May 20, 2020
Far too many people approach security architecture like Fred Flintstone—that is, if they worry about proper security architecture at all. Mind you, I’m not talking about this here new-fangled, live-action fiddle-dee-dee that most people might think of. I’m talking about the one I grew up with, in the real caveman days. The animated one.
The one that ends at the Bronto Burgers and Ribs joint with Fred ordering a rack of ribs so big that ends up tipping over the car.
Because, unfortunately, that’s the kind of one-size-fits-all approach used by a lot of the architecture frameworks out there, let alone the security ones. We think that if we have more detail, if we have more boxes, stages, layers, phases, templates, labels and models…
…that, basically, it’ll be damn-near impossible to screw it up.
And, if, for some reason we did, the authors and owners of the method don’t want to wake to an angry mob of villagers with torches and pitchforks banging on their door yelling:
“You lied to us! You said the framework was all we needed!”
“You said it was complete!”
“You said it was easy!”
“You claimed it was ‘industry best practice’ and ‘everyone was following it’!”
“So why in the hell are we on the front page of the WSJ and the FT??!!???”
SABSA, for example, often gets a bad rap for being big, bloated and too intensive to be practical. It’s great in theory, but it’s not possible to put it into practice. Sure, it is big, and it is comprehensive in the way it’s documented and presented in the official certification program—and that really only scratches the surface of how to use it in practice.
And, if you go by the white paper as the end-all-be-all definition of it (which you shouldn’t, but it doesn’t stop people from doing it anyway), then it’s effectively like saying all you need to do to feed the world is grow some corn. Here’s the dirt. Here’s the seed. You add the water, and you’re good to go.
Understand that that’s not a dig at John, David and Andy. Far from it. It’s just the way you have to simplify to get an overview of a 567-page book and 34+ hours of intensive training crammed into a mere 27 pages.
And we also know that everyone gets scared if they’re given too much information to digest at a time – even me – so, eventually, the silky whisper of bad advice becomes verbalized into the directive:
“It’s ok. You can think of [the whatever-it-is method] as a toolbox of things you can just pick up and use as needed.”
Guided by this advice, that’s exactly what people do. They cherry-pick the pieces they like, or that seem useful, or, more often the case…
…the pieces that they remember…
…only to go on their merry way, whistling a happy tune thinking they’ve won the day. I know I’ve done it. Maybe you have too, but I know I’ve done it.
And yet…depending on how many of those cherries we choose to carry around with us, we’re eventually going to have cobbled together our own architecture framework. Which, in and of itself, isn’t a bad thing. Anyone who’s done any architecture work for more than about 5 minutes picks up additional, specialized tools they’ve found useful that might not be a core part of whatever method they’re using.
But the key to being able to make a cherry pie vs. having to cut your picker outta the orchard is whether or not your own personalized framework is built around a solid, theoretical core that hangs together under scrutiny. And, for those of you wondering, just because you have a bunch of conceptual models showing the key relationships between the terms of your framework doesn’t mean you have a robust, well-thought-out model that won’t trip over its own twisted knickers when the brown stuff hits the spinny thing.
You might’ve heard the phrase “culture eats strategy for breakfast” at some point talking about the overwhelming power of an existing organization’s culture to cling to the status quo undermining the most promising strategy you could ever possibly create.
Well, here’s another one: principles eat process for breakfast, because if you truly understand the objective you have, and you have a small set of rules and laws you can always count on never changing, your principles, then you have the ability to successfully tackle any potential problem you will ever face…
…large, small or Goldilocks-just-right sized.
But eventually, any process can become so inwardly focused on the process rather than the objective that you’ll end up quite happily chewing through the thin skin of the airliner at 50,000 feet while still being able to rightfully claim you’ve followed the process.
So the question is, whether you’re a roll-your-own architecture framework guy or gal, or whether you’re a by-the-book’er…
What are the set of architecture principles that guide the work you do, every day, without fail and without exception? Can you write them down?
Have you proof that they don’t change over time?
Do you have confidence that if you followed them consistently, every time, that they would keep you out of trouble, aligned with your objective and help you deliver the results that really mattered?
Maybe you do.
I know I didn’t—well, not in a way that met all those criteria. Primarily, because I hadn’t written them down, even though I’d been unconsciously applying them for the last several years in every architecture and advisory engagement I did with Archistry’s clients around the world.
But that changed in July of last year, when I did sit down to consciously define just such a set of rules and laws I believe are the true drivers of successful security architecture.
And, as you might’ve heard me say once or twice, I firmly believe with every fiber of my being that the only viable basis of a successful and effective information, cyber and IT security program – wherever you happen to draw those lines – is architecture.
So that makes getting this whole architecture thing right kinda important.
If you don’t have a framework – a real, conceptual framework of principles, rules and laws that never change, that you can consciously articulate and which you know will keep you from doing the wrong things…
…then maybe you might like to borrow mine.
And I’ll be happy to teach them to you, and how to put them in practice over the 7 weeks of our flagship Building Effective Security Architectures program. In the end, The Agile Security System™ is just 7 principles, 14 practices and 3 Baseline Perspectives™ to help you organize how you think about the organization you’re trying to keep safe. And by fusing those together around the 3 fundamental, integrated and powerful concepts of SABSA’s attributes, domains and governance model…
…my experience tells me that you can’t help but be a better security architect.
And that means you can’t help but improve the overall effectiveness of your own security program too—even just the slightest little bit based on your own, individual and newly focused contributions.
I get that’s a big claim, and you might not know me well enough to believe I can back it up. That’s fair. There’s no question that not everyone agrees with me about this, and some people think I’m bat-shyte crazy to talk about architecture and security the way I do.
That’s ok too. They haven’t done what I’ve done, and I haven’t done what you’ve done either. And unless you’ve been to one of my talks, we’ve had an intense, one-on-one conversation about security architecture, you’ve taken any of the official SABSA Foundation courses I used to teach years ago, you’ve read any of the articles I used to write in security journals or you’re a subscriber to Archistry’s Security Sanity™ print newsletter…
…you only have what you’ve read in these emails and potentially any blog posts you’ve read on which to make the decision as to whether it’s worth taking the risk of throwing almost $5,000 and 7 weeks of your time into the ring to find out.
Again, I’m not you. All I can say is that I’ve finally built the security architecture program I’ve always wanted to take…and it also happens to be just the one I’ve always wanted to teach. And, unless you fall into the “he’s bat-shyt crazy” bin, I think that after 25 years of doing what I’ve done and 15 years applying and teaching SABSA in the field kinda says something.
If it does, then you’re gonna need this link:
And if you hop to it and register before Saturday night, May 23rd at 11:59pm, you’ll also get a hefty $1,000 off the regular registration cost. I said the wrong name yesterday, because the Early-bird registration flew the coop on the 19th of April.
But I did get the discount right for the pre-registration period that’s open now. So, if you need to win over the hearts, minds and pocket-books of anyone else in your organization – or your household – I’d suggest you get moving if you want to collect the discount.
Whether it does or whether it doesn’t mean anything to you only matters to you. I’ll be here with the rest of the members of the cohort who’re already registered either way.
Remember, tick-tock goes the clock, not the paragon of stupidity that some call an app. And in these times, we all have some potentially tough choices to make to do our best to make sure we have the best chance of coming out the other side in as few pieces as possible.
If it’s right, then great. I’ll be glad to have you. If it isn’t, then totally fine. Either way…
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive