Enterprise Architecture: Your Tool for Right-Sizing Security
Ted Kieffer, Director Enterprise Architecture, Grainger
Let's first define Enterprise Architecture. When done right, Enterprise Architecture is a body of work that connects business outcomes to the complex technical landscape and to the decisions that must be made to deliver those outcomes. It bridges the strategic gap between business planning and the detailed work needed to build the supporting technology. That connection normally falls apart because there is a significant abstraction between a business function and the way you have to conceptually break that function down in order to automate and accelerate it with technology. The people you have working on the technology tend to understand the technology really well. The people you have running your business functions tend to understand the business really well. Neither group, on its own, holds the whole picture.
The security-related takeaway is that good Enterprise Architecture involves a deep understanding of the business outcomes. More specifically, it involves a deep understanding of the tradeoffs that leadership is willing to make to pursue those outcomes. How much are they willing to invest? Which risks are they willing to take to get there? How quickly do they want it? It is that insight that drives great security solutions.
Let's take a look at a healthy security apparatus and see how it relates to what I just described. Properly implemented security is about right-sizing security measures so that they sufficiently mitigate the amount of risk an organization is willing to engage in. There is an interesting tension (at least in my opinion) between complete security and easy business operations. The reality is that a good security approach lies somewhere between those extremes, and its placement depends entirely on the amount of risk that is acceptable to business leaders.
In the same way, a good security team should be fed enough information about the organization's appetite for risk that the security technologists can design an appropriate response to that need. When done right, the security organization should never dictate the security response based on its own risk appetite, or even worse, on "gut feeling." This is where Enterprise Architecture can really serve the right-sizing of a security response. As Enterprise Architecture assists with the articulation of business outcomes, it is usually fairly easy to attach information about the security risk appetite to each outcome. That information feeds the security decisions and tradeoffs that need to be made in solution design. More importantly, it also helps control the cost of the security approach, ensuring that you invest just enough to get as much risk mitigation as you need and no more.
If the question of risk appetite is answered, then all of the subsequent work should flow easily. At the holistic level, standards frameworks such as the ISO 27000 series, the NIST SP 800 series or COBIT can help design, implementation, and operations teams figure out which security controls they need to address. Peer groups, vendors and technology forums can assist with the technical aspects. What those frameworks and forums cannot supply is the understanding of the organization's risk appetite, and that is what lets the specialists working on those designs size the controls correctly: enabling the business enough while mitigating as much risk as necessary.
A good Enterprise Architecture practice should be working at a level where it is involved in the development of the business plan and its outcomes. It should be able to help drive decisions on the things that will otherwise cause tension later, during technical design, such as the amount of risk a solution is allowed to carry.
Organizational risk appetite is the key information that drives a measured and reasonable approach to security throughout the development of designs. As I mentioned at the beginning, getting a clear answer to that question has plagued good security design for as long as I have been involved in security. There is no better group than your Enterprise Architecture team to make sure it is answered as part of their routine value delivery.