In my travels, I have come to observe that many organizations separate out security architecture from other architectures. Does this make sense? Large organizations often have governance practices such as an Architecture Review Board (ARB) yet defer the system quality attribute of security to another entity. Does this beg the question of whether security professionals should have a seat on Architecture Review Boards?
Various architecture “frameworks” also exhibit a similar level of thinking. Security has its own architecture framework called SABSA (Sherwood Applied Business Security Architecture) that seems to move independently of TOGAF, Zachman, etc. So, if I am an EA using one of the more popular “frameworks” that remain disconnected from the world of security, does that make it easier for me to forget that a secure ecosystem might also be a desirable business outcome?
Should we believe that having a culture of separation, where security feels it needs to own all things security, is goodness? What if we could revisit our thinking on security architecture? Would we conclude:
- Security is a component of everything and not the responsibility of any single organizational entity?
- Security Architecture in its historical definition is the same as QA/QC but focused on a specific type of error/bug?
- If we want to “build security in” as part of our SDLC, that security practitioners should be consulting throughout that SDLC and not focusing solely on operational considerations?
We have a knowledge crisis when it comes to security architecture as part of enterprise solutioning. Care to guess how many solution architects, when documenting their solution, reference bolt-on security technologies to satisfy the needs of ARB checklists instead of integrating security throughout the entire architecture?
Are we bold enough to acknowledge that both Enterprise Architecture and Information Security are in the business of managing risk, yet they never appear unified in their thinking, approach, solutioning, governance, etc.? Information security professionals have a “duty to protect,” yet many of their recommendations overstate risk and increase costs to the enterprise.
I have been noodling how to help information security professionals to think more like enterprise architects and to not just think about their duty to protect but also embrace the notion of delivering better business-outcome driven security architecture. I would love to know your thoughts on this topic…