When I started my Security Architecture journey with SABSA way back in 1995, I never met anyone in our field who referred to themselves as an “Architect”. Today, both in our consulting operations and in our training programmes around the world, I meet literally thousands of people who call themselves “Architects”.
But what is “Architecture”? What is “An Architect” and what does an “Architect” do? And how does that relate to the “Enterprise” way of thinking to deliver business value particularly in the field of information/cyber security?
Let’s start at the beginning, with the fundamental definitions.
What is (an) Enterprise?
Enterprise: A company or business. OED
Enterprise: An organisation, especially a business Cambridge
Enterprise: A unit of organisation or activity, especially a business organisation Merriam Webster
That’s obvious and easy, right? But what is the entomology, why do we refer to a business or organisation as “an Enterprise”?
What is Enterprise?
Enterprise: Thinking of new ideas and activities in business and making them successful despite the risks Cambridge
Enterprise: The ability to think of new and effective things to do, together with an eagerness to do them Collins
Enterprise: A project or undertaking that is especially difficult, complicated, or risky Merriam Webster
Enterprise: A project taken or to be undertaken, especially one that is important or difficult or that requires boldness Dictionary.com
How interesting: Risky; Difficult; Complicated; Important; Bold; Complex! We use the term Enterprise because to succeed the organisation needs to overcome significant and complex challenges. In short, it wants and need to be “Enterprising” to achieve really difficult “stuff”.
The Enterprise as a Complex System
In a business or organisational context, why is it that being enterprising (being new, effective, eager, or innovative) is so risky, difficult, complicated, bold, and complex?
Because the modern business organisation exists as a complex system. It is composed of many constituent parts which interact, are inter-dependent, with conflicted and systemic relationships. It is an eco-system, changing organically as a result of the innovations and behaviours of its parts, each of which has its own objectives, success factors, methods, risks and opportunities. What is good for one part is bad for another. The Enterprise and/or its parts also interact with the ever-changing environment in which the Enterprise exists.
The bottom line is that a complex Enterprise cannot be defined by reference to its constituent parts alone because no part exists completely independent of the behaviour of the other parts.
So what?
All over the business world we do precisely that: we attempt to define the whole complex system by reference to its constituent parts alone. Security and risk decisions are made entirely in isolation, in siloes of specialism or self-interest. We make critically important decisions with no ability (and often no attempt) to understand or articulate the positive or negative effects of those decisions on the Enterprise as a whole.
Instead, we hide behind so-called “Best Practice” because copying is easier than the innovative thinking required to solve complex problems. We shelter in the safe harbour of standards, policies, and checklist-based compliance, even though today’s policy is often inherently in a state of tension with the imperative to innovate a better tomorrow. And that checklist approach, undertaken without vision or balance, inflicts consequences on other parts of the Enterprise. Then we are perceived as a “Business Prevention Department” that cannot get support, buy-in, or empathy, from those whom we have inhibited and constrained.
What is an Enterprise Approach?
Approach: A way of dealing with something; a way of thinking about a problem or task OED
I therefore see an Enterprise Approach as being the way of thinking about, and dealing with, the problem of enterprise complexity such that no part of the Enterprise is considered independently of the other parts.
What is Architecture?
Architecture: The art or practice of designing and constructing.
The complex or carefully designed structure. OED
Architecture is defined as both the practice of executing the approach and the structures that result from the practice.
What is Enterprise Architecture?
The term Enterprise Architecture is therefore the practice of executing an Enterprise Approach to deal with the problem of Enterprise complexity such that no part of the Enterprise is considered independently of the other parts.
It is also used to refer to the structured results of executing an Enterprise Approach to deal with the problem of Enterprise complexity such that no part of the Enterprise is considered independently of the other parts.
What is the role of an Enterprise Architect?
It is this holistic perspective that differentiates an Enterprise Architect from someone who operates at the “solutions” level. Much in the same way that a conventional building architect provides the context and structures that enable masons, carpenters, plumbers, electricians, glaziers, and other highly skilled specialists to perform their roles, it is the Enterprise Architect who provides the holistic perspective and Enterprise context within which solutions should be delivered.
What is Security?
To understand the role and value of Enterprise Security Architecture we must first understand what is Security.
Security: The state of feeling safe, stable, and free from fear or anxiety OED & Merriam Webster
Security: The fact that something is not likely to fail or be lost.
Freedom from risk and the threat of change for the worse.
Freedom from danger: safety. Cambridge
So, is Security a feeling or a factual state or both? The answer is that it depends. Just like risk, Security is a property that cannot be adequately or fully described without reference to a context.
In an I.T. and Cyber context, Security is often defined as properties of confidentiality, integrity, and availability. This definition reflects what mattered most in the history, legacy, and origins of our profession. But the world changes and Security has become meaningful across a much wider spectrum of organisational contexts that require more sectoral and culturally specific interpretations to adequately communicate a more aligned value proposition for stakeholders. Security is really about protecting (and ideally enhancing) what matters most to those stakeholders in their own specific and unique context. Enterprise complexity dictates that what matters most is different things to different people in a wide range of environments:
- In an industrial or O.T. environment the context may be “Safety”
- In a social services environment the context may be “Wellbeing”
- In a manufacturing environment the context may be “Quality”
- In a critical national infrastructure environment the context may be “Resilience”
We can be “secure” only when the context, the inter-related conditions and setting within which security requirements, drivers and success factors have been properly considered and defined.
An Enterprise is “secure” when we deliver the right security properties, feelings and factual states, in the right combination, to the proper extent, within the risk appetite and culture defined by its unique context.
What is Security Architecture?
Security Architecture is the practice of defining and delivering the security properties of an Architecture in the context of that Architecture.
Security Architecture cannot exist independently of that Architecture: Information Security Architecture is the security properties of Information Architecture; Network Security Architecture is the security properties of Network Architecture; Application Security Architecture is the security properties of Application Architecture; and so on.
What is Enterprise Security Architecture?
Enterprise Security Architecture is the security properties of an Enterprise. It is also the practice of defining and delivering the security properties of an Enterprise in the complex context of that Enterprise such that no part of the Enterprise is considered independently of the other parts.
What is the role of an Enterprise Security Architect?
The Enterprise Security Architect provides the holistic perspective and framework within which solution specialists can deliver to best meet the contextualised needs and requirements of a specific Enterprise Context.
The Enterprise Security Architect ensures that solutions are delivered not (necessarily) because they are best practice, or comply with a standard, but because they are the RIGHT solutions, directly traceable to Enterprise context.
So what? What does Enterprise Security Architecture achieve?
Enterprise Security Architecture transforms the security conversation to ensure that security delivers business value in complex environments. Its role is to:
- Establish a Business-driven focus to ensure Security is always delivered in the context of the Business mission and objectives
- Define a repeatable approach to understand requirements and make meaningful decisions within the complexity of the modern Enterprise
- Inform the way the Security team approaches their work and frame the questions they ask
- Create a common structure, a common language, common principles, and a common means by which diverse specialists can collaborate, interact, and make decisions
- Integrate and align in a security context, the diverse Enterprise methods, frameworks, and standards, whatever they are, whatever they become