Dear Frustrated Security Leader,
You’ve been told a million times that your security program needs to be aligned with the business and deliver value. You’ve been repeatedly asked to present and justify the ROI of your security investments to the Executive Leadership and the Board of Directors. You’ve done the cost models. You’ve consolidated your security vendors. You’ve streamlined your security staffing requests.
And yet, your explanations of how well you’re doing at effectively using your security budget to keep bad things from happening…
…has either occasionally fallen a little flat, teetering precariously on the edge of technical jargon and overwhelming, operational metrics…
…or has been undermined by the fact that bad things did in fact end up happening since your last official report.
So, whether nothing happened – or things did happen, but they just didn’t get worse – because of the long hours and tireless efforts of you and your team…
…or because you just got lucky…
…you’re in the same situation:
You’re just not happy with how easily you can explain the value of the security investments you’ve made in concrete business terms…
…and you’re struggling to frame the benefits of your security investments in terms that result in a “no-brainer” approval from the Executive Leadership Team and the Board…
…without once again leaning on the crutch of pending compliance requirements or the disaster that happened last week at your closest competitor.
You’ve integrated all the “best practice” advice out there from the industry leaders. You’ve implemented all of the leading control frameworks. And you’ve mapped it all into a “maturity model” scorecard that you’re using to track the overall evolution and enhancement of your operational security controls.
But the numbers still look bad.
Because every single day you get a flood of new telemetry data that describes all of the potential ongoing security issues in your environment. You get an endless sea of vulnerability reports, new patches to deploy and operational incident notifications.
The entire Executive Leadership Team – and even a Board Member – failed the last round of phishing exercises. And they still won’t complete the mandatory security awareness training that’s been pending for the last 3 months…
…since the CEO themselves sent out the all-hands email that stated how important it was that everyone was continually vigilant in their cyber education.
You’re under-staffed. You’re overwhelmed.
Many of your top people are either overtly or covertly looking for their next opportunity.
You have a slew of new complaints by the Program Owners of the most important customer-facing applications because they’re over-budget, behind schedule…
…and once again failed the mandatory, go-live security reviews.
You hardly have time to take a breath.
And your inbox is stuffed with every security vendor on the planet telling you how much worse it’s going to be next year…
…and how much harder it will be to get the funding you need in the current economic climate—especially in a US election year.
It’s enough to make you wonder some days why you ever wanted to do this job in the first place!
A Different Way Of Thinking
One of my favorite quotes from Albert Einstein is something along the lines of:
“We cannot solve our problems with the same thinking we used when we created them.”
I’ve personally found this true in many different areas of my life, and one thing I’ve learned as a senior security professional and advisor to CISOs and security leaders around the globe for more than 20 years is that this is as true in security as it is for anything else.
Because the way of thinking we’re using to try to solve our security problems today…
…is basically the same thinking we’ve been using for the last 50 years.
The only thing we’ve really done is change the mechanisms we’re using to try and do it with so that we can do it faster and with fewer people.
Otherwise, nothing fundamental has changed—including the very definition of “security” itself.
But before I go any further, let me take a moment to introduce myself. My name is Andrew S. Townley, and I’m the Founder and Chief Executive of Archistry. What I do is help large, global organizations with revenues in excess of $50 billion create effective, value-driven security programs.
This means that not only is security inherently aligned and proportional to the areas of the business that generate the most value to your customers…
…it also means that because of taking this approach, it’s virtually impossible to NOT be able to express the value of security in business terms.
Now, I will warn you. This isn’t something that you can do across an organization of the size I just described overnight—or even in a month or two.
However, because the approach I use to help people do this is based on a fundamentally different way of thinking about security than anyone else is using, it means that it not only actually works to help you find the leverage you need to dramatically improve your security program…
…it also gives you the clarity to know where to start looking.
Not because there’s anything magical about where to start, but because the approach starts and ends with business value.
You don’t have to make it up.
You don’t have to take it on blind faith whether or not your investments are going to make a difference.
You know.
And most of the time, you can even express it in terms of hard numbers measured in time and money.
But even for the times when this isn’t readily obvious or it would otherwise be too time-consuming and tedious to calculate…
…the beauty of this approach is that it’s infinitely scalable, and it’s based on decades of hard science, psychology and methods that have been proven in the field for over 70 years.
It may initially seem somewhat simplistic in the beginning, however I can happily show you firsthand that the approach scales from the likes of a 5-minute hallway conversation…
…to structuring the way your entire team is thinking about and doing the work they need to do.
And since I realize that this might be the first time you’ve been exposed to such a different way of thinking about security, I’m offering you an exclusive opportunity to experience it for yourself as part of a unique and highly practical program I’ve put together called…
The Security Value Delivery Bootcamp.
The Security Value Delivery Bootcamp™ is a special, highly focused, learn-as-you-execute program that combines live education and Q&A sessions with mandatory, daily homework assignments to ensure that you not only learn the fundamentals of surfacing and communicating the value of your security program…
…you also create an extensible starting-point you can build on going forward as you apply it to all areas of your security program and to the organization you support.
Now, you might be tempted to have one of your senior people go through it on your behalf, since it does require a guaranteed minimum time commitment over the 5-days of the program.
However, I would strongly urge you to not do this.
Because the thing is, as a senior security leader or executive, this is an essential skill you need to have yourself.
Sure, you can assign the expansion and evolution to what you start in the bootcamp to your team going forward…
…but if you don’t have the skills yourself, it won’t help you talk about your current and future security needs and capabilities “off the cuff” in high-profile situations like strategic planning sessions or when answering unexpected questions from the Executive Leadership Team and the Board during your regular reports.
The good news is that once you learn a few basic concepts and practical techniques, it is pretty simple to do.
All you need to do is establish the right understanding of the organization you’re trying to enable and protect…
…and then apply the simple model that’s the basis of my approach to almost instantly highlight where your security investments are truly aligned with the business and delivering value that matters…
…and where they might not.
Because ultimately, that’s exactly what you – as the leader of your security program and the primary interface between security and “the business” – need to be able to do.
You need to have clarity on where things are under control, and you need to be able to know what decisions need to be made in order to address those that aren’t.
But what’s more is that the exact same information you’ll be using to make those decisions once you’ve learned and are able to apply what I’ll be sharing with you during the bootcamp…
…will also be the business-focused justification the Executive Leadership Team will be ready to accept.
Because security isn’t ultimately about technology, infrastructure, threat actors or vulnerabilities.
Security is ultimately about effectively demonstrating that you are truly enabling and protecting your organization.
And the best thing yet is that it doesn’t take a lot of technical jargon or knowledge of security on their part in order for you to be successful in explaining the true value of your security program in clear business terms.
So, if you’d like to be able to not only do this yourself, but enable your team to do it too, let me explain…
The structure of the program.
The Security Value Delivery Bootcamp is a program that takes place over the course of 5 consecutive days. Each day is mandatory, and attendance by anyone other than the person who registered is not allowed.
The purpose of each day is to provide digestible, practical learning and skill development through the combination of live, interactive sessions and focused homework assignments that ensure you can understand and apply what you’ve learned.
Each of the sessions take place virtually, so you can easily integrate your participation in the bootcamp with your other day-to-day obligations. No time out of the office. No travel expenses. And no jet-lag and wall of problems waiting for you once you get back to the office.
The structure of the program is designed to be as easy as possible for you to complete alongside the work you already do simply by allocating only an hour a day for each live education session, up to 20 minutes to answer any questions you might have about the material or the homework from the previous day and between 60-90 minutes of focused, time-boxed effort every day on your own time to complete the homework exercises.
Even with such a minimal time investment, I think you’ll be surprised at what you’re able to accomplish during the bootcamp—and especially the additional free time it will give you going forward, thanks to the foundation you establish for you and your team during the bootcamp.
I mentioned earlier that this was an exclusive program, and it is. Only the first 12 people to register will be allowed to participate, and those that register the earliest will have first pick as to when to experience the bootcamp.
There are 2 sessions per week for people in the Americas, Europe and Africa, and a single session per week for people in Asia, Australia and New Zealand.
The sessions will run from June 3rd to the 28th, and you must register for your desired session at least the week prior to you participating in the program. This allows for the appropriate logistics and scheduling to take place, and for adequate reallocation of anything required to enable you to fully participate in the program.
Once the available slots have been reserved, they will be gone. Given the way my schedule comes together for the rest of the year, I may or may not decide to offer this program again.
So, if you’d like to make explaining the value of your security program in business terms easier for the 2nd half of 2024 than it was for the beginning, then I would urge you to book your slot immediately so you have the best chance of getting the session you want.
Here’s a more detailed breakdown of what will be covered each day.
Day #1: Understand the Business
One of the common challenges I’ve seen among security leaders across the globe is that they struggle to really connect with the business. Most of the time, this is because the vast majority of CISOs and people leading the security function have a technology background. This makes them much more comfortable talking to the IT and Security teams than trying to relate to other executives and senior staff who are non-technical.
During the first session on Day #1, I’ll be walking you through the easiest tools I’ve ever found to quickly and confidently get your head around your organization from a business perspective. This will give you the necessary vocabulary and concepts to easily communicate with executives of any level, and you’ll have the confidence to translate any future business or security-related conversation into the technical controls, frameworks and standards you and your team may currently be more comfortable with.
Day #2: Understanding Value Streams
Value streams are an end-to-end sequence of activities that give a result – and ideally delight – a customer. Value streams are similar to business processes, but they are not the same. However, the most important aspect of value streams is being able to understand which ones are responsible for supporting your organization’s most critical customers.
Fortunately, there is a single, fundamental model that you can use in absolutely any situation to be able to start from anything you know, and then work in both directions to discover what you need to know about any value stream you encounter. Once you understand the value streams, you’re 80% of the way to being able to express the value of security in business terms.
Day #3: Understanding Risk
I realize that as an experienced CISO or leader of a security program, you probably already know a lot about risk. However, that’s part of the problem. Because, like security, much of what you probably already know about risk is based on a set of thinking – especially in the cyber realm – that isn’t really going to help you very much when it comes to explaining the true value of security in business terms.
During this session, we’re going to revisit the concept of risk, and I’m going to share with you several models based on thinking differently about both security and risk. These models aren’t new. In fact, they’ve been used in a variety of industries and disciplines for over 70 years. However, not many people are aware of them, so they haven’t yet been widely applied to security. This means that not only will you finally be able to talk about security and risk in business terms, no matter what issue is on the table. You’ll also be a stand-out leader among your peers, because there’s a good chance that they’ve never heard of this, and they’re going to still be struggling for a long time—just like you were before attending the bootcamp.
Day #4: Understanding Architecture
Again, you might already feel you have a good understanding of architecture, and in particular security architecture, before you attend the bootcamp. However, here again, I’m confident that you’ve never thought about security architecture quite the way you will after you go through our session on Day #4.
In fact, without even realizing it, you’ve been laying the groundwork for a true, value-driven enterprise security architecture as you’ve been completing the homework up to this point in the bootcamp. What most people don’t realize about architecture – and most certainly about security architecture – is that it’s not about the documentation and artifacts that are produced. It’s not even about the things that are built based on that architecture. Architecture is really about finding a common and consistent way to express how you see the world in a useful way—not just for you, but for everyone working with or for you. After the bootcamp, you’ll be leveraging what you’ll now know about architecture as the foundation for transforming your entire security program and making it much more effective and relevant to the business.
Day #5: Opportunities for Delivering Additional Value
By the last day of the bootcamp, you’ll have an understanding of your organization like never before, you’ll have shifted your perspective and approach to security, risk and architecture, and you’ll be able to express the value of the security control environment you already have using the concepts and techniques you’ve learned. However, in order to continue to be able to enhance your security program and successfully justify the future investments you want to make, it’s useful to be able to prioritize some “quick wins” that can easily demonstrate the value you’ve obtained from the bootcamp—both to yourself and to the rest of the Executive Leadership Team.
In this session, I’m going to take a look at your security program from the perspective of what I call the Security Value Streams™. These value streams were introduced briefly on the first day of the bootcamp, but now I’m going to present them in more detail. As part of this conversation, I’ll show how security directly supports the delivery of each one, and I’ll highlight a number of potential opportunities for improvement you might have in your own organization. This conversation includes things that I’ve assisted other clients with in the past, and I’ll also show you some practical, value-oriented security metrics that you can adopt to help demonstrate the value of these improvement initiatives in clear business terms.
What You Get By Attending The Program
The overall objective of the program is so that you’ll be able to confidently speak to the Executive Leadership Team, other business leaders, customers, partners and the board of directors about how security is helping them deliver their business goals, not just how it’s supposed to keep bad things from happening.
Once you’ve completed the bootcamp, you’ll have the knowledge and skills to be able to do this successfully in any situation, about any topic or persistent threat that happens to come across the table. You’ll have a solid system you can rely on, based on a simple, fundamental and proven model, that will work every single time, because it ensures you’re thinking and talking about the right things.
Additionally, you’ll also get:
- A fundamental understanding of what business is all about (which is something your business colleagues may not consciously think about, but which will allow you to easily focus your conversations on what they care about most)
- Practical knowledge and skills in applying one of the most universal tools ever created to talk about what’s important to the organization (something that your business colleagues will instantly understand)
- The 8 critical decisions you need to make about your security program to ensure that it stays focused on the business and its value is obvious to everyone
- Your own, personalized model of the organization that allows you to connect security to business value (a model that you’ll build and evolve through the bootcamp and then leverage going forward for as long as you’re with the organization)
- Clarity on the “hard numbers” security really supports in the business (numbers you’ll use to express the value of security from here forward)
- Practical ways to explain the difference in the scope and objectives of enterprise vs. information vs. physical vs. cyber security
- Reliable, detailed models you can use for yourself and your team to categorize and classify any security problem, issue or project that will ensure it’s easy to align with and explain to the business
- A working understanding of value streams, why they’re so important and how to use them to highlight the value security provides (including a model of the 3 most important value streams that exist in any organization)
- The revised definitions of security and risk that are required to prevent security from being swept under the rug and deprioritized because its seen as “non-functional” requirements
- Clarity on the 3 fundamental causes of risk that most people either overlook or don’t even know (because these are the causes that give you the leverage you need to always talk about security in business terms)
- The ability to talk about risk from a business perspective in any are of the organization (thanks to a generic risk model I’ve developed over the last 20 years that I share with you as part of the program)
- A “reality check” as to what security architecture is really all about (and why without the right approach, you’re struggling to both deliver and demonstrate the value of security)
- The “blueprint” for establishing business-focused metrics across security operations and security’s role in project delivery (metrics you can apply immediately to discover where you should be focusing that you probably aren’t, and which will show exactly the progress you’ll make going forward in pure business terms)
Beyond all of these things, I want to reiterate that the purpose of this program isn’t just for you to acquire knowledge. The purpose of this program is to work with you to help you build out a picture that describes the value your security program is delivering to your organization—right now.
That’s why we have homework, so you can build out the materials you will be using to support the conversations you have with the Executive Leadership Team and the board right now. You aren’t going to have to do it on your own. I’m going to be working with you, every day, to make sure that you end up with a true starting point you can build on for as long as you like.
The true value of this program to you is that it will change what you think and talk about with the people around you, and by changing what you think and talk about, you’ll change what people see when it comes to security.
Program Schedule
The first session of the program will start on June 3rd, and the last session of the program will end on June 28th. You will be able to choose the session you wish to attend based on a first-come, first-served basis. This means that your desired session may not be available by the time you’ve registered, so please ensure that you have two choices ready in the event that previous participants have already reserved the spot you want.
The sessions are scheduled to support participants in the Americas and Europe based on the times below given in US/Eastern, and participants form Asia, Australia and New Zealand have options for a single session each week given in Australia/Eastern time.
You will be working with me directly, one-on-one for the duration of the bootcamp, and it will not be possible to skip or reschedule a session. The sessions will be confidential between the two of us, so we can discuss things that are directly relevant to applying what you’re learning on each call. Each of our sessions will be recorded as we go, and these recordings will be made available to you separately via the Archistry Learning mobile app.
Week of June 3:
- 9:30-11:00am US/Eastern, Monday to Friday.
- 1:30-3:00pm US/Eastern, Monday to Friday
- 10:30-12:00pm Australia/Eastern, Monday to Friday
Week of June 10:
- 9:30-11:00am US/Eastern, Monday to Friday.
- 1:30-3:00pm US/Eastern, Monday to Friday
- 10:30-12:00pm Australia/Eastern, Monday to Friday
Week of June 17:
- 9:30-11:00am US/Eastern, Monday to Friday.
- 1:30-3:00pm US/Eastern, Monday to Friday
- 10:30-12:00pm Australia/Eastern, Monday to Friday
Week of June 24:
- 9:30-11:00am US/Eastern, Monday to Friday.
- 1:30-3:00pm US/Eastern, Monday to Friday
- 10:30-12:00pm Australia/Eastern, Monday to Friday
Participants in the US/Eastern sessions must submit their daily homework assignments by 11:59pm US/Eastern.
Participants in the Australia/Eastern sessions must submit their daily homework assignments by 11:59pm Australia/Eastern
Registration
To register for one of the 12 available spots in the bootcamp, you can either use the button below to instantly save your spot using a credit card, saving 50% off the regular registration fees of $14,999.
Otherwise, registration on a P.O. basis will be charged at the full rate of $14,999. If you are using a P.O. or you require an invoice be issued, please ensure that you allow enough time on your end for the payment to be processed.
The full fees for the program MUST be paid strictly in advance. If payment has not been received prior to the start of your scheduled session, there will be no refunds. In the event that a later spot is available, you may reschedule your session. However, if no available spots remain, then you will forfeit your ability to attend the bootcamp, and no refunds or alternative arrangements will be considered.
To claim your spot in the bootcamp TODAY using your credit card, simply click the button below right now.
Otherwise, send an email referencing this program to bootcamp@archistry.com and include all of the following information:
- The name and contact details of the person attending the program
- Your first and second choices of sessions
- All information necessary for issuing the invoice for immediate payment, including bill to, ship to, P.O. and responsible party as applicable
Payment of the invoice is due immediately on receipt. If this is going to be difficult given your organization’s AP policies, then I urge you to use the above button and register with a credit card instead.
Security Value Delivery Intensive™ (Special Upgrade)
In speaking with some people about offering this program, it became clear that having an additional amount of ongoing, post-implementation support was beneficial. Therefore, if you would like to get an additional 3 weeks of ongoing support from me in the form of a 60-minute call and unlimited (within reason) access to me via email and Slack (or the collaboration tool of your choice), I’ve put together a special upgrade opportunity above and beyond what you get with the standard Security Value Delivery Bootcamp package.
The upgraded package includes:
- The regular Security Value Delivery Bootcamp™ (normally $14,999)
- An additional 3 weeks of dedicated, 1:1 support, guidance and mentoring (normally $37,500)
- Access to all 40+ worksheets of the Architecture Ignition Kit™ (normally $1,199)
- Access to the Supercharge Your Security Architecture™ Masterclass (normally $499)
- Print and digital editions of my book, Getting Started with The Agile Security System™, (normally $117)
Normally, this complete package would require an investment of $54,314.
However, if you reserve your spot before June 3rd, you can get the special Security Value Delivery Intensive™ upgrade package for only $24,999.
As this level of investment likely requires approval and expedited invoice payments, I would urge you that if you are interested in this opportunity to work with me directly after the bootcamp as part of this intensive upgrade, that you act sooner rather than later.
If you would like to register for the special upgrade offer, send an email as per above to bootcamp@archistry.com, including all of the following information:
- The name and contact details of the person attending the program
- Your first and second choices of sessions
- All information necessary for issuing the invoice for immediate payment, including bill to, ship to, P.O. and responsible party as applicable
As above, payment of the invoice is due immediately on receipt. If this is going to be difficult given your organization’s AP policies, then I urge you to use the above button and register with a credit card instead.
Stay safe,
—
Andrew S. Townley
Archistry Chief Executive
What People Are Saying About Andrew
A True Thought Leader
“Andrew is a highly skilled and experienced architect and consultant. He is innovative in his thinking and a true Thought Leader in his specialist domains of knowledge—in particular the management of risk. Andrew has also been a significant contributor to expanding the SABSA body of knowledge.”
John Sherwood – SABSA® Creator and Chief Architect
Makes Things Work
“Fabulous person to work with. Very engaging and insightful. Extremely good technical knowledge with ability to relate concepts together and overcome differing opinions. Makes things work.”
Kevin Howe-Patterson – Chief Architect, Nortel - Wireless Data Services
Clarity, Depth and Breadth
“Andrew was able to bring clarity and great depth of knowledge to the table. His breadth of thinking and understanding of the business and technical issues along with a clear and effective communication style were of great benefit.”
Doug Reynolds – Product Manager, MobileAware
Fabulous Consultant
“Andrew is a fabulous consultant and presenter that you simply enjoy listening to as he manages to develop highly sophisticated subjects in a very understandable way. His experience is actually surprising!”
Biljana Cerin, Director, Information Security and Compliance
Interesting, Useful and Full of Ideas
“Found the link to the July issue and read through this afternoon. Think you’ve done a really good job with it and especially around the objective of it being interesting, useful and full of ideas—which the newsletter easily met. Really looking forward to the September issue. If, in the unlikely event an August addition become available, I would happily purchase!”
Andy Smith – Security Architect
More Value Than Anything Out There
"As you have mentioned before, it always all about controls and frameworks. The gap between where the industry is and where we should be seems to be about 180 degrees. Whenever someone asks the question, 'should we have a framework to align business to security?' well they need to look at what Archistry offers. I refuse to pay for any other training class out there. No value after taking BESA, and it's the reason why I spend my money on Security Sanity instead. Absolutely more value there."
Tereston Bertrand – Enterprise Security Architect
A Source of Sanity
“I have been working flat out the last 2-3 weeks on a very detailed program. The one thing that has kept me sane has been your daily emails about the Archistry training. Keep those great emails coming!”
Shane Tully – Enterprise Security Architect
Compelled to Subscribe
"Reading your blogs and content I was rolling at some of the references you make. You write like the frustration of the past guides your fingers across the keys. I was compelled to subscribe to the newsletter."
Vince Nalin – Enterprise Security Architect
Thought-Provoking, Practical Ideas
"Your thought-provoking messages about security, leadership … are welcome. I enjoy reading them. There are many ideas which can be applied to the work, even within the limits of a heavily-regulated organization like my employer."
Helvi Salminen – Information Security Manager