Many organizations view security as an attribute for assuring service quality, the reality is that security has more to offer. A mature security organization provides the enterprise with a comprehensive security strategy and management across identity and access management, applications, infrastructure and technology operations. Such an organization can describe the services that they provide but they also need to work with enterprise architecture to define the security capabilities required by the enterprise.
The reality for a large number of organizations is that security is often a painful discussion point and enterprise architecture often does not understand the security requirements or motivations of the security organization. Security controls add additional processes and technology, requires specialized skills, additional effort, impacts performance, increases costs and do not add any functionality to the enterprise services that are delivered. For this reason, security is scorned for adding additional costs and overhead often without a clear, tangible benefit. Many folks outside of the security organization find it difficult to understand additional security requirements to lessen or eliminate the risk of detrimental threats that may never materialize. For these reasons, security is seen as a cost-centre that can be expendable in initiation or challenging times.
Security is also inappropriately sold on fear and emotion especially if recent risks have been realized. As an example, an internet sales company would likely adopt a control/capability to thwart a distributed denial of service (DDoS) attack shortly after they have been exposed of one that brought their commerce site down. It is natural for a realized risk/threat to change the perception of their likelihood but a prudent organization would have assessed the risk and consciously chosen to accept, mitigate or eliminate it. For an enterprise to realize their business and security objectives, they should view security as a capability to respond to operational events.
Enterprise Architecture must also understand security requirements and help define the security capabilities needed by the organization to achieve the enterprise’s business goals. In the above example, the enterprise architect – in collaboration with the security organization – would need to identify the security capability to “protect against online attacks”. In defining this capability, the security organization’s subject matter experts would specify the threat profile faced by the enterprise, and identify the risks to the enterprise. Once the risks and the likelihood of occurrence are understood, senior stakeholders must then decide if they would accept, mitigate or eliminate the risk. The security organization and enterprise architect would provide the details of each option so that the senior stakeholders had the information they needed to make an informed decision.
Organizations that place a priority on security often have a security architect bridge the security organization and enterprise architecture and drive the role as described above. A security architect needs to have oversight of how the enterprise is addressing its identified risks through its people, process and technology. In addition, the security architect needs to have a close working relationship with the security organization to understand the security requirements and drivers.
If you are a security architect or if your organization staffs a security architect, please share your views of their role and how this role works with the security organization and enterprise architecture group. If your organization does not have a security architect and security is a high priority we would like to hear from you as to how your organization bridges the role of the security architect.