The way I see it, the ultimate litmus test for whether your security architecture is up to the job boils down to the answers to these two questions:
- Does it enable the right decisions to be made by the right people to keep the organization safe?
- Does it document the existing decisions in sufficient detail to enable and support everyone else?
If you can’t answer both of those questions in the affirmative, then whatever you’re doing regarding security architecture isn’t really getting you the results you need to build an effective security program.
But that, in and of itself, might be just another problem.
What do we mean by “effective” anyway?
Do we mean that we’ve reached a given magic maturity level like I talked about the other day?
Do we mean that we’ve completed a Security Architecture Bingo card like the 36 cells of the SABSA matrix…
…or implemented all the controls in something like CIS20, the NIST CSF or ISO27001?
Do we mean that we can show we’ve adopted “industry best practice” frameworks, controls, standards and methodologies?
If we’re focused on the wrong goals, then we’re going to build the wrong enabling infrastructure. If we’re just chasing security bingo for control implementations, then someone might rightly think that if we’ve got all the tools…and we’ve learned all the tactics…
…then we’re “effective” and we’ve laid the right groundwork, and “security architecture” is just the way we’ve deployed our controls in our infrastructure, so…
…if that’s what it is, then what’s the big deal?
We know we have infrastructure…
…and we know we have all the controls for all that infrastructure – or at least we know where the gaps are –
So tick the box, turn out the lights, and the first round’s on me!
Or not.
In my world, building an effective security program means that you have a security program that delivers the mission and purpose of security:
“To enable the organization to deliver its mission as quickly and safely as possible.”
And the best way I know after 25 years of professional experience to do that is to make sure the foundation of that effective security program is an effective security architecture that satisfies the above two criteria.
Those decisions may need to be made by security people, e.g., which controls are the recommended baseline for this kind of software solution.
Or those decisions may need to be made by business people, e.g., what are my existing options for connecting with our customers—and do I believe that these are good enough?
Another advantage we get when we focus on the decisions vs. any kind of predetermined list of controls or elements in a framework bingo card is that we know that – unlike the latter, which is fixed – the decisions organizations make are going to be highly dynamic.
So if we’re supposed to support effective decision-making, then our security architecture needs to be able to flex and adapt based on the nature of those decisions and the directions the organization has chosen to take.
I realize this isn’t a shock. It’s what everyone tells us we have to do as security.
In fact, they’ve been telling us the same things for years.
But we have to ask ourselves some questions:
Why isn’t this a solved problem?
What is it that’s really missing?
And how well would we grade our own efforts against the two success criteria above?
Obviously…I think I might have some answers to all those questions—except the last one, because I’m not you, nor am I in your organization, nor do I understand the exact challenges you’re facing every day.
But, based on all the work I’ve done with organizations that probably aren’t all that different than yours (it’s a pretty wide scope), I’ve come up with some strategies and approaches to making sure that you have the best chance possible to enable the creation and operation of an effective security program…
…by making sure you first build an effective security architecture that captures the essence and gives direction to the decisions you need to make every day about how best to keep your organization safe.
These insights are based on my own experience, and, in particular, they’re based on working with SABSA for 14 years before I understood it well enough to distill it down so you can build security architectures as smoothly as a triple-distilled Irish whiskey velvetly drapes the contours of your tongue.
And, as an added bonus, they’re not just any, garden-variety security architectures…they’re SABSA security architectures. You just probably didn’t realize it at the time.
That’s why it’s a system, and while the best way to learn how to effectively wield The Agile Security System™ is working directly with me through our coaching and mentoring program…
…the next best way is by working with me and up to 20 of your security peers and colleagues for 7 weeks as part of the next cohort of our flagship training program, Building Effective Security Architectures.
If you register this week, you get the lowest possible rate for the next run of the course – that’s a 60% savings off the standard rate of over $4000 – and you have some extra time to make sure that you can plan your work schedule from the 24th of February to the middle of April to make sure you get the most from the course.
The answers to the question about how to make sure you build a security architecture that delivers those two critical characteristics come in Module 3 of the course, after we’ve spent the first 5 weeks laying the foundation and giving you hands-on practice and individual evaluation of what you’re learning.
So if you care about building effective security architectures, and you want to know how you can do it faster, easier or more reliably than you might be doing right now, then here’s the link to join the February cohort:
The early-bird discount is really designed for people who self-fund their security education, but if you’re looking to get approval out of any remaining 2019 training budget, you’d better get a move-on. On the 14th of December, the price goes up, and you’ll have missed the opportunity to save yourself – or your team – a bit of money.
The choice is, as always, one only you can make. I’m confident that you’ll make whatever decision is right for you, but I would really love to have you join us for the February cohort.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive