Role of Enterprise Security Architecture

Security Architecture addresses the issues and provides all of the benefits of IT Architecture as described in the "Benefits of Architecture" section together with a broad spectrum of security and risk-specific business issues.

A Holistic Approach

“Security is only as strong as the weakest link” is a commonly-used adage when discussing information security.  Many organisations address this issue from the point of view of ensuring that no links are missing by working through check-lists of technical components: “Do we have passwords, access control, firewalls, door locks, encryption technologies, and a policy?  Oh good, then we must be secure!”

This piecemeal technically-led approach provides executive management with neither “security” nor the benefits of architecture.

Architecture takes a wider, more holistic approach to solving the business problem of security by ensuring that all of the components are specifically designed, procured, engineered, and managed to work together for the benefit of the business.  It considers:

  • Do we have all of the components?
  • Do these components work together?
  • Do they form an integrated system?
  • Does the system run smoothly?
  • Are we assured that it is properly assembled?
  • Is the system properly tuned?
  • Do we operate the system correctly?
  • Do we maintain the system?

Measurable, Fit-For-Purpose Solutions

Security Architecture recognises that technological components will change over time, that business needs are dynamic, and that risk appetite varies from organisation to organisation and business unit to business unit.  Security can only be defined relative to the value and risk propositions of the business.

Security Architecture ensures that when an organisation makes a claim to be “secure”, it has understood its business needs and delivered solutions that:

  • Meet the needs of the business
  • Are fit for purpose
  • Provide measurable levels of security
  • Ensure security can be, and is being, properly managed
  • Provide demonstrable Return On Investment

Return on Investment & Return of Value

The Return on Investment for Information Security is often mistakenly described in terms of insurance: a necessary cost required in case things go wrong.  However, just as a life insurance policy will not enable the policy-holder to live forever, designing security as an insurance-like recovery measure will not prevent security problems from occurring.  To provide a business with an effective return from security, Architecture should be designed to ensure proactive defence-in-depth coverage through resolution of vulnerabilities and reduction in potential impact across the wider spectrum of:

  • Prevention
  • Detection
  • Containment
  • Recovery

The SABSA Business Attributes taxonomy is the basis for providing users with a unique set of tools and techniques for normalising, communicating and measuring ROI and Return of Value in a meaningful and motivational manner.