Is Security Architecture Failing?
“One of the discussions that never happen in relationship to the numerous successful hacks is: What was the security architecture? Security architecture – or any architecture for that matter – is the foundation upon which we should secure and protect our systems. A great security architecture will stop many (not all) hacks from happening. But, the security blogs and security conferences do not address or feature the need for robust security architectures and architects. We need to enter the need for resilient and well-planned security architectures into the global cyber-discussion.” Via Bill Ross from INFOSECURE.
And so did a rare discussion begin on LinkedIn’s Security Architecture group. I’ve edited some of the responses to recreate the flow. The first four seem to hold that security IS failing because of:
- Insufficient funding: “This is more of an observation than a suggestion: I see Assurance (audit, monitoring) and Advisory (architect, design, and implement) functions fighting over the same budget. Usually assurance wins over advisory…”
- Insufficient top down support: “There is a general consensus that overall, security needs to be a mandate from the top. We know that, just by reminding people occasionally to be vigilant about phishing scams, the rates of people not clicking on phishing scams and reporting can be made to drop dramatically. Security is about many things, education being one of them, especially at this time as for most people, this is brand new territory. Physical security isn’t new, but Logical security is. Once upon a time the security guard at the door held the secrets to the company safe, now we are in a new era.”
- Lack of understanding: “As the world races towards a digital economy…there is a grave lack of understanding on cybersecurity; CIOs and CTOs may resist the reality of the CISO as a peer officer. Even worse, the hiring of ‘labels’ who don’t understand foundational security concepts is mind boggling. All these in my experience are the reasons why security architecture is always failing.”
- Security pigeon-holed as a technology problem: “Organizations should position the security function direct to the Board through Risk and Audit Committees, just as most codes of governance globally require. The CISO should be on the strategic level not on the tactical or operational level. World economics are changing and so are threats. A well-thought organizational structure with well-defined processes and controls must be the foundation for security architecture. Only then we can talk technology, layered in-depth security architecture and its management.”
A glimmer of hope?
“Security architecture is not failing but people are failing the security architecture. People should wake up and understand that the world has evolved since 9/11. Some of us are still holding on to old teachings and forgetting that we are in 2015 and not 2002. The days of a strict IT Security mentality are over. My experience has taught me that only a risk-based organizational structure and an understanding of organizational threats lead to successful security outcomes that bring risks to acceptable and controllable levels.”
Editorial comment: I’ve often said that security architecture is more than an elegant arrangement of technical patterns. Rather, security architecture is built of people, process and technology patterns and is inseparable from the governance structures that define it. Perhaps we can create governance structures that give architecture – writ large in people, process and technology – the chance to control risk. Please see my ideas on Operating the Matrix.
Not Yet. There Are Still More Challenges for the Security Architect
Other commentators highlighted additional (and major) challenges security architects face:
- Unconstrained threat environment: “I know, from years of experience, that no system of any complexity is “hack-proof”. There ought to be a formal proof of this in the literature, but if there is I am unaware of it. There are always weak links in a given system’s chain, which someone somewhere will exploit. The plain fact is that we, as security administrators & management, can never get inside the OODA loop of every attacker – in fact the opposite is true – someone, somewhere will inevitably get inside ours…Internet crime, much like terrorism, can only be wiped out in the same way that seagoing piracy was wiped out. That is: by eliminating all safe harbors, treating Internet crime like any other crime with the rapid identification and arrest of the attackers, and punishment by severe criminal penalties. As a global community we need to come up with a joint international and enforceable policy on internet crime that incorporates these points.”
- Complexity: “I’m not sure that I would say that security architecture is failing, but certainly the technology and threat landscapes have become far more complex. Application architectures are larger and more mission critical. But many application environments have grown in an ad-hoc manner and are far from being optimal from a security architecture perspective. Existing, functional production environments are not easy to change.”
- And more, including bring your own device (BYOD), unmanaged cloud usage by business units, encrypted traffic streams that IT can’t inspect, more sophisticated malware, and rapid advancement of attack technology fueled by cyber-conflict and nation state espionage (a phenomenon I call the ‘erosion of assurance’).”
Still, even these commentators ended on a note of hope. “It is critical for architects to have a firm grasp of the basics as well as these newer factors to create effective security architectures. Good network security architecture is NOT a silver bullet which will save you from all attacks, but it is a critical foundation on which everything else should be based. Experience has shown me that organizations who do have sound architectures in place have been in a FAR more robust position when the bad stuff happens.”
“Many organizations today are in search of security architecture but their overall security maturity is not at a level to engage in a successful initiative. If they start nonetheless, they likely set themselves up for failure. In order to prevent – or at least reduce – failing security architectures, we need to define the baseline maturity level and provide suitable method and process frameworks and tools for security architecture. We need to train a pool of resources to make use of the aforementioned. In that sense, a Global Association would be a good platform to foster exchange and development and help organizations to get this right.”
This last comment refers to a prior post from Bill Ross (INFOSECURE, LLC) who wrote: “Two years ago, I proposed the idea of creating the ‘Global Information Security Architecture Association (GISAA).’ I think a forum like GISAA is needed for the global cybersecurity community. I wish I had the time to sponsor it as it would take at a minimum one FTE. It would parallel the ISC2 organizational structure but be much more architecture-oriented. It seems our SABSA brethren are close to being the GISAA but not quite.”
The LinkedIn Security Architecture Group continues working on this question, and some of us are having an ad hoc webinar on security architecture certification this week. We wish we could invite all our readers, but space is limited to enable productive discussion. If you want to know more, tweet on @ArchITSec, sign up for our Newsletter on this site’s Home Page, or join the LinkedIn group. We’ll keep you posted!