person (or thing acting on behalf of some other person) claims to be.
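Those three questions (who you claim to be, how much I believe the claim, and whether that who is allowed to do this thing in this particular house) are separate decisions, and it helps to see them kept separate in code. What follows is an added example, not code from the original post or from Archistry: the two household policies, the three-level assurance scale and the fridge "resources" are constructed for illustration, and the decision logic is a plain default-deny policy decision point, not any particular product's.

```python
"""Added example: an access decision as three separate questions.

Constructed for illustration; the households, rules and assurance
scale are not from the original post.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """How much I believe the claim, based on how it was proven (constructed scale)."""
    NONE = 0   # a bare assertion: "trust me, I'm a parent"
    LOW = 1    # something shared: knows the house Wi-Fi password
    HIGH = 2   # strong proof: physically standing in my kitchen


@dataclass(frozen=True)
class Claim:
    """Who you claim to be, and how far that claim has been verified."""
    subject: str
    assurance: Assurance
    on_behalf_of: Optional[str] = None   # a thing acting for some other person


@dataclass(frozen=True)
class Rule:
    """One 'who may do what, to what' grant, plus the belief it demands."""
    subject: str
    action: str
    resource: str
    min_assurance: Assurance


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # which of the three questions settled it, for reporting


# Constructed policies for two households: the post only says the answer is a
# flat "no" in one house and "may well differ" in yours.
HOUSEHOLDS = {
    "archistry": [],   # nobody drinks from the big jug, whoever they are
    "yours": [
        Rule("parent", "drink", "milk-jug", Assurance.HIGH),
        Rule("parent", "open", "fridge", Assurance.LOW),
        Rule("kid", "open", "fridge", Assurance.LOW),
    ],
}


def decide(household: str, claim: Claim, action: str, resource: str) -> Decision:
    """Default-deny policy decision point: three separate questions, in order."""
    # 1. Who are you? A delegate is judged against the principal it acts for.
    who = claim.on_behalf_of or claim.subject

    # 2. Whose house is this, and does any grant here cover this who/action/resource?
    #    An unknown household has no grants, so the answer is no.
    rules = HOUSEHOLDS.get(household, [])
    matching = [r for r in rules
                if r.subject == who and r.action == action and r.resource == resource]
    if not matching:
        return Decision(False, f"no rule lets '{who}' {action} '{resource}' in '{household}'")

    # 3. How much do I believe you? Grants combine additively, so the least
    #    demanding matching grant decides; the delegate's own assurance is what
    #    counts, since it is the delegate's claim I am being asked to believe.
    needed = min(r.min_assurance for r in matching)
    if claim.assurance < needed:
        return Decision(False, f"'{claim.subject}' believed at {claim.assurance.name}, "
                               f"rule needs {needed.name}")
    return Decision(True, f"'{who}' may {action} '{resource}' in '{household}'")


if __name__ == "__main__":
    cases = [
        ("archistry", Claim("parent", Assurance.HIGH), "drink", "milk-jug"),
        ("yours", Claim("parent", Assurance.HIGH), "drink", "milk-jug"),
        ("yours", Claim("parent", Assurance.LOW), "drink", "milk-jug"),
        ("yours", Claim("kid", Assurance.HIGH), "drink", "milk-jug"),
        ("yours", Claim("fridge-app", Assurance.LOW, on_behalf_of="parent"), "open", "fridge"),
        ("yours", Claim("fridge-app", Assurance.LOW), "open", "fridge"),
    ]
    for h, c, a, r in cases:
        d = decide(h, c, a, r)
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The point of the `reason` field is the reporting side of the argument: a denial that says "believed at LOW, rule needs HIGH" tells the people you support something different from "no rule for kid to drink milk-jug", even though both are just a zero at the enforcement point.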
That’s the context of security that so many organizations I’ve encountered tend to gloss over. Maybe it’s because they don’t know how to ask. Maybe it’s because they know what to ask, but they can’t get anyone to meet with them.
Or maybe it's because their organization has a compliance- or control-based view of security that places more emphasis on demonstrating you've turned your controls up to 11 than on ensuring that the controls you actually put in place enable and protect the business in meaningful ways.
That last bit is why there are more than three attributes in a SABSA security architecture: there are potentially many different things you're going to need to measure and report to the people you support in order to earn the credibility and trust that lets security transcend the traditional labels of the Department of No and the Policy Enforcement Police...
…which most definitely gives a whole other spin on getting a PEP talk, now doesn’t it?
But maybe you don't believe me. So let's take a walk together through some attributes. Generally, there's a set of 50 to 60 that have come up regularly enough in my own security architecture work for me to isolate them and establish consistent definitions. And, depending on the threat and control frameworks you use, you might have many more.
For example, my latest analysis of the CIS 20 controls defined 47 unique attributes, VERIS impacted or implied another 27, and a further 48 attributes came out of the recent CSA Enterprise Architecture analysis I did for April's newsletter about cloud security.
However, what matters most isn’t the number of attributes you might identify—it’s how you define and use them within your security architecture.
That doesn't change the fact that what you need to do as security is answer the "who are you?" question, though. The focus of the question just shifts as the capability you're trying to measure gets more complex and the further you get from the CIA triad.
What’s an attribute like “Ethical” got to do with access control, you might ask?
In this case, it comes down to clearly identifying a set of whos and the specific access control decisions that need to be made to deliver it:
- Who decides the definition of “ethical” behavior?
- Who’s going to enforce that definition?
- Who’s going to define the acceptable evidence of whether any instance of conduct fits the rules?
- And, ultimately, are you a who that's actually allowed to do what you're trying to do?
Because each one of those ultimately depends on a well-established access control system within the scope of the capability itself.
The thing is, we just don’t tend to think about it that way.
Which brings me to another question I tend to get asked from time to time:
Why do you offer a coaching and mentoring program about security leadership instead of more traditional “security consulting” types of services?
The answer is that Archistry does, from time to time, offer more traditional security consulting and "done for you" types of services. But what I've found over more than a few years of doing that kind of work is that...
…if you don’t change or expand the way an organization’s security team fundamentally thinks about the job they’ve been hired to do first…
...then any "security work" done by anyone (me, you, or any other company you can think of) is generally only a short-term solution at best, or quickly forgotten or replaced at worst.
So the epiphany I had at some stage was that the real value I can add in helping you address your security problems is bringing in all the experience I've had doing it wrong, seeing it done wrong...
...and ultimately figuring out what tends to work more often than not...
...and then helping you figure out the best way to leverage that knowledge and experience yourself, in whatever role you have, to tackle the problems that stare at you with red, glowing eyes from the ceiling at night when you just can't seem to sleep.
Because that’s how lasting change happens. It has to happen from the inside. It can’t be something someone does for you—although, clearly there’s a time and a place for that too.
But, most of the time, I’m happy to let someone else worry about that stuff.
So if you’re not getting the results you want in your security program, and you’ve been through the exercise of systematically changing the people, the processes and the technology you use…
…maybe it’s time to think a bit differently about the problem you’re trying to solve.
And maybe I can help you do just that as part of our Effective Security Leadership coaching program.
If you’d like to talk about it, you can set something up using the big, yellow button at the bottom of this page, right here:
https://securityleadershipcoaching.com
But…if it’s not for you, then that’s ok too. It’s not for everyone, nor is it for every organization. You’ve gotta be ready…
…and you’ve gotta be committed to making a change—even if that change is just in the way you, as an individual, decide to tackle the job you do.
If you're not, then it's going to be a disastrous waste of your money and both of our time.
“I really wanna know
Oh, I really wanna know
Come on tell me who are you, you, you, you”
And who do you want to be?
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive