Yesterday, I let you in on one of the biggest secrets of security: that the primary role you have in delivering your mission and purpose of security is creating and maintaining the organizational security policies.
Today, I’m going to let you in on the biggest secret of security:
You have the power to control the behavior and the decisions of the entire organization you serve.
Think about hat for just a minute…and let it sink in.
You have the power…
…the ULTIMATE power…
…to influence the decisions, and the activity of the organization you serve.
That’s pretty powerful indeed.
It’s pretty powerful because what you’re doing as security, is defining the way people are supposed to respond to the meaningful events within the organization.
Did you realize that?
Did you really?
By going through this whole, boring, time-consuming, tedious and potentially really, really annoying process of “Requirements Engineering” to take what we discover from the worlds of our customers and translate it into the normalized, prioritized directives for how the individuals in our organizations should respond to the events we deem important…
what are we doing?
That’s right.
We’re influencing their activity.
And if you remember from some of the earlier emails – and specifically from what I talked about in the August issue of the no-you-can’t-get-it-anymore-don’t-bother-asking Security Sanity™ print newsletter – the whole of our existence on this planet boils down to what we can control.
And the only things we can ultimately control are our behavior, how we choose to spend our time…
…and our activity, how we choose to respond to events.
But buried in there somewhere is the truth that if we’ve going to define our activity, then that means we need to make some decisions about what event are actually important in our world.
We need to define exactly which events are worth paying attention to—and not just paying attention to, but figuring out how we identify them so that we can take some specific actions when they occur.
But if we want to take some specific actions, then we need to at least define some principles to guide the decision we make about what we’re going to do, and how we’re going to respond.
So let’s think about security policies for a minute. Maybe this isn’t your Grandma’s security policy which weighs a ton and that’s as thick as the classic edition of the Unabridged Oxford Dictionary of the English Language.
Maybe it’s the security policies that we should be defining. The focused ones. The ones that are relevant to the worlds of our customers. The ones that really help drive the decisions they make about what’s important that they do in response to the events in their world, m and how those decisions can either enhance or undermine the overall security posture and risk exposure of the entire organization.
Those policies.
And if we, as security, can do a good enough job of understanding the worlds of our customers, and then prioritizing and translating what they’re trying to do into a set of capabilities we need to deliver in our world that will give them confidence they can achieve their objectives, then we’ve done something really powerful.
But that power comes with a catch. What is it?
Well…the catch is…they need to understand the implications of the day-to-day decisions they make in terms of the overall risk exposure of the organization. And, if they do this, our HOPE is…
because, remember, the best we can do is influence the activity and behavior of other people—we can’t control it.
Our hope is, that they make the right decisions – in their world, faced with the challenges they encounter every day – that will keep the organization as safe as possible.
So…if we can do this, what have we done?
We’ve developed a mechanism for mind control across the ENTIRE organization. And not only that…we’ve done it so that it’s pervasive, and they can’t make a decision without our influence.
Pretty cool, huh?
It certainly falls into the category of the old saying, “With great power comes great responsibility.”
So if you want to figure out how to do it right…so that you are effective and influential with the organizational mind control you’re actually, deep, deep down really trying to achieve…
…for the good of the organization of course…
then you might want to check out the whole October issue on the mindless, boring and otherwise “old skool” topic of Requirements^?^?^?^?^?^?^?^?^?^?^?^?Policy Engineering I’m covering in depth, so you can have the best chance possible of delivering the mission and purpose of security of keeping the organization as safe as possible, while it executes its strategy as quickly as possible.
If you find yourself in an “evil genius” and “mind control” sort of mood, then here’s the link:
But be warned, these secrets of organizational mind control are going to go the way of the Dodo in just 4 days, so you need to make a decision as to whether this is the right thing to do or not.
Either way, I’ll be here, doing my best to keep you pointed the right direction.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. Please forgive the typos. I’m in the cheap seats, 10,000m above Harare as I write this on the way to the ultimate congregation of SABSA and Security Architecture practitioners, the COSAC and SABSA World Congress in Naas, Ireland. Hoping to see some of you there in a few days, and I’m sure I’ll learn much more than I’m able to convey in my presentation.
Leave a Reply