• Strategy
  • Risk
  • Governance
  • Compliance
  • SABSA®
  • Login

Archistry

exceptional performance since 2006

  • Home
  • About
  • Courses
  • Bookstore
  • Glossary
  • Contact
You are here: Home / Archistry Daily / Wisely wielding the power of organizational mind control

September 27, 2019

Wisely wielding the power of organizational mind control

Yesterday, I let you in on one of the biggest secrets of security: that the primary role you have in delivering your mission and purpose of security is creating and maintaining the organizational security policies.

Today, I’m going to let you in on the biggest secret of security:

You have the power to control the behavior and the decisions of the entire organization you serve.

Think about hat for just a minute…and let it sink in.

You have the power…

…the ULTIMATE power…

…to influence the decisions, and the activity of the organization you serve.

That’s pretty powerful indeed.

It’s pretty powerful because what you’re doing as security, is defining the way people are supposed to respond to the meaningful events within the organization.

Did you realize that?

Did you really?

By going through this whole, boring, time-consuming, tedious and potentially really, really annoying process of “Requirements Engineering” to take what we discover from the worlds of our customers and translate it into the normalized, prioritized directives for how the individuals in our organizations should respond to the events we deem important…

what are we doing?

That’s right.

We’re influencing their activity.

And if you remember from some of the earlier emails – and specifically from what I talked about in the August issue of the no-you-can’t-get-it-anymore-don’t-bother-asking Security Sanity™ print newsletter – the whole of our existence on this planet boils down to what we can control.

And the only things we can ultimately control are our behavior, how we choose to spend our time…

…and our activity, how we choose to respond to events.

But buried in there somewhere is the truth that if we’ve going to define our activity, then that means we need to make some decisions about what event are actually important in our world.

We need to define exactly which events are worth paying attention to—and not just paying attention to, but figuring out how we identify them so that we can take some specific actions when they occur.

But if we want to take some specific actions, then we need to at least define some principles to guide the decision we make about what we’re going to do, and how we’re going to respond.

So let’s think about security policies for a minute. Maybe this isn’t your Grandma’s security policy which weighs a ton and that’s as thick as the classic edition of the Unabridged Oxford Dictionary of the English Language.

Maybe it’s the security policies that we should be defining. The focused ones. The ones that are relevant to the worlds of our customers. The ones that really help drive the decisions they make about what’s important that they do in response to the events in their world, m and how those decisions can either enhance or undermine the overall security posture and risk exposure of the entire organization.

Those policies.

And if we, as security, can do a good enough job of understanding the worlds of our customers, and then prioritizing and translating what they’re trying to do into a set of capabilities we need to deliver in our world that will give them confidence they can achieve their objectives, then we’ve done something really powerful.

But that power comes with a catch. What is it?

Well…the catch is…they need to understand the implications of the day-to-day decisions they make in terms of the overall risk exposure of the organization. And, if they do this, our HOPE is…

because, remember, the best we can do is influence the activity and behavior of other people—we can’t control it.

Our hope is, that they make the right decisions – in their world, faced with the challenges they encounter every day – that will keep the organization as safe as possible.

So…if we can do this, what have we done?

We’ve developed a mechanism for mind control across the ENTIRE organization. And not only that…we’ve done it so that it’s pervasive, and they can’t make a decision  without our influence.

Pretty cool, huh?

It certainly falls into the category of the old saying, “With great power comes great responsibility.”

So if you want to figure out how to do it right…so that you are effective and influential with the organizational mind control you’re actually, deep, deep down really trying to achieve…

…for the good of the organization of course…

then you might want to check out the whole October issue on the mindless, boring and otherwise “old skool” topic of Requirements^?^?^?^?^?^?^?^?^?^?^?^?Policy Engineering I’m covering in depth, so you can have the best chance possible of delivering the mission and purpose of security of keeping the organization as safe as possible, while it executes its strategy as quickly as possible.

If you find yourself in an “evil genius” and “mind control” sort of mood, then here’s the link:

https://securitysanity.com

But be warned, these secrets of organizational mind control are going to go the way of the Dodo in just 4 days, so you need to make a decision as to whether this is the right thing to do or not.

Either way, I’ll be here, doing my best to keep you pointed the right direction.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

P.S. Please forgive the typos. I’m in the cheap seats, 10,000m above Harare as I write this on the way to the ultimate congregation of SABSA and Security Architecture practitioners, the COSAC and SABSA World Congress in Naas, Ireland. Hoping to see some of you there in a few days, and I’m sure I’ll learn much more than I’m able to convey in my presentation.

Article by Andrew Townley / Archistry Daily / Agile Security, Policy Engineering, Requirements Engineering, Security Policy Leave a Comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

  • Email
  • LinkedIn
  • Twitter
  • YouTube

EMAIL NEWSLETTER

Want to get DAILY email tips on how to build a more effective security program so you can prove your security investments deliver value to the business?

You can always unsubscribe at any time, and we won't sell your data to third parties.

About Us

Archistry works with you to ensure what you want to achieve actually gets done, linking strategy, risk, governance and compliance to enable sustained exceptional performance Read More…

Testimonials

Andrew is a highly skilled and experienced information systems architect and consultant, which in my view is a rare thing. He is innovative in his thinking and merits the title of 'thought leader' in his specialist domains of knowledge—in particular the management of risk. Andrew has embraced SABSA as a framework and, in doing so, has been a significant contributor to extending the SABSA body of knowledge."

— John Sherwood, Chief SABSA Architect

"Fabulous person to work with. Very engaging and insightful. Extremely good technical knowledge with ability to relate concepts together and overcome differing opinions. Makes things work."

— Kevin Howe-Patterson, Chief Architect, Nortel - Wireless Data Services

"Andrew was able to bring clarity and great depth of knowledge to the table. His breadth of thinking and understanding of the business and technical issues along with a clear and effective communication style were of great benefit in moving the process forward towards a successful conclusion."

— Doug Reynolds, Product Manager, MobileAware

"Andrew is a fabulous consultant and presenter that you simply enjoy listening to, as he manages to develop highly sophisticated subjects in very understandable way. His experience is actually surprising and his thoughts leave you without considerable arguments for any doubts in the subjects he covers."

— Biljana Cerin, Director, Information Security and Compliance

Recent Posts

  • The real difference between architecture and engineering
  • The myth of the isolated project
  • The boneyard of failed architecture initiatives
  • To re-architect or not to re-architect your security controls
  • Afraid up-skilling your security team will train them for their next job?

Looking for something else?

Archistry

Practice Areas

  • Strategy
  • Risk Management
  • Corporate Governance
  • Compliance
  • SABSA®
  • Home
  • About
  • Courses
  • Bookstore
  • Glossary
  • Contact

  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Copyright © 2006-2023 Archistry Incorporated or its affiliates

"Archistry", the stained glass window logo, "Pragmantix" and the Pragmantix™ logo, "Archistry Execution Framework (AEF)", "Archistry Execution Framework, Cybersecurity Edition (ACS)", "The Agile Security System", "The Agile Business System", "Baseline Perspectives", "Architecture Wall" and "Archistry Execution Engine" are trademarks of Archistry Limited.