Information/CyberSecurity Architecture
- Joel Van Dyk
- Jun 22, 2020
- 3 min read
I've spent a large part of my career in security doing security architecture. One of the pillars of a good information security program is a strong security architecture practice. Yet I still get challenged (challenged would be the polite word) on why we need a security architecture.
I don't blame a lot of IT people in general, and security people in particular, for asking this question, as there is a lot of security architecture that is practiced in a non-systematic, non-methodical manner which does not deserve the name "architecture". Architecture generally means putting in place a complex and carefully designed structure.
The best way to answer this is usually a metaphor. I spend a lot of time traveling between different places in the world. You can't help but be struck by why different places and cities look the way they do, even within the same culture. Take Paris and London for instance. Paris is a city of stone, often cream or yellow, while London is largely a city of brick, even behind the stone facades. Some thought reveals the answer: Paris sits on top of a thick bed of limestone that is readily available for building. London sits in a river valley where the material readily at hand is clay to be molded into brick. Similarly, my native New York City has skyscrapers, but only in Downtown and Midtown, where the tips of two ancient mountain ranges bring bedrock close enough to the surface to support the buildings. The zoning boards and building authorities in each place then set a series of rules governing how to build, in order to enforce those local standards. That doesn't mean that Paris, or London, or New York has an inherently better way to build in all circumstances. It just means that this way of building is the best way to do it in that location, given the materials and the ground.
The same function is performed by Enterprise Security Architecture within IT and within the organization as a whole. Each organization has a security policy that enforces controls aligned with the business and its appetite for risk. There are many tools and ways to build applications, organize data, and support processes. However, to make progress an organization usually needs to standardize on one set of tools and methods. This maximizes the return on investment in technologies and reduces the time, money, and effort needed to get something done. It also minimizes what is often called "re-inventing the wheel": solving a problem that has already been solved, but this time with inferior results.
The broader way to say this is that Enterprise Information/CyberSecurity Architecture does four things. First, it aligns security technology investments with business strategy, so that security adds value to the organization. Second, it creates a single process to control the security building blocks (applications, technologies, etc.) and the time, money, and effort put into them. Third, it provides a guide for which standards and building blocks to use in which situations (e.g., what code, tools, and technologies to use). This is important for the reasons above, as an organization cannot support every piece of technology on the market, no matter how good it may be. Fourth, and finally, it gives ready access, via a single repository, to the information security strategy and to the guidance security solutions need on how controls should be used to put policy into effect. This last point is particularly important: security architecture done correctly produces a first assessment of the risk associated with any application, technology, or piece of code being introduced into the environment, before it is built or bought.
So, Enterprise Information Security Architecture is one of the essential building blocks of an information security program and of a well-behaved corporate environment. It can solve many problems before they become vulnerabilities in software, and it builds a strong corporate software and hardware "municipal" infrastructure.