Architecting Cyber Security?

March 2017

Cyber security is a controversial field. It is difficult to measure its performance or to demonstrate its value, so it tends to be considered late and relegated to a few add-on fixes once all the design decisions have been made. Typical arguments are:

  • Security hinders the business process rather than helping it, focusing on "security" for its own sake rather than on real business value.
  • Security tries to deliver controls in isolation, without a clear understanding of the service context, priorities, risks or opportunities.
  • Security increases the complexity and cost of delivery and support.

Traditional approaches to security often reinforce these arguments when:
  • Security design (process and technology) is isolated into domains (or control sets) that cannot be integrated with one another (a tactical approach).
  • Security and business strategy are loosely coupled (i.e. there is weak traceability and justification of security investments in terms of business value).
  • A checklist or compliance approach is taken: it checks that the links (security controls) in the chain exist, but does not test that the links actually fit together to form a secure chain.

An architectural approach to security resolves the above by bringing the disconnected pieces together within a structured framework that breaks the complexity down into modular blocks presented as simplified views. This is achieved through layering techniques and modular representations of security capabilities and reference solutions, all managed together in an organised repository.