I truly don’t know where to begin.
No, really. I don’t.
In the last 3 weeks, I’ve heard so many well-meaning but violently misguided takes on security architecture by otherwise intelligent people that, well…it actually left me a little stunned.
Let’s get the definition out of the way first. If “architecture” is “the complex or carefully designed structure of something” – to pick a simple version – then “security architecture” must be “the complex or carefully designed structure of security.”
But then, we get into the whole debate of what “security” actually means—which is also kinda funny since the reason nobody can define THAT is because it’s the “whatever it takes to make you confident that you’ll get what you want.”
…and that, my friend, is where we go so far beyond the apple cart we’re talking about hard cider.
Unpacking, in reverse order, security in the form of ye-old-tyme High School football cheer:
What do we want?
…to get what we want!
What do we want?
…a bunch of stuff the business wants to do that we don’t really understand!
What do we WANT?
WE want to help THE BUSINESS get what THEY want (whatever that is)!
Ok, so let’s change it up slightly:
Security architecture is “the complex or carefully designed structures intended to enable the organization to achieve its objectives.”
Now, let’s look at the “complex or carefully designed” bit.
What does that really mean?
Well, it’s complex because it’s a system of capabilities operating within the complex system of the organization it’s trying to protect as that organization operates within the complex system of the world around it.
So not one…not two…but THREE levels of complexity:
- the people, processes and technical security controls
- the people, processes and technology that both define the organization and give it life every day
- the external environment with which the organization interacts every day so it can provide some kind of value a “customer” cares about that enables them to solve a problem.
And that means “security” operates across, in and around all three of those, because each one has its own set of goals and objectives that need someone to run interference for them so that they have the best chance possible of being achieved.
Now, we unpack the “carefully designed structures” part.
What kind of structures are we talking about?
Well, first there are the different types of risks that might occur to get in the way of any one objective. We need to find them, classify them and put them in a box with a label made of masking tape and smeared sharpie ink.
Second there are the set of interconnections and relationships between the people who want those objectives; everyone that works for those people to help them make it happen; and the set of interconnections and relationships between those “hands” reaching through the organizational wall that touch the customers who keep the whole thing running.
Third there are the set of capabilities that enable, protect and ensure those interconnections and relationships are created, actually work the way they’re intended, report how well they’re working to the people that depend on them (on both ends, mind you…)
And a fourth type (and we’ll stop here) is the carefully designed structures that make sense of all those other carefully designed structures so that you can communicate to people that you have their back and they now have the best chance you can give them that they will get what they want.
Complex? You bet.
Technical? About 10%
Here’s something that might help.
Think about where you live…your house or your apartment. Now think about what your house, apartment or whatever actually does for you.
It gives you a place to eat. It gives you a place to cook. It gives you a place to sleep. It gives you a place to surf the Interwebs. And it gives you a place to poop (which might actually be one and the same as the latter…from time to time…).
And there’s a bunch of stuff that has to exist so you can eat, cook, sleep, surf and poop.
But those things aren’t the “architecture” of your place of residence.
The number and location of the bathrooms. Whether you can get to the bedroom in the dark after your midnight wee. How far away the sink is from the stove. Whether your neighbors can see you standing naked in front of the kitchen sink.
THAT, my friend, is the “architecture” we’re talking about.
Not the wires. Not the plumbing. Not the fridge. Not the stove. None of it.
“Architecture” is the way everything in your abode is organized to support the way you live.
And if you’re talking about “security architecture” you’re talking about why where you poop isn’t right next to where you eat or where you cook.
They’re separated so you don’t have to worry about dropping your eggs in the toilet.
They’re carefully designed so you can not have to worry about “architecture” and get on with your life.
They’re complex, because those decisions require careful consideration of the specific trade offs, assumptions and requirements that make a house different from a car…or an airplane and it ultimately delivers all those wonderful and clever technical gizmos it takes to work.
It should blend into the woodwork so you don’t realize it’s there.
And because of that, it should help you keep the organization safe.
Today, tomorrow and independently of whatever brand of tap and toilet you like most.
So how closely does your definition of security architecture reflect “the complex or carefully designed structures intended to enable the organization to achieve its objectives?”
How independent of individuals, tools or technology is it?
If it isn’t, the let’s get working together to fix it.
Start here: https://archistry.com/go/SecurityLeader
Andrew S. Townley
Archistry Chief Executive