December 28, 2012 | Written by: Andras Szakal
Security continues to be of paramount concern to government, large enterprise and anyone who uses an internet-connected device. Yep, that would be everyone. However, nothing seems to be working to stem the tide of security breaches, especially within large interconnected organizations with a significant IT infrastructure. Most organizations, including government, have tried to attack the problem through a myriad of initiatives, for example defense in depth, defense in breadth, risk frameworks, layered defense, etc. None of these strategies seem to be working, as cited by Verizon in their latest Data Breach Investigations Report (http://goo.gl/vhRQA). To paraphrase, cyber-attacks and occurrences of data breaches continue to rise even in the face of increased security spending.
A recent article in Dark Reading (http://goo.gl/Wd7JL) does an excellent job of identifying part of the challenge with the industry’s current strategy. It’s an issue that’s near and dear to my heart as one of the primary authors of the OpenCA standard. OpenCA is the most recognized global architect certification program, managed by the Open Group (http://goo.gl/6e4o5). In the Dark Reading article, Tim Wilson correctly identifies the problem with how organizations (and the government) approach implementing enterprise security. His thesis is that enterprises must give security architecture top billing alongside enterprise architecture. He also correctly recognizes the success of enterprise architecture (EA) and some of the most successful EA approaches like TOGAF (http://goo.gl/6nQ7f) and, by extension, the need to implement an Enterprise Security Framework (ESF) as part of an EA. This is where Mr. Wilson and I part ways as to the crux of the problem. I agree that every organization should implement an ESF. However, security is a key element of an Enterprise Architecture (EA) and should be implemented as part of the overall EA roadmap. Each and every project should be evaluated against the EA and associated ESF. IMHO, Mr. Wilson suggests, incorrectly, that the problem lies in a lack of Security Architect roles in organizations.
I agree – security architecture is very important and lies at the heart of the industry’s problems. However, as most in the architecture profession know, I do not believe in the role of the security architect. Why, you say? But doesn’t the implementation of an ESF necessitate the role of security architect? My reply is, nope, not at all…and that’s part of the problem with folks’ understanding of architecture and the role of EA. Security is a foundational principle of any decent Enterprise Architecture. Architects by their very nature are multi-disciplinary. Security is a key element of architecture…any architecture. Most security specialists have a very narrow range of experience, usually limited to network protection. Slapping the title Security Architect on any of these folks will only exacerbate the problem. Security and Risk Management must extend into every layer of an Enterprise Architecture.
The problem isn’t the need for security architects; it’s a lack of respect for implementing an ESF as a key element of an Enterprise Architecture. Yes, there may be a need for many Enterprise Architects to obtain better security training; however, it’s not the primary problem. The primary problem is an organization’s lack of understanding or willingness to implement an ESF as part of the overall EA. Another possible issue is the unwillingness to recognize that security is not just an operations or network protection function but requires a comprehensive approach, one which desperately needs to be part of an organization’s Enterprise Architecture. A good bet is that most organizations have considered this approach but are unwilling or unable to bite the bullet. At the end of the day, the lines of business are still not willing to fund security over business function. Establishing a comprehensive ESF as part of an EA would go a long way to ensure that a proper risk assessment is completed for each new business function implemented. In addition, new security products would only be implemented if they integrated with or complemented the overall EA plan. IBM has an excellent Security Blueprint and Framework (ESF) that any organization can adopt (http://goo.gl/wS2cp). But first you need to have a well-formed EA and the organizational fortitude to enforce the ESF as part of the overall EA lifecycle.