By Dan Morrison, Lead Security Architect
It’s hard to be confident that your business is not only protected, but that you’re protecting the right things, making the right security decisions, spending your security budget in the right places, and getting the most out of your security technology.
By understanding the goals and priorities specific to your business, security architecture can determine the exact controls and technologies that provide the most protection, ensure you have the right processes and policies to support them, and confirm through feedback and assurance that it is all working. Not only that, but by understanding your business’ goals, a well-designed security architecture can even turn security into a business driver: not just protecting your objectives but helping you to achieve them.
But what does a well-formed security architecture look like? The ‘physical’ appearance will be different for every organisation, but ultimately it provides you with a framework where your IT security is:
Business-driven: Your controls, choice of products, alignment with standards – all your cybersecurity decisions – are made with the business’ objectives in mind. Security is not a blocker, but an enabler of business; and it might even create new opportunities.
Risk-focused: Understand what’s important and what needs protecting most, quantify the risks to those assets, and apply proportional, measurable controls to them – not just once, but for as long as you need them.
Cost-optimised: With the volume of tools and job titles in the market it’s too easy to over- or under-invest, and it’s not always clear you’re getting value for money. Security Architecture provides clarity on your security spend, streamlines your technology, and ensures you’re getting the desired return on your investments in line with your risk profile and business needs.
Comprehensive but adaptable: Security Architecture often starts with IT or security teams, but should eventually encompass the whole business. This doesn’t mean every team must become cybersecurity experts, but that security decisions account for everyone’s needs. It also acknowledges that businesses aren’t static; a well-formed architecture adapts to business changes, providing a secure framework without needing constant redesign.
Measurable: Like businesses, security isn’t static. A strong architecture will provide metrics for security performance, benchmarked against your expectations, giving you assurance that all controls, tools, processes and decisions are continuously providing the right amount of protection, and gaps are highlighted before they become a problem.
Traceable: Why did you buy Product X or apply Control A? Your business has many stakeholders, so you might not have these answers, but a well-formed security architecture ensures that decisions can be justified to all of them, and that their needs, in their own context, were acknowledged in the process of protecting the business. Your CEO probably doesn’t care that your anti-spam solution has blocked 1,000 phishing emails, but they do care that the business isn’t appearing in the news because of a breach. Your security architecture will demonstrate why your anti-spam is important beyond its immediate outcomes.
Security Architecture is more than just technology. It considers strategy, policies, processes, operations and people, looking at the big picture and drilling down into the detail, to continuously ensure you’re doing ‘enough’ security in all the right places, at all the right times, in a measurable and justifiable way.
To find out more about how we can assist you in managing, improving or developing your security architecture, contact the cyber team at cyber@waterstons.com