One thing that comes up from time to time when I’m speaking to security leaders, like the CISO or the CSO or whomever is in charge of the function, is how far down on the priority list security architecture often is. There are always new threats to tackle, new fundamental, health & hygiene controls to implement…new people to hire…or whatever it might be.
And I get that. I can understand why security architecture might seem to be less important than bolting the barn door down.
There’s only one question:
Where do you put that door?
I know…I know…it’s a door. It opens. It closes, and maybe it even locks.
And you can rock up to your local lumber yard and they’ve a bunch of them to choose from. They’re just there for the taking, all sealed in their nice plastic condoms, ready for you to take back to your building site, hit a few nails, and…
Boom! You hang the door.
And it opens. And it closes…so, job done.
Except there’s a bunch of different types of doors—because they do different things. There’s solid core, there’s hollow core, there’s vinyl, metal, metal jacketed, sliding, inward opening, outward opening…it’s a pretty long list.
However, that’s just about the door itself. Then there’s the doorway you’re trying to put it in.
Now maybe, there was one there already, and this is just a quick, in-and-out replacement operation. Or, maybe you’re adding a new door because you’re planning on adding a deck out the back—or making a walk-in garage…or just trying to make sure you can open the room really, really wide to get stuff in and out and make sure you get a lot of fresh air.
You see, where you place that door – and which door you ultimately buy – is actually based on a set of requirements. Those are the things it’s meant to do…
…because it wouldn’t be so hot if you arrive home with that massive piece of art you bought at the show, and there’s no way to actually get it in the room where you want it because the damn door’s too small…or it doesn’t open wide enough.
All these decisions, because that’s what you’re doing. You’re making decisions about the way things are going to be. All those decisions, at least as a security leader, define the architecture of both your control environment and the control system (your team) that you put in place.
Because whether planned or not, everything has an architecture.
You just might not know what it is….
…and if you don’t know what it is, then you can’t do a very good job of proving that you’re doing the right things…in the right place…in the right way…and at the right time.
That means the ultimate choice you make is that you’re either doing the planning up front—even if we’re talking about a light, back-of-the-napkin type of an approach…
…or you’re going to eventually need to invest the time it takes to figure it out.
One of the things I did for my sins was a massive, 2-year project for a large public sector organization. And the first 90% of that project was what I called “architecture archaeology.” It was necessary because the project had been running for about 4 years, most of the original implementation teams were gone, and, basically, nobody actually remembered the real problems we were supposed to solve…
…except the technology ones.
I can also tell you that it was a lot of work. And that it probably wasn’t the best use of my time or the consulting fees the organization I was working with at the time was charging for my butt being in the chair.
But it was a decision, and there might be perfectly valid reasons for making it.
However…the only thing I’m asking you to be conscious of is that you are, in fact, making a decision when you decide to jump in, effectively painting the walls before the roof’s on the house…
…or being the equivalent of the software developer who just sits down and starts cranking out code…because they “know” what to do. After all, they’ve done it a million times before.
Back to the point of all this construction-led rambling: your security architecture is gonna happen with or without your conscious awareness and input.
The decision you need to make as a security leader is whether or not you’d like to try and prune it into a beautiful, intentional and designed Bonsai,
…or whether you want it to grow on its own, like trees in the (disappearing) Amazon rainforest.
If you’d like to give it a bit of a nudge in the right direction…
…not to mention get some practical advice on doing the kind of inevitable architecture archaeology I talked about before…
Then now’s the time to pre-order the upcoming book on how to do all that—faster and easier than you might think is possible.
The launch discount is long gone, but until the 15th of January, you can pre-order your print copy of this book that covers what you really need to know about building effective security architectures—without all the over-the-shoulder guidance and time commitments of the learning experience I talked about earlier this month.
It’s not cheap. It’s $374 now, and it’ll be $497 in January. Oh, and it’s a pre-order, as I said before, which means that you won’t have it in your hot little hands until probably the end of January after the final manuscript goes to the printer.
To get it now, get on over to this lumberyard link: https://archistry.com/go/dgpo
Stay safe,
Andrew S. Townley
Archistry Chief Executive
—
P.S. No, there’s still no fancy sales page. Things around Archistry Labs have been pretty busy lately, but it’ll come. In the meantime, here’s what I said about it before—including the list of bonuses you’re going to get:
So here’s the deal: you’ve heard me talking about the pre-order of the Definitive Guide to The Agile Security System™ print book to ship in January. As I’ve said before, it’s everything I know about how to build business-aligned, customer-focused, architecture-driven information and cybersecurity programs—
Along with a few companion pieces to make the puzzle complete in the form of a number of bonuses that I use every day when I do this stuff with our consulting customers, the students in our training programs and with our coaching clients.
In case you forgot what the bonuses were:
- A fully-engineered guide to using the CIS20 controls with SABSA architectures
- 55 Attributes directly lifted from the AEF Reference Architecture that intersect with – but are different from – the attributes you get in the Blue Book
- Visio, OmniGraffle and draw.io stencils for creating security architecture models following the Archistry Security Modeling Language™ (ASML) notation
- A fully-engineered guide to using the NIST CSF with The Agile Security System, including domain and attribute mappings for the control objectives and coverage of what you’re really doing when you apply it in your security program
- The fully-engineered guide to using the VERIS risk taxonomy in the risk assessments we’ll cover in the core of the Definitive Guide. You need something, and this one passes the “Goldilocks Test” as being “just right” for the 80% of what you’ll need to do in practice
And the core book covers the 7 Principles, the 14 Practices and the 3 Baseline Perspectives™ you’re going to use as the basis of The Architecture Wall™ that provides agile, visible architecture across the whole organization’s business and technical teams.
What I didn’t have before was the working TOC (still subject to change), so here it is:
Chapter 1: The World We Face—why all the things we think we should be worried about aren’t necessarily where our focus should really be.
Chapter 2: Defining Agile—what people may not know about “real” agile and why it’s critically important to both the business and your security program. This chapter incorporates some of the material from my COSAC 2018 talk on Agile SABSA that hasn’t yet been republished.
Chapter 3: Core SABSA Concepts—no, it’s not a book to help you pass the SABSA certification exam, and we’re not going to cover any more than we absolutely need for you to put the Agile Security System to use in your organization as quickly as possible.
Chapter 4: The Principles and Practices of Agile Security—this is a combination of some of the material from the course and some of the information I presented in the August 2019 issue of the Security Sanity™ newsletter that’s no longer available. It’s updated and expanded based on some things that just wouldn’t have fit in the August issue—even as big as it was.
Chapter 5: The Baseline Perspectives™—this is where you really learn the kind of leverage possible from applying the system and the importance of both the 3 Baseline Perspectives and the Architecture Wall in giving it to you.
Chapter 6: Understanding the Business—you can’t protect what you don’t understand, and you can’t hope to get people to talk to you if you can’t relate to what they care about. This is kinda a “business 101” short course to help you better understand the worlds of our security customers (which happens to be a Principle of the system, remember?).
Chapter 7: Building Architectures—here’s where we get into the nitty-gritty of applying everything to build security architecture—in hours, not days. It also covers how you can build a security architecture for anything, and how to go about that process of architecture archaeology I was talking about before.
Chapter 8: Architecture Process Integration—having a system that works hard to keep you safe is great, but you still need to understand how it fits in with all the other systems, methods and delivery approaches you might be using already. We cover integrating the system with the core SABSA lifecycle activities defined by our own Archistry Execution Framework™ (AEF), typical waterfall/SDLC and, of course, our Agile friends—including DevOps and DevSecOps.
Chapter 9: Where to Go From Here—so now you can build security architectures at will…now what? What’s the next step? What do you do with it? How do you socialize and expand your use and influence enabled by your shiny new architectures? Those are all questions we’re going to talk about in this chapter.
And there’s some appendices, references, templates, worksheets and other good stuff—some of which I’ve never before made available outside Archistry—even to our customers and clients.
So there ya go. There’s a lot in it, and it’s going to be a pretty hefty block of paper hitting your doorstep if you buy before the official launch once it’s “finished.”
As always, the choice is yours. Here’s the checkout link again—just in case: