A Good Read: Adaptive Security Management Architecture
By James Tiller, Vice President, Security Professional Services, North America, BT Global Services
My new book, “Adaptive Security Management Architecture,” is on the shelves. I’m excited about this book for a number of reasons, including the fact that I met a personal goal of writing three books in a decade. But it was a long process, and I thought I’d share a little insight with those who may be interested.
When I began thinking about my third book, security metrics were heating up as a major topic. I soaked up everything I could find on the subject – in and beyond the world of security. I was, frankly, disappointed with what I saw and how metrics were manifesting themselves in the security industry. They were “good,” but in my opinion didn’t speak to the needs of the business.
When I finished writing “The Ethical Hack,” I immediately started on the security metrics book. It was a bear. I collected about 300 GB of material on the subject – papers, articles, models, you name it – from universities, government, and various working groups — to support my research and formalize my opinions.
When I began writing, it was actually about the security model that was necessary to ensure metrics were meaningful. I was on a plane returning from a meeting and was reviewing documentation the company I’d met with had provided to me. They wanted my perspective on their security program, especially their model concerning security metrics.
Everything they were measuring had two distinct qualities. First, they were structured in a manner to represent risk, but used indicators that were very technical and oversimplified. This told me they didn’t fully respect the intelligence of the business executive audience, and the information would have to be explained to draw conclusions, which made the information argumentative and disputable. More importantly, the metrics were drawn from aspects of security they either had no way of influencing or, when compared to the security program, no defined methods for influencing. In short, they were measuring the weather.
At that point I realized I was writing the wrong book. The fact that my manuscript was all about the program and not metrics solidified my decision to change direction. I scrapped what I had been writing for months and started fresh right there on the plane.
In the months that followed, I wrote like a man on a mission. Then, with the book nearing completion, I hit a wall. Not writer’s block – a logical barrier. It can be explained as writing myself into a trap. I found that all my research had skewed my original perspectives, and I had essentially written a book on security services management. It was full of references to ITIL/ITSM and was essentially how to create, manage, and apply security services. I was a little disappointed and scrapped it, yet again. Some of the early reviewers of the book said it was very good: “What’s your problem, Jim?”
The problem was simple, at least to me. I wanted to make it more about the business. I knew my writing on metrics and services management would have a place, but a place in something much bigger. I had always seen security as an enabler. Not a constrictive force on the entrepreneurial spirit within the business, but a means to unleash business potential. Pretty lofty. Moreover, the underlying features of this philosophy were value and the concept of quality.
After many conversations with my wife, publisher, and peers, I came to the realization that the book was really about change and adaptability. The book is a journey. It’s as much a perspective as it is an architecture. It’s high level and meant to be thought-provoking. The architecture is composed of features that will resonate with everyone and be understood immediately.
Nevertheless, it’s how they are plugged together that I think makes the difference and makes it adaptable. The book starts by making what some would call bold statements that set the tone and the basis of the approach. From there it, well, begins at the end – giving you a picture of what the end-state could be. This was the hardest part to write and even today, if I had the opportunity to refine it, I would – but isn’t that always the case? Once the picture is painted, the journey begins.
Regardless of which side of the fence you end up on after reading the book – you may be in the “Jim is crazy” camp, or the “Jim may be on to something” camp – everyone will have many things they can take with them and apply in their own way. I’m very passionate about security and see things – potential – way off in the distance. Of course, this has caused its share of friction with others throughout my career, and I’m certain my views have helped as much as hurt me in some cases. I suspect this book will do much the same.
Interestingly, this is not my last book. I met my goal: three books in a decade. I just managed to get it in with a month to spare. Funny enough, I was so engrossed with writing this book I didn’t care about my stated goal, but that doesn’t take away from the satisfaction of reaching it.
The next book is arguably going to follow the trend I’ve started. My first book was technical; my second, a business view of a technical model; and this third, a purely business perspective of security. The next book is going to leap pretty far out there. But, I guess my readers wouldn’t expect anything less.