Business-driven Approach for Enterprise Security Architecture

Security architecture is the art and science of modelling and managing the development of risk-free, damage-free, and threat-free business information systems. It is about safeguarding the organisation's goals and assets where security is concerned. It entails putting in place a set of business controls that are adapted to specific business requirements derived from a risk assessment and analysis. The purpose of risk management is to prioritise risks so that organisations can focus on the ones that require the greatest attention.

In most organisations, information security technologies are frequently developed, purchased, and deployed on an operational basis. There is limited opportunity to evaluate the strategic component throughout this process. The organisation ends up with a patchwork of technical solutions that are built and specified independently, with no guarantee that they will be compatible and interoperable. There is frequently no examination of long-term costs, particularly operational expenditures, which account for a large percentage of the total cost of ownership, and no strategy that can be identified as supporting the business's goals.

The establishment of a business-driven enterprise security architecture that outlines a structured inter-relationship between technical and procedural solutions to support the long-term objectives of the business is one way that avoids these piecemeal challenges. If the architecture is to be successful, it must provide a coherent framework within which security solution selection decisions can be made. The decision criteria should be derived from a thorough understanding of the business requirements.

Security Architecture Needs a Holistic Approach

[Figure 1: The Eternal Triangle of Conflicting Objectives]

Enterprise security architecture must be driven from a business perspective and must take account of a wide range of requirements that may often be in conflict with one another. This conflict is portrayed in Figure 1 as an eternal triangle, in which the three requirements (security, usability and cost) are constantly in tension, pulling in opposite directions. Achieving a higher level of security or usability will cost more. Increasing security often affects usability, and vice versa. The successful architecture balances the tensions between these conflicting objectives. The successful security architect is an experienced and intelligent person who is a good communicator and can bring together many skills and wide-ranging knowledge from many parts of the team. He or she is someone who can comprehend the business requirements and use architectural skill to transform complexity into simplicity.

While the security architecture approach must be determined at the oversight board level, it should definitely not stop there. In order to be effective, it must be embraced by the entire organisation. With reputational damage, financial losses and legal consequences on the line, it is crucial for organisations to create and implement an incident response plan in case an information technology incident occurs. Responding quickly and effectively will not only mitigate these risks, but also ensure a successful recovery.

Selling the Benefits of Enterprise Security Architecture

Organisations will want to manage business risk appropriately. Good security architecture helps to provide consistent risk assessment and mitigation across all parts of the organisation. Security architecture also helps promote a fast turnaround on projects. By creating a security architecture in the form of a roadmap, aggressive time targets can be met. This is because a well-designed security architecture allows for the creation of flexible solutions for new business initiatives, allowing them to be implemented swiftly and reliably.

Author: Aaron Tan Dani

President of Singapore Computer Society EA-Chapter
Founder and Chairman of Iasa Asia Pacific
Chief Architect of ATD Solution
