Building an Architecture for a Strong Cybersecurity Posture
Is architecture an old-school thought in cybersecurity at a time when DevOps, SRE and agile development methodologies are pushing organizations through rapid transformation? A mandate to follow a standard architecture can slow down project delivery at times; architecture is nothing but an abstract PowerPoint exercise … these are some of the comments we hear about architecture, and they reflect a thought process that questions the value added by an architecture practice in cybersecurity. After speaking with numerous cyber executives, and with more than 15 years of my own experience in security architecture, strategy and innovation functions, I can say that a strong architecture is a foundational need for any security organization’s success.
Why Is Architecture Critical for IS Organizations?
Running after new concepts and shiny security toys influenced by vendors’ marketing pitches may successfully convert customers’ “desires into needs,” but it won’t scale well in the future as demands increase. Architecture helps build secure, scalable, reliable and repeatable design patterns that enable organizations to move fast and avoid rework and integration challenges. Without a standard reference architecture, organizations build technology with a short-term, project-specific view that lacks the bigger picture of integration, automation and operational effectiveness. As a result, discrete technologies that don’t talk to each other add more technical debt than value. That is why security organizations are emphasizing the architecture function these days.
How to Build a Successful Security Architecture
- Start with a clearly defined vision & mission statement
Define the vision or goal of the security architecture function. Ideally, it should enable the business to deliver products and services ahead of the competition, faster and more securely, by protecting the confidentiality, integrity and availability of information assets while keeping the firm out of legal, compliance and regulatory trouble.
The mission statement should describe what will be done to achieve that vision. At a high level, it could include setting up the right program charter, fixing processes, building the framework and hiring the right talent.
- Build a solid plan
The plan should outline a phased approach with timeline estimates, from analyzing the current-state deficiencies to maturing the practice. It should state the ask in terms of resources and funding, along with a well-articulated return on investment, to secure management support.
- Socialize with leadership and obtain support
The more clearly and simply the business value can be articulated, the better the chances of getting senior leadership buy-in for funding. Leadership is always interested in learning the value added by an investment in security architecture, so the benefits of architectural initiatives that yield direct and indirect quantifiable business value should be stated clearly.
- Build an ace team
It all starts with the right recruits. Architecture leads often make the mistake of hiring people before defining the structure of the organization and identifying the skills the team needs. Create an organizational structure that aligns closely with security control domains. Hire experts from the industry and from within the organization, aiming for a healthy balance between internal and external hires unless the skill set does not exist internally. Look for candidates with an architectural background and experience in other functions such as engineering and operations. Avoid hiring abstract thinkers who lack practical implementation experience; at the same time, don’t hire people who can do detailed engineering but cannot do the high-level business thinking needed to build a modular reference architecture. Experience and balance on both sides is key for new hires. A good architect should have broad technical knowledge as well as a decent understanding of the business and its processes.
- Build an architectural charter
A clear taxonomy of deliverables and their life cycle, along with governance processes, must be defined. For example, the first artifact produced is the baseline architecture; next, a threat model is performed to identify security holes, operational metrics are gathered to understand inefficiencies, and experts are consulted to identify gaps against industry trends. All of this information is needed to build the target-state functional or reference architecture. Then a product-specific view is built, with technology rationalization, and finally a strategy or road map is created detailing how the organization plans to move from the current state to the target state. A clear definition of design patterns, of which deviations from a reference architecture warrant the creation of a new design pattern, and of how patterns are created, consumed and periodically reviewed for applicability should be fully documented and socialized with partners.
- Innovation and quick prototyping
There needs to be a documented innovation process: how to build an innovation pipeline and how to prioritize it based on business need, regulatory or compliance urgency, operational inefficiency or security risk. Once a control is identified through the innovation process, it must be tested with a prototype before it is considered for detailed investigation and eventually added to the control stack.
- SDLC process integration
The architectural deliverables need to be integrated into the software development life cycle (SDLC) process so that projects consume them, and a mechanism must be built to validate that the architectural patterns have been properly adopted in the production environment.
- Building awareness
It is critical to make all peers and partners aware of the new architectural process. This can include periodic meetings, guest speaking at partner town halls, roadshows and periodic webinars to spread awareness of the architecture function’s existence, its contributions and its engagement process.
- Metrics and data-driven decision-making
Keeping data on resource utilization, project completion and the initiative pipeline available through established methods such as Kanban or Scrum is highly recommended. The architecture team should also collect and analyze metrics on design pattern adoption, business value and similar measures.
- Communicate success stories with the C-suite
The C-suite leadership should be kept apprised of periodic progress and success stories to keep their confidence in the program.