The Cybersecurity Business Alignment Framework for Architecture
To ensure security architectures are relevant, you can define them using the Cybersecurity Business Alignment Framework provided in the Multi-Cloud Security Reference Architecture (“refarch”), Rational Cybersecurity for Business (“the book”), and a few other tools.
Per a previous post about the refarch, the contextual view at the top of the figure above provides a template for describing business and risk context. The functional views describe how to layer the technology and process components of a multi-cloud security architecture. The Cybersecurity Business Alignment Framework sits between these views. It offers guidance and templates for aligning security controls to security-related roles in the business, and for better defining how those roles work.
A detailed overview of the refarch is freely available. The refarch incorporates the book Rational Cybersecurity for Business by reference, and the book is also freely available. Between the two resources (and some industry standards) are all the tools required for this methodology. Let’s get started.
Cybersecurity Business Alignment Framework to Roles and RACIs
Security-related functions requiring people, roles, and organizations abound in the modern organization (“digital enterprise”). But not all the roles responsible for those functions report into the CISO, or the security department. For example, security operational roles tend to report to various security and IT management groups. These groups include those responsible for DevSecOps activities, network security, and most everything else in the IT or application development space.
In other areas, the CISO has a role in compliance, but most of the policy and know-how lives in Legal, HR, or other groups. Audit is – or should be! – separate from both IT and security. To help make sense of this, Figure 2-1 and Table 2-2 from the book detail many stakeholders in security-related roles, and give an example of a responsible, accountable, consulted, informed (RACI) matrix for a few of the highest-level functions.
Figure 2-1 Image Source: “Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment” by Dan Blum is licensed under CC-By-4.0.
The security department needs to work with whoever owns business risk (often a CFO, Chief Risk Officer (CRO), or similar C-level type) to identify where in the organization the most important security-related roles are, or should be.
Table 2-2 Image Source: “Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment” by Dan Blum is licensed under CC-By-4.0.
Both the security department and audit organization should be ensuring security-related roles are defined, operating, and well-aligned organizationally and functionally. The above RACI is just a start – the ISACA COBIT audit standard has RACIs for almost every IT or security control one can think of. Use it!
Cybersecurity Business Alignment Framework to Controls
The refarch functional views map security-related processes and technologies to 20 functional domains as shown in the book’s Figure 6-1 excerpted below.
Figure 6-1 Image Source: “Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment” by Dan Blum is licensed under CC-By-4.0.
The framework’s functional domains align with the NIST Cybersecurity Framework (CSF). The CSF embodies over 100 granular security controls, which in turn map to thousands of even more granular controls defined in the NIST, ISO, COBIT, and other standards.
For example, the NIST CSF maps its control “ID.BE-5: Resilience requirements to support delivery of critical services are established” to the NIST SP 800-53 Rev. 4 controls standard’s more detailed definitions for CP-8, PE-9, PE-11, PM-8, and SA-14.
What none of the standards do is map the controls to your organization’s unique security-related roles and RACIs. That’s where the Cybersecurity Business Alignment Framework comes in. See the book’s Table 6-3 (part of which is excerpted below) for a mapping of security-related roles to the framework’s 20 functional domains. With this, you can identify the stakeholders that should be creating, changing, providing, operating, or reviewing each control capability, and align your security architecture and solution delivery efforts with them.
Table 6-3 Image Source: “Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment” by Dan Blum is licensed under CC-By-4.0.
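The two mappings described above (a control standard mapping such as CSF to SP 800-53, and a domain-to-role RACI such as Table 6-3) are just data that an architecture team can join and check. The following is an added example, not code from the refarch or the book: it joins the two, answers “who is accountable and responsible for this control?”, and validates each domain’s RACI (exactly one A, at least one R, no stray letters). The ID.BE-5 mapping is the one quoted above; the domain name “Resilience”, the “IT Operations” role, and every letter assignment are constructed assumptions, and the “Compliance” row is deliberately incomplete so the validator has something to flag.

```python
"""Added example (not from the refarch or the book): join a CSF -> SP 800-53
control mapping to a per-domain role/RACI mapping and validate the RACI.
Domain names and role assignments below are constructed assumptions.
"""

# From the post: CSF ID.BE-5 maps to these NIST SP 800-53 Rev. 4 controls.
CSF_TO_SP80053 = {
    "ID.BE-5": ["CP-8", "PE-9", "PE-11", "PM-8", "SA-14"],
}

# Assumed: the functional domain each CSF control belongs to. "Resilience" is a
# placeholder, not necessarily one of the book's 20 domain names.
CSF_TO_DOMAIN = {
    "ID.BE-5": "Resilience",
}

# Assumed RACI per domain. Role names are ones the post mentions (plus the
# hypothetical "IT Operations"); which letter each role gets is constructed.
# "Compliance" is deliberately incomplete (no Accountable) to show validation.
DOMAIN_RACI = {
    "Resilience": {"CRO": "A", "CISO": "R", "IT Operations": "R", "Audit": "C", "CFO": "I"},
    "Compliance": {"Legal": "R", "HR": "C"},
}

VALID_LETTERS = {"R", "A", "C", "I"}


def validate_raci(raci):
    """Return a list of problems with one domain's RACI (empty list means OK).

    Rules: every entry uses a valid letter, exactly one role is Accountable,
    and at least one role is Responsible.
    """
    problems = []
    for role, letter in raci.items():
        if letter not in VALID_LETTERS:
            problems.append(f"{role}: unknown RACI letter {letter!r}")
    accountable = [r for r, l in raci.items() if l == "A"]
    if not accountable:
        problems.append("no Accountable role")
    elif len(accountable) > 1:
        problems.append("more than one Accountable role: " + ", ".join(sorted(accountable)))
    if not any(l == "R" for l in raci.values()):
        problems.append("no Responsible role")
    return problems


def validate_all(domain_raci=DOMAIN_RACI):
    """Map each domain that has RACI problems to its list of problems."""
    report = {}
    for domain, raci in domain_raci.items():
        problems = validate_raci(raci)
        if problems:
            report[domain] = problems
    return report


def stakeholders(csf_control, letter):
    """Roles holding the given RACI letter in the domain that owns csf_control."""
    domain = CSF_TO_DOMAIN[csf_control]
    return sorted(r for r, l in DOMAIN_RACI[domain].items() if l == letter)


def control_view(csf_control):
    """One record an architect can hand to solution delivery: the CSF control,
    the detailed standard controls behind it, and the roles on the hook for it."""
    return {
        "csf_control": csf_control,
        "domain": CSF_TO_DOMAIN[csf_control],
        "sp800_53": list(CSF_TO_SP80053[csf_control]),
        "accountable": stakeholders(csf_control, "A"),
        "responsible": stakeholders(csf_control, "R"),
        "consulted": stakeholders(csf_control, "C"),
        "informed": stakeholders(csf_control, "I"),
    }


if __name__ == "__main__":
    for domain, problems in validate_all().items():
        print(f"{domain}: " + "; ".join(problems))
    print(control_view("ID.BE-5"))
```

Running it prints the validation finding for the constructed “Compliance” domain and the joined record for ID.BE-5. In practice the three dictionaries would be loaded from the organization’s own control catalogue and RACI tables, and the validator run whenever either changes.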
Next Steps for Cybersecurity Architects
After familiarizing yourself with the materials described herein as well as your employer’s business, use the templates in the refarch to illustrate or specify the business’s high-level contextual and functional views. In the functional views, you’ll identify the core technologies and processes for security.
Defining roles, RACIs, controls, and architecture is an iterative process. Typically, organizations define general control standards and other compliance requirements in a solution-independent manner. That’s usually enough for the organization to define roles and RACIs in security policies, standards, and high-level procedures. But beneath the control standards, compliance requirements, and refarch, you’ll still need more detailed logical and physical (solution) architectures for how functional components work together.
For example, the business function “update accounts receivable” might require accounts and security entitlements in Azure AD, Duo two factor authentication, passage through the AWS Virtual Private Cloud and Oracle database security layers – as well as all the logging, management, configuration, and other technologies and procedures to go with these components. This needs to be designed at the solution architecture layer in ways that conform to your IT or security policies and standards.
After elaborating solution architectures, you may still need to tweak pre-defined roles, RACIs, and other standards. But typically, not that much, and your outcome can be greatly improved by beginning with architecture, standards, and the Cybersecurity Business Alignment Framework.