How can Cybersecurity Architecture Align Modern Business and Technology Concerns?
Cybersecurity architecture can help us align business and technology concerns by providing modernized views of core processes and technologies. Today, that means focusing on a hybrid, multi-cloud IT environment. To dive deeper on this, please sign up for my Better Security through a Multi-Cloud Security Reference Architecture webinar, coming soon at 1:00 PM EDT on August 19, 2021.
The figure above provides a bird's-eye view of what we'll cover. It's an eye chart, so don't even try to read the fine print 🙂 Just come to the webinar!
Business and Contextual Risk Framework
A previous post describes how the Security Reference Architecture I wrote for Techvision Research (download a detailed, complimentary excerpt here) incorporates ideas from the Sherwood Applied Business Security Architecture (SABSA) and other enterprise architecture (EA) methodologies to provide contextual, conceptual, and logical views.
The Business View of the Security Reference Architecture depicts the business context for the security program, security controls, and enterprise security infrastructure required for a Digital Enterprise. It also points to my book, Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment, for a business alignment framework. That framework identifies security-related roles throughout a business and describes specifically how to align these roles with activities and technologies for six major cybersecurity priorities, often using responsible-accountable-consulted-informed (RACI) matrices.
Functional Views of Security for Hybrid IT
The Reference Architecture models both security technologies and security-related processes across digital enterprises’ multi-cloud and edge system IT environments. It identifies capabilities required to support distributed security systems; enterprise security operations and services; customers, partners, and suppliers; and the enterprise IT/OT environment.
The capabilities include security management and control systems, security monitoring, incident response, vulnerability and configuration management, network security, identity and access management, information protection, and more.
The reference architecture also maps the capabilities to the NIST Cybersecurity Framework (CSF) controls for convenient linkage to IT Governance, Risk, and Compliance (IT GRC) and solution architecture management tools.
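As an added illustration (not the Reference Architecture's own mapping, and not code from the original post), the script below shows the kind of check a GRC or architecture team can run once capabilities are mapped to the NIST CSF: given a capability-to-Function mapping, it validates the Function names, lists which capabilities support each of the five CSF 1.1 Functions, and reports Functions that no capability covers. The capability names come from the list above; the mapping itself is constructed for the example.

```python
"""Constructed example: coverage check of security capabilities against the
five NIST CSF 1.1 Functions. The CAPABILITY_MAP below is illustrative only and
is not the Reference Architecture's mapping."""
from collections import OrderedDict

# The five Functions of NIST CSF 1.1 (Identify, Protect, Detect, Respond, Recover).
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed mapping of capabilities (named in the post) to CSF Functions.
# Deliberately leaves "Recover" unmapped so the gap check has something to find.
CAPABILITY_MAP = {
    "security management and control systems": {"Identify", "Protect"},
    "security monitoring": {"Detect"},
    "incident response": {"Respond"},
    "vulnerability and configuration management": {"Identify", "Protect"},
    "network security": {"Protect", "Detect"},
    "identity and access management": {"Protect"},
    "information protection": {"Protect"},
}


def validate_mapping(mapping):
    """Reject Function names that are not CSF Functions.

    A misspelled Function silently breaks the linkage to GRC tooling, so it is
    better to fail loudly here than to produce a misleading coverage report.
    """
    bad = sorted(
        (cap, fn)
        for cap, fns in mapping.items()
        for fn in fns
        if fn not in CSF_FUNCTIONS
    )
    if bad:
        raise ValueError(f"unknown CSF Function(s) in mapping: {bad}")
    return True


def coverage_by_function(mapping):
    """Return an ordered dict: CSF Function -> sorted list of supporting capabilities."""
    validate_mapping(mapping)
    coverage = OrderedDict((fn, []) for fn in CSF_FUNCTIONS)
    for cap in sorted(mapping):
        for fn in mapping[cap]:
            coverage[fn].append(cap)
    return coverage


def uncovered_functions(mapping):
    """List CSF Functions that no capability in the mapping supports."""
    return [fn for fn, caps in coverage_by_function(mapping).items() if not caps]


def coverage_report(mapping):
    """Human-readable report; gaps are the actionable part for the architecture team."""
    lines = []
    for fn, caps in coverage_by_function(mapping).items():
        lines.append(f"{fn:8s}: {', '.join(caps) if caps else '(no capability mapped)'}")
    gaps = uncovered_functions(mapping)
    lines.append("Gaps: " + (", ".join(gaps) if gaps else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(CAPABILITY_MAP))
```

In practice the same check is run at the Category or Subcategory level, where the Reference Architecture's mapping actually lives; the Function level is used here only to keep the example short and free of invented control identifiers.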
Using the Security Reference Architecture
Clients can download a detailed excerpt of the Reference Architecture to get a logical understanding of security capabilities, enable cross-functional alignment of security projects or activities, measure their effectiveness, and facilitate compliance as well as digital transformation of the business. As noted, the Reference Architecture also incorporates by reference certain models, such as the security-related roles taxonomy and sample RACIs from my book Rational Cybersecurity for Business (also freely available). These all align in turn to the NIST Cybersecurity Framework, which incorporates specific controls by reference to detailed NIST, ISO, and COBIT standards.