How to become the SECURITY LEADER that earns a seat at the table because you have the trust, confidence and respect of both the business and your team!

Why “just speak to the business in their language” is harder than it seems and what over 25 years of hands-on business, technology and teaching experience can do to make it easier  

There’s sure a lot they don’t tell you about being a security leader before you become one—especially if you’ve come up through the ranks of operations. In operations, things aren’t simple, but they are straightforward.

You keep things running, and when there’s a problem, you jump on it, fix it, and then wait for the next one.

That’s what the job is about. That’s what builds your reputation. That’s what gets you paid more.

In short, being good at fixing things – day in and day out, and often under intense pressure – is what success looks like.

Like I said: it’s not simple. But it’s straightforward.

It’s straightforward because you know what to do. And you know what to do because you know what’s expected of you.

And then…you become a security leader!

Being a security leader is very different than being in operations, or even leading an operational team.

Operations is about being in the moment. It’s about making quick decisions. It’s about making small, incremental changes to improve efficiency and effectiveness. It’s the ongoing execution of “continual improvement.”

What being a security leader really means

Being a security leader is about playing the long game. It’s about thinking strategically. It’s about anticipating what the business needs before they tell you.

Being a security leader means making the rules—not following them.

Most importantly, being a security leader is about being able to connect everything you do – and every decision you make – to the business and what they’re trying to accomplish…

…using their language and their measurements for success.

It sounds so easy.

But it isn’t.

Unlike operations, it’s both not simple AND not straightforward—especially if you never needed to know much about business. Or if you never had to think much about what the people who buy from the company actually care about the most.

You might be thinking what customers want is quality.

Sure, customers care about quality. Everybody cares about quality.

But that just gets you on the playing field.

People who buy from the company actually care about a lot more than that. They care about normal things like getting accurate information, how easy it is to deal with the company, and how picking you might save them more time than choosing someone else.

Those are the easy ones.

The tougher ones are about how the products and the company really impact their lives, like:

  • How buying from you rewards them for doing business with you,
  • How your products reduce their anxiety and stress when they’re doing their job or in their personal life,
  • And even how buying from you might make them part of a community of people with the same interests!

Do you know how to relate what you’re currently doing every day to all those things?

And then…there’s “the business” to worry about.

“The business” really only has one job: give the customers something they value enough to want to buy.

So, ultimately, what “the business” wants is what the customers want.

The main difference is that “the business” has a particular approach in mind, and, in today’s technology-immersed world, they can’t do it without your help.

You know this. That’s why you’ve read this far.

But…there are problems actually making it happen.

3 Problems you might be facing right now

Problem #1: you aren't brought in before key project decisions are made

Have you lost count of how many times this happens? Maybe it's even happening every time your team gets engaged.

I'm sure you know the story:

A project owner comes to security after they've already completed the development of "the next big thing." Oh, and, of course, they've promised it to the customer tomorrow.

Why? Why do they keep doing this?

Because they still expect you to just give it a rubber stamp and send it on its merry way. After all, you just need to run a few tests or make sure the firewalls are working and antivirus is up to date, right?

How in the hell are you supposed to approve something you've never seen??!?

Nobody told your team anything about it.

Nobody told your team what it was supposed to do.

Nobody told your team who was going to use it.

Nobody told your team what technologies were used to develop it.

Nobody told your team what information it was supposed to process.

And yet…it's like they want you to just look at the project charter, review a few screenshots and say, "Ok, Bob. That looks fine. Off you go."

It's just not gonna happen. In fact, it can't happen, or you wouldn't be doing your job.

Your job is to keep the organization and its information safe from all the bad guys out there trying to bring you down or put you on the front page of The New York Times.

And if you fail in that job, you know that you're going to be the first to go because something bad happened on your watch. Right now, this is the unfortunate reality. It's just how organizations have chosen to respond.

So, your team circles the wagons and makes sure everything will be ok. Sometimes, this takes a couple of days. Sometimes this takes a couple of weeks.

Either way, you're the bad guy, because all your team ever really seems to do is walk around waving big, red STOP signs and shutting everything down.

Behind your back -- and sometimes even to your face -- your team may be known by names like "the Business Prevention Department" or "the Department of NO."

But you have to do it.

If you don't -- if there's a breach -- nobody will care about the customer pressure and the deadlines because they expect you're going to keep them safe--and you didn't.

Which brings us nicely to…

Problem #2: everybody thinks YOU actually own the risk

But, of course, you don't. You can't.

Your job is to make sure information, technology and cybersecurity risks are managed to an appetite set by "the business."

How does this work in your organization? Is that appetite really set for anything other than financial and maybe operational risks?

Or, is the "risk appetite" you're supposed to support essentially: "don't get breached"?

Do you have clear risk owners for those information, technology and cybersecurity risks?

Are they really engaged and aware of the risks they own?

Do they know how their own performance objectives would be impacted if those risks weren't really managed?

If you do and you can say "yes" to the above, you should consider yourself lucky!

In our research conducted over the last couple of years with security professionals world-wide, less than 1% of people we spoke to could make those claims.

In most of those organizations, risk was a dirty word that everyone wanted to avoid like the plague. You could almost see people ducking and diving out of the way so anything with the word "risk" associated with it didn't land on their shoulders.

In reality, the only risk you can own as a security leader is whether you're doing your job as an advisor and subject matter expert.

Your risks are about how well you're helping people identify and quantify the risks they own.

And you can't do that if you're not engaged early enough (Problem #1). You also can't do that if you suffer from…

Problem #3: you don't have enough people to keep up with the work you need to do

Last year's industry statistics say that the average security team:

…deals with 346 security incidents per week…

…meaning over 25 incidents per week per analyst…

…implying you need at least 15 full-time people just handling incidents.

So what about everything else?

What about doing security risk assessments?

What about doing threat intelligence evaluation?

What about doing security strategy and architecture?

What about dealing with all those requests from "the business"?

What about closing all those pesky, check-list audit findings?

With 68% of security teams struggling because they lack resources, at least it means you're in good company. Most organizations don't have it figured out either.

But not having enough people is one thing. Keeping them is certainly another. Those same stats say many of the people on your team will up and leave after 3 years because they just can't take the pressure.

They can't take the pressure? What about your pressure?

Not enough budget to hire people. Endless and increasing waves of attacks. "Do more with less" as a recurring mantra…

It's like they expect you to work miracles!

How are you supposed to work miracles when you may feel just like that hamster on one of those little exercise wheels, always running and running and running…only to get nowhere?

And you're probably only on that stupid little wheel because you're probably not in the loop early enough, and because people don't really understand risk AND because your staff is over-worked and constantly stressed.

So, what's likely to happen?

Things come across your desk, and you don't really know whether you're really safe or not. And because you don't really know how safe you are, it's hard not to slip into that tar pit trap of endless fire-fighting.

What else can you really do if you can't see that far ahead?

This is where your old, operational, "let's fix it now" reflexes kick in. They kick in because you're under pressure, and that's exactly how you handled it and what you did for years.

It always worked before, right?

Yet every day, you slip just a little deeper into that sticky goo--maybe afraid you'll end up like that saber-toothed tiger you saw in the museum or on TV as a kid.

Permanently stuck.

You know you shouldn't "just react." You don't want to do it. You fight it.

You know that somehow, you've gotta get off that hamster wheel. Somehow, you need to break the cycle of fire-fighting--of reacting.

You need to be more strategic. You need to be more aligned with the business.

But how?

Why frameworks and training will only get you so far

When you're sick, you go to the doctor. You make your appointment. You sit down with them. You explain the problem. And, most of the time, they give you some pills. You take them, and after a week or so, you're fine.

When you're stuck in the cycle of fire-fighting, feeling stressed, overwhelmed and maybe even angry at all those piss-heads out there trying to break into your organization…

…the organization you're trying to protect…

…the organization you're being paid to protect,

You have a pretty small set of options:

Option #1: "physician, heal thyself!"

This one is usually the first port of call. You may try to get more involved in what the team's trying to do. You may end up working extra hours. You resolve you'll somehow "be strategic."

But it's hard.

There's only 24 hours in a day, and you're already probably working at least 12 of them--if you add up all the time you're reading emails, responding to messages and basically keeping tabs on the team outside of normal hours.

Eventually, it wears you down.

Both adrenaline and willpower are finite. When they've reached their limits, you must find a way to recharge your batteries.

How will you do that if you're stuck on that hamster wheel? More willpower? More determination?

Where can they possibly come from?

Even then, even if you manage to recharge your batteries, it doesn't really work--at least, not for long.

And besides, if you could really do it yourself, wouldn't you have already done it?

So you keep looking. You might see, read or hear about "best practices" or ways other organizations have solved this problem, so you might try…

Option #2: adopt a framework

This one is another common choice for trying to be more strategic and relevant to "the business." If you don't already have a good structure or process to help make sure you're "doing the right thing," then a proven framework is a necessity.

Unfortunately, there's a question you need to answer first: which one is the best one?

Because there are so many to choose from!

The usual suspects in the US are from NIST -- SP-800 and the more recent CSF -- and the old, yet new again SANS/CSC "Top 20". But outside the US, things become a veritable acronym soup: SABSA, COBIT, ISO/IEC 27001/31000, M_o_R, IRAM2, and the list just goes on and on…

Once you pick one, you're still a long way from getting any better. In fact, you can guarantee that things will get worse -- and sometimes MUCH worse -- before they get any better.

That's just how change works.

And that also assumes you've picked one that is both effective and practical to adopt.

Now that you've picked a framework, you basically have 2 ways forward:

  1. Take the time to learn it yourself, or
  2. Hire someone who's an expert to run the change program for you.

In the first case, you're back to all the issues with Option #1. You're struggling to manage the day-to-day load, and you've now signed up to run a change program while asking your team to do even more each day.

It'll be tough going, but it can be done.

In the second case, the biggest challenge will be making sure it will stick.

You see, normally, because the team doesn't have the time, energy, or sometimes even the desire for change, "The Expert" will do most (if not all) of the work.

The problem is, "The Expert" doesn't really work for you.

Sure, they'll do the work. They'll write all the documentation you ask. They'll build you epic presentations, and they'll diligently customize their own templates just for you.

But when they're done, they're probably still only going to throw things over the wall, get on their shiny, silver airplanes and fly off into the sunset (…and all while dressed in their impeccable Armani suits).

Where does that leave you?

Technically, you've "adopted" a framework, but will everyone on the team really know how to use it? Will they understand why (and how) it was customized for you?

Or, will it end up in a drawer somewhere right next to that document with the title 5-year Strategic Plan?

Again, it's possible to make it work, but even then, odds are, you'll still need…

Option #3: train the team

Training is a key element of growing the capabilities of your security team. In fact, it's critical.

Unfortunately, it too has some challenges…

First, if you're adopting a framework at scale, you need to train, well, everybody.

Who's going to mind the shop while half the team is away on a 3 to 5 day training course?

Right. The rest of the team will need to do it.

Remember Problem #3, you don't have enough people?

How you manage the rotations and knowledge sharing with the rest of the team is critical. It's normally just not practical to train everyone at once.

Second, if you're not adopting at scale, you're probably not really going to get much long-term value out of the training at all.


Because there won't be enough people who know what they need to do to create any kind of change inertia. And without enough inertia, Newton's laws of [organizational] physics apply:

"An organization at rest stays at rest" (Sorry Isaac).

We see this all the time. In fact, when we polled people who had been through security framework training, HARDLY ANYONE had actually managed to put it in use in their daily work!

Not only that: months or years after the training, many weren't even really able to recall how key concepts fit together because they never had the chance to use them.

They only remembered the broad themes.

Does that make sense as an investment? Did the training lead to real, lasting change and closer alignment with "the business" in these organizations?

No. It didn't.

Change and the development of new skills is a bit like planting new trees from seeds. Planting the seed is only step 1 of a very long growth process.

If you don't make sure there's plenty of time and space for it to grow before you unleash the herd of angry bulls -- snorting and sparring with each other and without much care to what's under their feet -- that new seedling that's just sprouted out of the ground is going to be trampled to pieces!

And yet, that's often exactly what happens with training…

You send your best and brightest. If they're lucky, they don't have to do 16 hour days just to keep things going back at the office, and they actually have a chance to really engage with the course.

If they're not so lucky, they'll join the ranks of millions of "course zombies" around the world just trying to survive the experience, only to return more burnt out and disillusioned than before.

Why would they be disillusioned and not "energized agents of change"?

Most courses are like drinking from the firehose: too much information too fast to process and next to no time to actually practice much of what you've been shown.

And by the time you see something really useful that would make a real difference back at the office, it's already far down the street getting washed down the drain by everything getting covered in the next 8 hours. One tiny leaf of hope riding a torrent of never-ending, soul-destroying slides.

However, if the instructor does their job, your best and brightest show up the Monday after the course chomping at the bit to put what they've learned into action…

…but there are yet more problems.

If you haven't got a plan for how to leverage that learning when your team gets back, they're going to be trampled just like that sapling was by the angry bulls.

If you don't have a plan, any energy and enthusiasm they have to try and put what they've learned into action won't last past opening their inbox. By lunchtime, they'll once again be so immersed in their old daily grind, there's simply no time or space left to try and do things differently.

If you don't have a plan, even if they do somehow manage to avoid the stampede, they will still struggle to figure out how to integrate what they've learned into your organization, your team, and your expectations. And history says they're not likely to get it right the first time either.

So, basically, things are worse than before:

The team's learned all this cool new stuff they don't have a chance to use…

…trying and getting it wrong may have dented the team's credibility with the business…

…and as a result, your own expectations for doing anything different can't possibly be met.

Everybody gets a punch in the nose.

So what does it really take to make all this work?

How to successfully lead change and transform your organization—and your relationship with the business

It takes you. It needs you to step up and lead from the front.

And notice I said "lead," not "manage."

As you may know, one of the key mindset differences between management and leadership according to Harvard Business Review is that managers act to limit choice, tend to focus on compromise and avoid risk.

Leaders live by their imaginations, are just fine with lack of structure and have an overriding drive to transform their organizations to be the best they can be.

Here's a quiz: which one sounds more like the typical security professional to you?

…and which one are you, right now?

If you already have a "Leader's Mind," then that's great! You've already made the crucial transition. And you're ready and committed to doing whatever it takes to build a more effective security organization.

If you're not quite there yet, that's OK too--as long as you understand the change required and you have the desire to make it happen. Making this conscious commitment is basically the rite of passage required of yourself. Just remember, however, that it's not an easy one to keep.

But, if you're in the third camp: comfortable in a management mindset, upset at why I think that's not where you need to be, and you aren't yet ready -- or may never be ready -- to walk that path: that's fine--there's just not a lot I can do for you though. Thanks for reading this far, and I hope it was useful.

For those still with me, let's talk about how to get you over that next hurdle and on your way to transforming you, your organization and your relationship with the business.

What if there was a way to not only know how to relate anything you do to what "the business" and the company's customers want but to do it in a way that was drop-dead obvious to anyone--from the Chairman of the Board to the most junior member of your team?

I know it may be hard to believe, but there is a way.

And it's based on a proven methodology that's been around for over 20 years and that was originally developed to prevent payouts of $603 quadrillion in a single day should something have gone wrong.

In case you don't regularly use "quadrillion" (and why would you?), there's 17 zeros in that number. At the time, a single day of screwups would've cost 18 thousand times the global combined GDP for the entire planet--to one organization!

And do you know what?

It worked.

It worked then. And it works now.

I know because I've been using, teaching and implementing this methodology in well-known, global companies across 5 continents for over 14 years. Those companies include major-name banks; utility companies; Internet and media companies; health care and telecommunications providers—and even petrochemical manufacturers.

The methodology I'm talking about is SABSA®.

It's the best there is.

And yet…it's not enough on its own.

You need to have the skill and experience to understand how to take it and integrate it into an organization. You need to understand when to be flexible and when you need to drive change.

The best part?

You don't need to spend 14 years learning, tweaking, adapting, sanding, filing and aligning SABSA yourself to understand how to get the most out of it in your organization.

All you need to do is let me help you use it as the basis of your security program transformation so that the elusive business alignment you seek appears as if by magic--simply by following the methodology.

The right way.

For your organization.

Introducing the Archistry™ High-Value, High-Speed Security™ Leadership Coaching Program

This is a truly unique program combining the proven strengths of the SABSA methodology with over 25 years of my own personal experience in business, technology, security, software development, risk management, marketing, sales, speaking and teaching.

Yes, I know it may not seem possible, but I've actually done (and still do) all those things.

The goal of this program is to help you create the changes required to increase the visibility and alignment of security in your organization (the high-value) and to ensure security operates at exceptional levels of effectiveness and efficiency (the high-speed).

And the greatest thing about this program is that it's all about you.

It's about accurately understanding where you are right now, and developing a clear picture of where you want to go.

It's about gaining clarity on the scope of the change you're comfortable making vs. the scope of the change you know is actually required.

It's about understanding how fast you want to go and where you need to start to add the most value to the organization.

Once we gain clarity on all the above, then we get down to the real work of supporting, guiding and mentoring you where you need it most.

Here are just a few of the things I've worked on with other clients in the past:

  • What you MUST NOT say to “the business” if you want to build your credibility and gain their trust
  • How to nail the executive security briefing (even if you only have 5 minutes)
  • Why you MUST challenge your external threat intelligence reports (and why they aren’t telling you the whole story—on purpose)
  • How to DRAMATICALLY ENHANCE the effectiveness of your security service catalog by making only two simple changes
  • Why executives keep asking you the same questions (and how to stop telling them what you know and give them what they need instead)
  • Ways to easily adopt ANY external framework (without throwing out everything you’re already doing)
  • Why you should TEAR UP your security policies if you want better security
  • When doing LESS work actually gives better and more usable risk assessments (and the one thing you need to have to make it possible)
  • Why it’s so hard to get face-time with “the business” (and how to get them asking for your help)
  • How you can smash silos in the team by playing games (yes, games!)
  • Why it’s not your fault nobody understands security architecture (and what you need to do to build one anyway)
  • What it really takes to STOP solving the same problem over and over again (and what you should be doing with all that time instead)
  • Why most security maturity scores are meaningless (and how to really measure the progress of your program instead)
  • How to 5X, 10X or even 100X your security responses by using 3 productivity boosting tools most security teams have never seen
  • When NOT to write documentation (and why it will actually make people more effective)
  • The parts of the NIST CSF you can safely ignore (and why nobody will ever ask you about them either)
  • Why security leaders MUST forget about operations (and what they need to focus on instead)
  • How to break the operational fire-fighting cycle (and what you need to do next)
  • Where to focus during your first 90 days of SABSA adoption
  • Why nobody should need to do it all (and how to keep your people from killing themselves trying to)
  • How you can deliver Agile Security—even if your organization isn’t

So how does it work?

How the program works

The structure of this program is based on everything we learned doing a closed beta last year. Based on client feedback and internal review, we've been able to nail down what the right structure and value should be and how many people we can handle at once.

We'd originally started with 15 openings in the program, but since we've already had some sign-ups from people we'd asked to review the draft offer, we only have 12 slots left.

Another thing we learned: we won't take just anyone.

I want to make sure not only that the program is a good fit for you, but that you're a good fit for the program. That means that you can't just click the "BUY" button and sign up.

Instead, the first thing that will happen when you're interested in being part of the program is that you'll need to set up a call with me or one of my team.

On this call, we'll talk about where you are, what you want out of the program and what changes you're going to make from your side to give the program the best chance of success.

If we don't think you're really a good fit for the program, we won't let you in.

Why? Because I don't want to waste anyone's time--yours or mine.

I want to make sure the people in the program get all the value they can and have the right mindset.

It's also because I'm not your mother or your boss. You already have those, and you shouldn't need me to keep hounding you about setting up meetings or making progress.

Sure, life can happen, and it can throw us all for a loop. But it's what happens next that says more about you and your chances of being the best leader you can be.

Once you've shown you're up for it, the next thing that will happen is our first 30-minute kick-off call.

This call is to really dive in and set the scope of what you want to achieve and agree the best way I can support you getting it done.

During that first call, we'll agree a rough plan and a concrete next step.

From there, you have the option of setting up one of 7 more 30 min coaching sessions to set new goals, identify things getting in your way and agree what you should do next…

…OR you can set up one of the 3, 1-hour deep dive sessions so we can really tear into a problem, review some work product or gain some insights on a vexing issue you might be having.

Based on what you're doing, we have a lot of comprehensive documentation, process templates, worksheets and reference models you can leverage so you won't need to figure everything out on your own.

Basically, it’s everything we’ve learned from helping customers just like you build more effective security programs over the last 14 years—AND it’s all included as part of the package.

Since one of the biggest challenges of being a security leader is the sense of isolation and not having people you feel you can really talk to, you’ll also have unlimited* email access to me.

This means that I’ll do my best to answer any questions you have or work with you solving problems via email outside our regular sessions. You can send me as many emails as you want, but within reason.

If you’re sending me 100 emails a day, and they don’t have anything to do with the program or you’re asking me to do your job for you, then I’m going to give you a warning. If the behavior doesn’t stop, then I’m going to boot you out of the program, and I’m never going to let you back in—ever.

But, I know you’re not going to do that. Anyone who’s really committed to doing what we’ve talked about above isn’t going to abuse this privilege.

You’re also going to get a certificate that you can use for up to 35 CPE credits to maintain any professional certifications you may hold (and it’ll also give you something to show HR that you actually did complete the program, if your organization requires that sort of thing).

Normally, this kind of access to me would cost between $50,000 and $200,000 and be part of a dedicated change program. Archistry has been doing these kinds of engagements for a long time, and we generally only work with large, global organizations. And given the nature of long-term change, those figures represent only a fraction of the average total investment in a comprehensive change program.

But since we can only do so many of those at once and it was clear from our research that there were lots of people struggling with the same kinds of issues, we decided to put together this coaching and mentoring program so we could help as many security leaders as possible.

We’ve distilled the essence of the kinds of guidance and support I give each member of the leadership teams during our long-term engagements into something accessible to nearly every organization—not just the global companies with big budgets.

Even though the above has been more than enough to give our pilot clients results, since this is the first official launch of the program, we’re going to throw in some additional bonuses for everyone who’s ready to get started now.

After we fill the remaining 12 openings, the price will go up and these bonuses won’t be available anymore.

Your additional, limited-time bonuses include:

  • A 43% promotional discount rate until March 29th or until the program is full
  • Lifetime renewals of the program at the same, discounted rate
  • At least a 10% loyalty discount on future Archistry coaching and training programs (named individual clients only)
  • 2 bonus 90 minute training and Q&A sessions for your entire team


I don't want you to be "satisfied." Being "satisfied" is for power tools and toasters. I want you to be exceptionally EFFECTIVE!

If things get off track, or for some reason just aren't working, I'll give you 3 free sessions of extra access so we can address the problem and start moving forward again.

If we still can't manage to resolve it after those 3 sessions AND you've put in the time and commitment to try and implement what we've agreed, I'll give you double your money back within 30 days.

What Security Professionals and Industry Innovators are saying about Andrew and Archistry’s High-Value, High-Speed Security Leadership Coaching Program

A True Thought Leader

"Andrew is a highly skilled and experienced architect and consultant. He is innovative in his thinking and a true Thought Leader in his specialist domains of knowledge--in particular the management of risk. Andrew has also been a significant contributor to expanding the SABSA body of knowledge."

John Sherwood -- SABSA Creator and Chief Architect

Fabulous Consultant

"Andrew is a fabulous consultant and presenter that you simply enjoy listening to as he manages to develop highly sophisticated subjects in a very understandable way. His experience is actually surprising!"

Biljana Cerin, Director, Information Security and Compliance

Real Security Architecture

"With Andrew's help, I have learned more about real security architecture than SANS or other basic courses would ever provide. I could not recommend him more highly as a teacher/mentor in this space."

Simon -- Global 300 Security Architect

Makes Things Work

"Fabulous person to work with. Very engaging and insightful. Extremely good technical knowledge with ability to relate concepts together and overcome differing opinions. Makes things work."

Kevin Howe-Patterson -- Chief Architect, Nortel - Wireless Data Services

Clarity, Depth and Breadth

"Andrew was able to bring clarity and great depth of knowledge to the table. His breadth of thinking and understanding of the business and technical issues along with a clear and effective communication style were of great benefit."

Doug Reynolds -- Product Manager, MobileAware

Common questions about the program

What if I'm an independent security leader? How can I join the program?

The program works for both full-time and independent contractors who are currently security leaders or who aspire to be one. If you're looking to make a career change or apply for a more senior position than you've had before, let us know as part of the application call what your situation is, and we'll help you work through some options on how you can join the program--even if you think it might be a stretch for your personal budget.

What if we don't get along?

Sometimes it happens. People just don't click, and that's ok. This is part of the reason we have people apply to the program rather than just letting anyone in, because we know that some people just aren't a good fit, or that not everyone will get along with me.

If you make it into the program and it still somehow happens, that's ok. If we really do have a personality conflict or we feel that the relationship just won't work within the first 30 days, I'll give you a full refund--no questions asked.

How can you charge so much? It's more than XYZ training program, and only a fraction of the hours!

That's true. There are training programs out there that cost both more and less than the program, and I've been through or taught many of them. The issue isn't about the cost for the time. If you really don't think there's enough value in the program after reading everything so far, then there's probably not more I can tell you to change your mind. It's almost guaranteed that you're not right for the program anyway, because you'd probably be more focused on how you can make the guarantee work in your favor than on accomplishing what you wanted in the program.

There are only a handful of people in the world who have the experience I have working with global organizations in transforming their security programs, and, right now, none of them are offering anything like what I'm offering here.

Do you get training as part of this program? Yes, if that's what I think you really need.

But it's a lot more than just training. It's mentoring and guidance in applying either the skills I'll teach you or the skills you already have that you haven't quite managed to gel by working on your own.

Practice time -- and practice time with someone who has your back -- is what makes the program so valuable--not marks on a time card.

You have time to put what you know into practice at the pace your organization will take. In fact, you have up to 12 months from when you start the program to use all the sessions, so that's about 51 times the amount of support you'd normally get with a training program--for a whole lot less than 51 times the price!

What if I don’t know SABSA? You talk about it a lot, but I’ve never even heard of it. Will I still get value out of the program?

Sure, it helps if you know SABSA, because you’ve already got a good foundation we can work from since it’s the best security framework out there to align with the business and help you show the value of what you do.

But, if you don’t know SABSA, that’s fine too. If you’re not interested in SABSA, that can also work, but some of the techniques you’re going to need are based in SABSA practice. I’ve just never seen better ways to solve the problems I talk about above (or for solving the problems we see over and over again in each of the engagements we do).

You don’t need to know it in advance because I can teach you what you need to know. And you don’t need to “do SABSA” wholesale or across your organization. We can go a long way to getting you better results by applying a few simple concepts.

Also, what’s included in the program goes well beyond SABSA too. It’s a summary of everything we’ve used and learned in years of successful (and sometimes not so successful) engagements, so that you gain all the benefits of our learning and the mistakes we’ve made without having to make them yourself.

SABSA alone is just a framework, so you need to add experience (your own and ours) to bring it to life successfully.

Why should I believe you’re the most qualified person out there to deliver this program?

I’ve been there, done it and have both the t-shirts and the battle scars to prove the things I say are possible. I’ve been personally mentored and trained by some of the best and brightest, including John Sherwood, David Lynas and Andy Clark—the authors of the SABSA method and leaders in the SABSA community.

We’ve worked together in client deliveries, and I’ve toured the US, Europe, Africa, the Americas and the Middle East speaking and teaching business, technology, security, strategy and problem solving.

I’m not only a qualified security architect, but I’ve written, tested, deployed and run software for everyone from major vendors and global consultancies to startups. I’ve founded 4 companies, and I’ve done business on 5 continents.

Put all that together, mix well, and you won’t find very many people who have as complete a picture of business, technology and security as I do.

And, if my claims are somehow not standing up to your expectations, and, despite doing everything I can and leveraging all of my experience, I still can’t help you move your security leadership practice forward, then I give you double your money back.

What you get with the program — if you act right now

We went through it above, but here's the summary so you can see it all in one place.

Remember, this is a one-of-a-kind program with unique access to an additional 25 years of business, technology and teaching experience AND everything we've learned delivering large-scale security transformation programs for over 14 years.

The standard program includes the following:

  • A 30-minute kick-off call to set the scope of the program
  • 7 standard 30-minute coaching sessions to set goals, identify problems and agree concrete next steps
  • 3 in-depth, 1-hour deep-dive sessions for problem solving and exploring issues
  • Full access to any relevant Archistry documentation and templates
  • Unlimited* email support
  • Certificate of completion
  • Earning up to 35 CPE credits compliant with (ISC)2 and ISACA guidelines

PLUS your additional, limited-time bonuses:

  • A 43% promotional discount rate until March 29th or the program is full
  • Lifetime renewals of the program at the same, discounted rate
  • At least a 10% loyalty discount on future Archistry coaching and training programs (named individual clients only)
  • 2 bonus 90-minute training and Q&A sessions for your entire team (a $2,797 value)

The above is everything you need to help you make a step-change in your effectiveness as a security leader and build a measurably more effective security program than you have today.

You can start immediately after you've spoken to either me or one of my teams to make sure you qualify for the program, and once you've done that, you have 12 months to complete all the sessions and achieve the objectives we set.

Most people don't take half that long. In fact, many people complete the program in as little as 3 months.

That's why the program is about you. It's your objectives at your pace.

I know I can help you be more effective if you're ready and willing to commit to doing what it takes from your side.

The first thing you'll do to get started is schedule a call with me or my team to apply for the program.

After you speak with one of us and we confirm you're right for the program, we'll give you a link to the payment page.

Once there, you'll supply your credit card and contact details to either pay by installments or make the one-time payment.

After the payment has been processed, you'll see a Thank You page, and you should get the welcome emails giving you important information about the program, including a Coaching Agreement that provides all of the legal details of the agreement and ensures a mutual NDA is in place to allow us to work together as part of the program.

Along with the welcome email, you'll also be given an intake form for you to complete that will be used as the basis for our first kick-off call. The more information you provide in the intake form, the more effective that first call will be.

The only thing left to do after that is use the link to schedule the kick-off call and be ready to get the support you need to become a more effective security leader.

So, you're still reading and waiting for the answer to what's it cost, right?

Once we've filled the program or after the 29th of March, access to the program is one payment of $8379 or three monthly installments of $2967.

However, right now, you can get access to the full program -- and all the bonuses -- for three installments of $1697 or a one-off payment of $4779.

Remember, that's 43% less than the program would normally cost. And it only lasts until we've filled the program or 11:59pm US/Eastern on the 29th of March.

To get started and confirm the program is right for you, click on the button below to schedule the application call.


I’m really looking forward to working with you in the program, and I know that it can make the difference so you can change your relationship with the business, enhance the effectiveness of your team and become a better leader.


Andrew S. Townley

P.S. Remember, there are only 12 slots left, and the discount ends on the 29th of March. If you recognize yourself and have been stuck getting the results you want, this is the best chance ever to make it happen--or double your money back.

* unlimited email access is a privilege. Don't screw it up.

