There’s a quote by a long-dead Unitarian minister named William Alger that gives us a good introduction to today’s security architecture sin: wrath. It goes:
“Men often make up in wrath what they want in reason.”
And, as far as we’re concerned, you can quite easily replace the word “reason” in Alger’s quote with the word “architecture,” because in my experience, pretty much every time security folks get their knickers in a twist about those “evil business users” doing something they think is wrong…
…it eventually boils down to a lack of security architecture that enables them to do what they need to do the “right” way, and in conformance to the holy security policies of the organization.
I mean, at times, and due to the vehemence of security in saying, “No, you can’t do that, it’s against the security policy!” it’s almost like…the Spanish Inquisition!
[NOBODY expects the Spanish Inquisition! Our two weapons are fear and surprise…and ruthless efficiency—three! Our THREE weapons are…]
But still…we get angry at the business, and we tend to forget that we’re actually working for them rather than them being subject to our merciful and benevolent rule.
Now, sometimes, yes…I will admit, we’ve done our job, we’ve aligned with the business, and we’ve provided a set of flexible security policies and control implementations that should very well support the current and expected future needs of the organization…
…and they still can’t follow directions.
Yeah, it’s frustrating. And, the more overworked and stressed-out we are doing a bunch of things other than architecture work, the more likely that frustration will spiral into downright wrath and eventual loss of respect.
If (or when) that happens, it’s pretty much game over for security as an enabler of the business, and the clock starts ticking until the inevitable major security incident that makes headlines. Because, if you treat your customers with contempt and anger instead of trying to deliver value, they’re going to start to take great delight in circumventing your security guidance any way they can.
[NOBODY expects the Shadow IT Solution! Our three weapons are easy, cheap, and functionality we actually wanted…and getting it done fast—four! Our FOUR weapons are…]
Now, I’m not suggesting security should wiggle like a wet noodle.
What I’m saying is that security should be firm.
Al dente. Not over-cooked.
But we should be firm in all the right ways and in all the right places.
And if we want to get angry about people not following the rules, then we’d better start taking a long hard look at those rules and how they’re actually being created—not start shooting the messengers and blaming them for our frustration.
Fortunately, there’s a solution to this particular security architecture vice too, and it’s one that I’ll cover in the upcoming pages of the March issue of the print Security Sanity™ newsletter that will ship shortly after the beginning of the month.
However, you won’t get this helpful harbinger of the virtuous practices that will specifically address each of these seven deadly security architecture sins you might be unwittingly undertaking unless you’ve subscribed before Saturday’s deadline using this link:
To hopefully dispel any potential confusion on your part about whether you’re already subscribed since you’re reading this email, unless you’ve gone to the above URL, clicked the GINORMOUS bright yellow “Subscribe NOW!” button, and successfully provided your credit card details for the recurring fee of the admittedly expensive $97 monthly subscription fee…
…you ain’t gonna get a pretty white envelope delivered to your doorstep every month containing your monthly fix of sanity in our crazy world of the modern security program.
And maybe that’s ok. Or maybe you’ll be sorry you’ve missed out on the insights and answers you can apply immediately after devouring each delectable leaf.
Only you know the answer.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive