May 22, 2020
Today on a call, I heard a story I’ve heard many times before. And the issue crystalizes the difference between security being seen as an order-taker vs. a trusted partner.
What they’re trying to do is define a specific strategy associated with a very high-profile problem within their organization. However, I just found out that they’ve been having trouble getting a meeting to validate some of the work they’ve been doing with the owner of the problem. You see, from his perspective, he’s had a team of people (not security) document the requirements from “the business”, he reviewed it, and he signed it off, before presenting it to security with the wave of a white-gloved hand followed, presumably, by a Picard-like:
“Make it so.”
And when someone from security had the audacity to reach out and want to confirm their understanding was correct, he was, of course…busy.
Now, as you well know, the work of a security program isn’t quite the same as bellying up to the counter in your local McDonald’s and asking for 3 fried chickens and dry white toast. Not the least because I doubt any of us have customers wearing black suits, black sunglasses, black fedoras and answering to the names of Jake and Elwood.
But far too often, thanks in part to our own common approach to delivering security by stopping project after project, our security customers want as little to do with us as possible. In fact, some of them would probably willingly eat McDonalds 3 times a day for a year rather than sit in the same room with “some crazy security guy” or gal who wanted to ask them questions about their requirements for port filtering, phishing worms and deep packet inspection.
So, security ends up being treated like that freckled kid with the braces and coke-bottle glasses behind the counter, slinging fast food and forced to ask, with every order, would you like fries with that because it doubles the annual revenue (which it did, actually).
As a plucky, young security architect infused with the knowledge that there’s more to security – and security architecture – than just wiring diagrams and packet flows, it can be a pretty big slap in the face to have the people who have the answers…
…not return your calls…
…ignore your emails…
…and sprint the opposite direction when they glimpse you about to exit the elevator.
Thankfully, it’s not your fault. You have a lotta history working against you that probably did its damage well before you ever put your head through the lanyard of your very own security keycard. And, also thankfully, it’s a situation that you can reverse…
…but only if you’re prepared to be the bigger person, not hold a grudge and be willing to do your homework.
Because generally, all it takes is learning what’s most important to the person you’re trying to connect with, be it to get a meeting…or even get a bunch of likes on Zoom Bachelorette. You’ve gotta do your homework, you have to make some educated guesses about what’s important…
…and you need to somehow learn to be genuinely interested in whatever it is that matters to them.
If you can figure all this out, then it’s often pretty straightforward to discover how whatever it is you’re trying to do gives you a chance to start a conversation—like helping them deliver their project on time and without security issues, for example.
Unfortunately, getting that background to be able to understand – broadly speaking – what matters most to your business security customers can be quite tricky. And it’s not something that many security people are willing to invest the time and effort required to absorb it by direct immersion and osmosis over years of reading HBR, the Economist, FT and the Wall Street Journal.
But…it is essential in our business – if we’re going to be successful in enabling “the business” – for us to know something about the business.
That’s precisely why Module 2 of the Building Effective Security Architectures program is focused on getting you as familiar as possible with the motivations, language and priorities of the business…
…and to enable you to do it as quickly as possible—all while at the same time making it abundantly clear why and how it matters to the work we’re trying to do as security architects.
Funnily enough, Module 2 often turns out to be the part many people who’ve already been through the program found the most valuable, in part because many security people have never really been exposed to this stuff before.
So, if you’ve ever struggled getting a meeting, making a connection with your business customers, or being able to understand why an experienced, highly-paid business professional would prefer to deploy a service today with known security issues vs. wait 3-6 weeks (or months) until they’re all hopefully addressed…
(hint: it’s not because they’re greedy bastards, either)
…then TODAY is the last working day to register for the July cohort of the program and still get $1,000 off the regular registration fee. Sure, the price doesn’t go up until Sunday morning, but that’s just mostly to give people enough time for the world to spin through quittin’ time in the event they’re waiting for that last-minute, managerial approval.
But if you’re just waiting and debating, and you can’t decide, time’s a wastin. You’re gonna need to decide to join the cohort and save $1,000 of someone’s money (maybe even yours), or your’e going to need to decide to procrastinate just a little bit longer, lose the $1,000 discount, and then hope that the winds of budgetary change blow through town sometime between now and when the final, drop-dead cutoff for joining the cohort will be towards the end of June.
Either way, a decision must be made. The question is will you make it, or will it be made for you. And, I get it, I really do if you personally see the value of the program, want to join, but The Powers That Be (TPTB) are as rigid about COVID-related budgetary constraints as the wooden stake that slayed 10,000 vampires in the 7 seasons of Buffy.
Them’s the breaks. We’ll run it again…eventually. But I can’t tell you for sure exactly when it’ll be. Maybe next year, or maybe not. I’ve a bunch of new stuff in the pipeline, and at least one of them is another, different, cohort-based program. Given I only have so much time to run these per year, it is possible it’ll get bumped until 2022.
I just don’t know.
What I do know is that there’s still a few seats left in July’s cohort, so if you think the skills you’ll develop as part of it will make a real difference in the work you do in the next 12-24 months, then I think you know what you need to do.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
