
Answering the Call for an Architectural Approach to Security

Most of us are familiar with the adage: “the best defense is a good offense.” It’s used when talking about sports, military strategy, and business – and it holds true for cybersecurity as well. But the reality is that with respect to cybersecurity, organizations have traditionally taken a defensive tack only.

The best of breed approach has ruled the day and now many organizations have a patchwork of product platforms from various security companies. A firewall from company A, intrusion detection/prevention from company B, endpoint protection from company C, and the list goes on and on. The challenge is that these disparate solutions can’t and don’t work together and have to be managed independently. Depending on an organization’s needs, security teams are grappling with anywhere from five to as many as 50 different security vendors and solutions that can’t keep up as business models shift, the attack surface expands, and threats evolve. In other words, they’re experiencing a security effectiveness gap, where the security capability each new product adds is overshadowed by the additional complexity it piles on.

To close this gap enterprises are now re-thinking the way they purchase and deploy security technologies. New research from ESG found that 62 percent of security professionals surveyed are actively consolidating their cybersecurity vendors and 82 percent are using an architectural approach to guide this consolidation – integrating multiple individual products and platforms. But to get the operational efficiencies and better protection they seek, they need to do it the right way.

Just as an offensive player’s job in football or soccer is to advance the ball down the field towards the goal, when you play offense as a security professional your job is to advance the objectives of the business securely for continued success. So how do you go about developing a security architecture that moves your business forward? Focusing on one-off technical considerations exclusively gets in the way of creating an effective enterprise security architecture that aligns with and advances business initiatives. You need to go on the offensive using business strategy to shape your cybersecurity strategy.

Involving the right people. It starts by getting the right people involved. Executive sponsorship and a mandate from the Board or executive leadership make an enterprise security architecture a business imperative and set up the core team with the autonomy and resources to succeed. Because you can’t secure what you don’t see, both the network and security teams must be represented so that they can work together to devise a roadmap that will simplify security as the business shifts and the threat landscape evolves. Representatives from other areas of the business need a voice as well to ensure that ultimately you develop a holistic enterprise security architecture that recognizes that security is everyone’s concern and responsibility.

Grounded in business strategy. With the right team in place, you now need to ensure you clearly understand the business strategy – where the business wants to go and how it will get there. You need answers to questions like: What are the key initiatives? What areas of the business are affected and in what way? How will success be measured? These answers will drive the security discussion and shift the focus from stopping the bad guys to using security to help drive business success. This information will also help you determine the security metrics and reporting that executive management will find most meaningful.

Adapting and managing operations. With an understanding of where the business wants to go, you can now consider the operations that must be managed to help you get there. When it comes to security intelligence, do you have total visibility from the endpoint to the network to the cloud and across users, devices, vulnerabilities, applications, files, and virtual environments? Without visibility you can’t effectively segment networks or enforce access policies, for example. You also need to understand your company’s risk profile to better manage risk and know what type of information should be reported to the board. Security assurance operations will also vary depending on factors like the regulatory environment you operate in as well as third parties you work with including vendors, partners, and customers. Can you manage these areas securely and maintain availability without putting operations at risk?

Better informed technology decisions. Only when you understand the strategic and operational aspects of the business can you move on to technology considerations and accurately assess the security of your systems, network, and applications. The following scenario illustrates why.

The security team at a financial services firm needs a clearer understanding of whether their cybersecurity program meets industry standards, is consistently applied, and is measured and reported effectively to executive leadership. The team could talk to industry peers, do their own research, and decide to adopt some of the practices and newest security technologies they heard about at the last security conference they attended. But without knowing the objectives of the business, that approach could waste scarce resources and not provide the desired outcomes.

Instead, by starting with understanding the business strategy they learn that the executive team is planning significant merger and acquisition (M&A) activity to diversify into other industries and geographies. With this insight, they can determine how operations like compliance, identity and access management, and application development need to change. They can then go on the offensive, developing an enterprise architecture roadmap to address the gaps between their current security model and a target model that will support rapid innovation and flexibility to support M&A. As the business continues to evolve the security model can too with an open architecture that evolves with the business.

If you’re among the majority taking an architectural approach to consolidate security vendors then remember, your best defense is a good offense.

Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.