Security is hard to demonstrate. Business, c-suite or senior management always want to see concrete and measurable outputs. Nobody cares how many attacks you prevent or how you catch attackers before any compromise until a doomsday when you fail. Security architecture suffers from this flawed point of view too. That is why everything must start with the same simple terminology, perspective and approach so that it will help the business understand the concept in your context. Only then they may meet at your action line.
What is Security Architecture
We need to start with the definition of “security architecture”. When you look up its definition, you may come across many. Simply put, security architecture is to securely transform business needs and security policy into concrete and sound measures in a structured way. In other words, it is to secure systems against threats in a risk-based approach based on coherent and flexible principles.
The scope of security architecture is not predefined or fixed that matches for every need. It depends on an organisation’s objective, attributes, problems and target groups and is related with a reference architecture. Security architecture can not be independent of other architectures such as business, information, application and technical. It is not only a vantage point on the underlying other architectures, but it also covers them like a surface layer.
Business Benefits of Security Architecture
The main benefit of security architecture is its standardization. It helps to gain harmony between the balance and consistency of the information security of the entire organization. Security architecture is cost-effective due to the reusing of controls and generic building blocks described in the architecture. This structure provides some business benefits like as following:
- Reducing the actualization time, size and complexity in projects.
- Realization of new services faster and with less effort.
- Limitation of waste of resources through imbalanced and incompatible measures.
- Realizing a more stable, uniform and a better demonstrable level of security.
Since many benefits are hidden and indirect, to what extent these are achieved depends on various factors such as the maturity level and dynamics of an organization, the complexity of IT infrastructure, business risks and so on. Also, it is challenging to realize cost savings in security. The costs of specific measures in IT are also often ambiguous which complicate to identify the savings there. For example, investing in a security architecture in case of incurring expenses for ad-hoc solutions may not regain the costs quickly. For this reason, based on the savings, a security architecture for an organization provides advantages as a whole, not solely for each project or specific system and it should be considered as a cumulative and comprehensive gain.
A Simple Operating Model of Security Architecture
There are various frameworks describing architectures, such as Sherwood Applied Business Security Architecture (SABSA), COBIT, The Open Group Architecture Framework (TOGAF) and so on. Using frameworks can provide the alignment of defined architecture with business needs, goals and objectives. Regardless of the methodology or framework being used, the security architecture should be based on the risk profile of an organization. It should be transparent, essential, concrete, coherent and depending on other architectures (business, information, application and technical).
In connection with this, there are the target groups (stakeholders and users), the interests/needs of these groups and the parties who implement the interests/needs. The stakeholders (business) are those who want their needs/interests included in the architecture and the users are those who use the architecture, and the interests may be objectives, attributes, governance, security policy and other architectures. In this context:
- Firstly the objectives and risk profile of the organization must be determined in advance. The degree of security must correspond to the value of the information and risks that the organization accepts.
- Secondly, the organization must have a governance structure that clearly defines the depth of levels in which a security architecture can be operated.
- Thirdly, the organization must build a security policy that incorporates the basic information security principles and the classification of information.
- Lastly, the related controls/measures have to be matched to the business risks regarding the classification.
To sum up, success criteria for security architecture depend on having a common language with business, a clear information security policy including a classification system, the usability for the target groups and well-defined scope.
Useful Resources
- https://www.cisomag.com/top-five-ways-to-talk-cybersecurity-with-c-suite-and-board/
- https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecturea-top-down-approach
- https://www.csoonline.com/article/3326301/a-layered-approach-to-cybersecurity-people-processes-and-technology.html
- https://www.scottmadden.com/insight/security-operating-model-strategic-approach-building-secure-organization/
- https://www.pvib.nl/kenniscentrum/documenten/expertbrief-security-architecture/downloaden
The featured painting above is “Architect’s Dream” by Thomas Cole