How will you know when you get there? That’s the point our pal Kevin Riggins made during his first RSA Conference talk. He wrote up the talk and allowed it to be posted on the Symantec blog. Kevin uses the metaphor of the Winchester Mystery House as a clear (and rather painful) analogy for how far too many people operate their security environments.

In summary, someone with a lot of money decided to follow an unusual belief that led to 38 years of perpetual building… without a plan. Does that sound eerily familiar?

Oh, but it does. Kevin then goes on to espouse the benefits of a security architecture as a way to structure security activities. I’ll take this one step further and say that the security architecture is an aspect of a broader security program. And if a security program isn’t well defined and accepted by senior management, the architecture isn’t going to help much. Kevin does talk a bit about some programmatic aspects, but doesn’t quite say security program, and I think that’s an issue.

Of all the things we can do as information security professionals to help the business, understanding their goals, drivers, and strategies will arguably give us the biggest bang for the buck. If nothing else, it shows the business that we are engaged in what they want to achieve.

He does talk about the need to understand the business and address business issues (which is what I call the “security business plan” aspect of the security program, and it is critical), but that’s not an architecture to me. Maybe I am just getting hung up on the words, but I believe an architecture is an aspect of the program, not vice-versa.

So get your security program in place; then things like architectures, detailed designs, implementation plans, milestones, dashboards, and reports follow. But without a program, what you do every day will be a mystery to senior management. And you don’t have 38 years to try to tip the karmic forces back in your favor, like Sarah Winchester had.

Photo credit: “Dome Plan Drawing” originally uploaded by Pat Joyce