What everybody wants to hear about Security Architecture. For real.

In an earlier article we tackled the question of what Security Architecture is. Today’s article is about why others should care. The first one may be the most difficult question, but this one is the most important question. What’s more frustrating than you slaving away on Security Architecture, and your colleague goes: “So what?”. Or worse: what if your boss goes: “So what?”. Talking about Security Architecture can feel like shouting in the desert with no listening.

Some of your may know I am a Director at the Board of Trustees for The SABSA Institute (TSI). Every year at the COSAC conference we have our yearly face2face board meeting. This year we decided that every board member should be responsible for a focus area. Me and Muhammed MZ Omarjee own the area of ‘framework adoption’. Our goal is to get those organizations and individuals who have not adopted SABSA yet, to do so. If they want to, anyway. This means we test how we position ourselves in the market and how we communicate to those audiences. We have outlined four questions we seek to answer first:

  1. Who are we?
  2. Who needs to know?
  3. Why should they care?
  4. How will they find out?

We have kicked this process off quite recently and are in the analysis phase. We looked at our ‘current state’: how TSI positioned itself up to now and what we did on communication. Next we created a Business Model Canvas for TSI to understand who we are, what we set out to do and who are our customers. We listed the following core customers:

  • Security architects, who may or may not know or use SABSA.
  • Other architects, such as Enterprise Architects or Solution Architects. They may or may not know SABSA, but they might work together with a Security Architect who uses SABSA.
  • CISOs, who tend to own the security domain and may be the boss of the Security Architect or buy Security Architecture services.
  • CEOs/CIOs/CROs/CFOs, who may have concerns about the impact of security breaches on their company.
  • Program & project managers, whose projects must nowadays incorporate the appropriate amount of security.
  • Security staff, who often work with or under guidance of security architects who may use SABSA.
  • Security consultants, who may hold an architect role at their clients or work with Security Architects.

All these customer groups can adopt SABSA in their own way. For Security Architects we would like them to use the SABSA framework. For others it might no more than to understand and speak the language of SABSA. Or it might be to ‘get’ SABSA’s added value in traceability and business-driven security. So the next step in our analysis was to create a Persona and Customer Journey for each of these audiences. I would like to share those personas with you today.

Why do I want to share them with you?

“Yes, but is this stuff not part of your super-confidential marketing strategy, Esther?!”. Sharing is caring and open source is the future!

First of all they could be a useful tool for you to communicate to the other audience groups listed above. I know it says SABSA, but many of the findings are true for Security Architecture as a whole. We can get more people to care about Security Architecture if we understand what they need from it. This might be great news for your career, security in your company or event the quality of your conversations with them. Happy to help!

Second, I realize these draft personas I’ve created might have bias. After all, I am a security consultant and a security architect. I am a woman, I am quite young and I have a focus on security strategy. My own experiences and my interactions with the other groups influence these personas. This is inevitable, but what I hope you’ll do is challenge me so I can get to more accurate, less biased personas. Getting them validated with the people it concerns is my number 1 priority, not secrecy.

Note 1: The focus on is on security and security architecture. Believe me, I am aware the CEO of the average company does not think about security 24/7. But bear with me — if they have thoughts about security, architecture or SABSA, these could be those thoughts…

Note 2: If I offend anybody with what’s in these personas, I am sorry. It is no doubt a result of my bias (and amazing Dutch directness). The reason I have posted these is so you may correct me. Please just help TSI (and me) understand the needs of its audiences better. In the end we all benefit!

Note 3: These 7 personas were what I felt were logical target audiences for SABSA. Our core audience will always be security architects. But I believe that getting the word out to these other 6 groups will make the life of security architects easier by creating an ecosystem for them with people that understand and appreciate what they do.

How can you help me in return?

If you want to help out — AMAZING! You can help like this:

  • Are you a living and breathing person who knows somebody who fits one of these roles? Good on you for making it this far into the article! Can you show the applicable Persona to them, test our assumptions and get back with their feedback?
  • + Are you one of the listed audience groups? Please review and comment on the persona that fits your profile most.
  • + Are you NOT a security architect? What has been your experience working with them? What do you need from them?
  • + Are you a security architect? Please share your experiences interacting with the other audience groups. What are their needs with regards to your role and work? What have you struggled with to communicate to them?
  • + Are you a security architect knowing/using SABSA? Please let me know what communication or materials you would like TSI to share with you? For each of these groups I am also working on detailed Customer Journeys. Security Architects are one of the most important groups for us, as they are or might end up being TSI members. Can we get you to review our Current State Customer Journey for Security Architects by comparing it to your own journey? Pretty please? Let me know via comments or DM.

Specifically to liven up this article I have made an attempt at international and gender-neutral naming and appearance to max out Diversity & Inclusion — for official TSI purposes we will use bland characters. Here they are:

Please leave your feedback in the comments or send me a DM!

Originally published at https://www.linkedin.com.

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account