No, I’m not talking about whether you may have two or three toes. I’m talking about the real issue behind the 7th, and actually the far deadliest of security architecture sins: sloth. Thanks to our toe-challenged friend, we tend to think of sloth as being simply slow. Sure, this is a problem—especially in security architecture.
However, being slow is nothing but a symptom of a far bigger, underlying problem. And that problem is…
Apathy.
Now you might not think this is a real problem, and that’s ok. I know you work hard, and you do what you think you need to do every day to try and “fight the good fight” of security architecture.
Let’s face it: if you didn’t, you probably wouldn’t be reading these emails.
However, apathy comes about because of another feeling we probably don’t really want to admit we might have: despair. And the definition of despair is:
A lack of hope.
In this case, it’s the lack of hope that you’re actually going to have a real chance to do any kind of proper security architecture that doesn’t involve you choking on the weeds of infrastructure for the rest of your days. It’s the lack of hope that someone – somewhere – will finally listen to what you’ve been trying to say about getting closer to the business…talking to people outside of IT and security about what they’re really trying to do…and maybe, just maybe…doing things differently.
Because if you did that…if you had a proper security architecture that was linked to the business, was easy to digest by everyone from the CEO to the security operations and threat response teams…
You’d find it very, very…very difficult to be accused of being slow.
Because everything you needed to make decisions quickly was right there. And if you happened to be using The Agile Security System™ as the basis for your security architecture work, it’d not only be right there—it’d be on the wall. And it’d be so big that you’d have a really hard time ignoring what you had, what the gaps were and where you needed to be focused to better support the business.
But…you’ve tried to make the case a million times.
They just don’t get it.
You can’t seem to escape the operational quicksand…and when you’re asked for anything remotely strategic, you have no choice but to start from a blank sheet of paper—or, maybe, you might have a security strategy and roadmap you did 12-18 (or more) months ago to work from. Which, even if you had, you’d likely need to spend quite a bit of time remembering how it all fit together.
So, really…what’s the point. I mean, it’s a paycheck. They’ve said “no” to business-driven security architecture, or…it’s been pushed down the priority list. Or maybe, they’ve even come to associate the name of something like SABSA with the curse of Lucifer – the Devil himself – to the point that you dare not even mention something like this because you know you’ll get thrown immediately out on your ear.
Or…I’m totally wrong, and the words “apathy”, “despair” and “hopeless” have nothing to do with the way you think about doing security architecture in a way that transcends the limited, infrastructure-centric view that contaminates the minds of many in our profession. Maybe you’re doing it all, and you’re doing it already.
I’ve no idea.
What I do know is:
- this problem is real in many organizations, and it’s probably the single biggest blocker to actually building any kind of effective security architecture program,
- ways to avoid the despair associated with the security architecture sin of sloth are what you’ll find in the pages of the March issue of the Security Sanity™ print newsletter,
- you’ll only be able to find solutions to this and the other 6 deadly security architecture sins if you subscribe in time to make sure the print edition is shipped to your door (free of charge, anywhere in the world), and
- you only have about 4 hours to subscribe in time to make sure you get it.
To do that, here’s the link you need:
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
