The world really needs to take security architecture more seriously! If physical buildings were anything like security systems (experiencing a major breach practically every month), the news would be full of collapsing buildings and crumbling bridges. That’s why I’m pleased to inform you of two resources – the “Practical Cybersecurity Architecture” and “Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment” books – that can help improve security practices. Take a look.
Building Architecture Quality is Regulated for Safety
Is it really fair to compare physical building safety with security system safety and blame the security architects for our current deficit? Maybe not. Security systems, after all, are under constant attack by intelligent human adversaries, and buildings (outside war zones) are not.
But perhaps that proves my point. Despite a relatively benign threat environment, building safety needs are obvious to everyone and have motivated countries all over the world to establish stringent rules for building architects, who in many jurisdictions must:
- Have advanced degrees
- Be certified or licensed by the state
- Not work for construction firms, to avoid conflicts of interest
- Assume personal liability for their work
The same is not true for security systems…
Security Architecture is Still the Wild West
Bluntly speaking, individuals and businesses still do not consider security architecture to be that important. After all, cybersecurity outside of military applications does not kill… Not even occasionally, like falling bridges? Not that we know of.
So in general, anyone can call himself or herself a security architect and work free of liability or conflict-of-interest restrictions. And often organizations stand by as IT or development teams make only token efforts to understand business security architecture requirements, or omit such analysis altogether.
The problem is that with the digital transformation of all aspects of our lives, IT’s ever-increasing role means riskier IT. High-quality security architecture is important for the safety of smart medical devices, factory equipment, cars, and all manner of systems we depend on. Safety extends to a need for information confidentiality, privacy, and integrity. Oh, and let’s not forget availability of the information we require to run our businesses. (Just thought I’d mention that.)
Going back to the books, Practical Cybersecurity Architecture helps security architects do quality work. Rational Cybersecurity for Business helps them open a two-way street of communication with the business. Solutions must be based on technically sound architectures that align with business context and requirements. Then, architects must sell and adapt those solutions to the businesses that will fund, run, and use them.
Working Together to Promote Security Architecture
Seeing the synergy between our books, Practical Cybersecurity Architecture co-author Diana Kelley and I have teamed up on a weekly blog series for the next few months. As I write in my final chapter of Rational Cybersecurity: “This is NOT the end. It’s the beginning of an open information flow.” We want to engage our current and future readers!
Please check out the books and let us know what you think by commenting on this post or on any of the LinkedIn and Twitter shares.
Today, we’d like to hear from readers on the Future of Security Architecture Certification. At that link is an article I wrote a few years back summarizing discussions from a LinkedIn Security Architecture group webinar about certification. I’m in the process of updating it. Please comment on any of these questions, and I’ll synthesize your inputs into my updated article:
- Should security architects be certified, and how stringent should the requirements be for organizations to use certified resources? How should risk factor into that discussion?
- Should security architecture certification standards be set at national, local, or global levels?
- How should certification “grandfather” current security architects with many years’ experience, like me (or us)?
- Has the security architecture certification space changed much since my last article, and how?
A penny for your thoughts.