Imagine we were given all the individual parts of a car and were asked to put it together, without any design or architecture documents. Firstly, it would be nearly impossible to do this if we had never done it before or seen what the car looks like. Secondly, it would take us a very long time to put the car together (enough time to make our design of the car obsolete). Thirdly, if we missed or misplaced one small but important part, the car wouldn’t function and troubleshooting it would be a nightmare.
The challenges faced by most CIOs/CISOs when implementing enterprise security across their organisation are similar. Several organisations today are still stuck in a “whack-a-mole” routine wherein they buy technologies to address specific IT needs or prevent specific information security issues. There is no consideration of how each technology will fit into the overall picture or whether it will deliver on business objectives. Now, if you have multiple departments all following this process and doing their own thing, you can see how difficult it will be for them to interact and integrate with each other, let alone deliver on business objectives. Complex internal processes and technologies bought as knee-jerk reactions to point-in-time issues leave a business vulnerable to cyber-attacks even after big dollars have been spent on security technologies. Cyber-risk is quite real, and the recent Equifax breach proves that a successful cyber-attack has the capability to cripple a business.
Now that we see the risk, let’s look at how we can address it. In the car example the answer is simple: develop a design/architecture document, with pictures, that details the function and placement of each part, so that the car can be built to work as expected in a reasonable amount of time. In the context of enterprise-wide security, this means developing an Enterprise Security Architecture (ESA) that aligns the budget, capabilities, processes, controls and technologies across the organisation to deliver on business objectives, while providing two-way traceability from the top (business objectives) to the bottom (tools and technologies) and vice versa. It should also be noted that once an ESA is developed and implemented it is meant to evolve continuously. It is a process, not a one-off exercise that, once done, will remain constant for the next several years. However, if done right, the ongoing changes to the architecture over time should be minimal.
ESA is a continuous process of understanding the changing business objectives and then developing, implementing and updating information security policies, processes, controls and tools (across all business units) to deliver the common business objectives, while mitigating risks and leveraging opportunities during the process.
Some of the obvious benefits of implementing an ESA are that it helps deliver on organisational compliance/contractual obligations and that it measures and improves the security posture of the organisation. Beyond these, the three main benefits I see from a business owner’s/board’s view are as follows:
- Single vision – All departments of the organisation are following similar processes to deliver on common business objectives rather than each department doing their own thing and delivering outcomes that don’t line up with the business’s objectives. This means every person and department can see their role clearly in the big picture and they all work towards achieving common business objectives.
- Value Assured Investment – ESA will ensure departments are investing in processes, policies and technologies that contribute to achieving the business goals. There is no “whack-a-mole” exercise of creating random processes/policies or buying ad-hoc technology solutions to address point-in-time issues without analysing how these processes/policies/technologies will integrate with other departments and help deliver business objectives. This enables department owners to effectively plan, prioritise and use their budgets.
- Two-way traceability – Each process, policy, control or technology deployed within an organisation/department has complete traceability to at least one business objective. Therefore, it is easy to see the value of each process/policy/control/technology in terms of the business objective it is delivering or contributing towards. Furthermore, as business objectives change it is easy to see which processes/policies/controls/technologies are irrelevant or are not delivering on the current business objectives and hence need to be removed or replaced. This lets the board see how the money spent on security is enabling the business.
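As an added illustration of the two-way traceability described above (example code, not part of the original post), the following maps each control to the business objectives it delivers on and answers both directions of the trace: which controls support a given objective, which controls are orphaned once objectives change, and which objectives have no supporting control. All objective and control names are constructed for the example.

```python
# Added example (not from the original post): a minimal two-way traceability
# check between business objectives and the security controls/technologies
# that support them. All objectives and controls below are constructed.

# Each control maps to the business objective(s) it delivers on.
CONTROL_TO_OBJECTIVES = {
    "MFA on customer portal":   {"Protect customer data", "PCI DSS compliance"},
    "Web application firewall": {"Protect customer data"},
    "Legacy VPN appliance":     {"Remote access for field staff"},
    "Vulnerability scanning":   {"Protect customer data", "PCI DSS compliance"},
    "Board security dashboard": set(),  # bought ad hoc, traces to nothing
}


def controls_for(objective, mapping=CONTROL_TO_OBJECTIVES):
    """Top-down trace: which controls deliver on a given objective?"""
    return sorted(c for c, objs in mapping.items() if objective in objs)


def orphaned_controls(active_objectives, mapping=CONTROL_TO_OBJECTIVES):
    """Bottom-up trace: controls that support no current objective.
    These are the candidates for removal or replacement when objectives change."""
    return sorted(c for c, objs in mapping.items()
                  if not objs & set(active_objectives))


def uncovered_objectives(active_objectives, mapping=CONTROL_TO_OBJECTIVES):
    """Objectives with no supporting control: a gap in the architecture."""
    covered = set().union(*mapping.values())
    return sorted(o for o in active_objectives if o not in covered)


if __name__ == "__main__":
    # Constructed scenario: the business retires remote access for field
    # staff and adds a new resilience objective.
    objectives = {"Protect customer data", "PCI DSS compliance",
                  "Resilience against ransomware"}
    print("Controls for PCI DSS:", controls_for("PCI DSS compliance"))
    print("Orphaned controls:", orphaned_controls(objectives))
    print("Uncovered objectives:", uncovered_objectives(objectives))
```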
Now, I understand it is not a quick and easy job to implement an ESA in an environment where people are used to working without one. Managers face challenges such as cost, lack of skills, lack of time, lack of management buy-in and resistance to change, but in my opinion, if pitched the right way (highlighting cost benefits to board members and ease of process use to employees), an ESA can make an enormous difference to an organisation’s success and security posture.
In my opinion, most reasons for not implementing an ESA are irrelevant as the consequences of not having one are far greater. This is the reason why most organisations and government departments are forcing compliance regulations on their partners before they do business with them.