3 Considerations When Building Your Security Architecture
In this article
Introduction
This year has marked one of the most challenging for chief information security officers (CISOs). COVID-19 has expanded the attack surface in ways no one could have foreseen. And while securing a flood of remote connections presents difficulties, it also provides an opportunity for CISOs to reexamine their security architectures.
The C-suite and board are starting to understand that security policies and controls have a direct impact on the ability of organizations to respond to business disruption.
My colleague Todd Neilson describes how CISOs can manage risk based on business goals, the first step to any successful cybersecurity program.
But what comes next?
After CISOs understand where the business holds the most risk, they need to build a bridge between mitigating that risk and daily defense. This is where security architecture comes in.
Here, we'll explore some considerations that will help create a security architecture that delivers business value, enables security operations and can adapt when the threat landscape takes unexpected turns.
Logical architecture and stakeholder buy-in
Those of us who got our start in the IT weeds love learning about and implementing technical solutions. So it makes sense that security organizations often jump to a technical security architecture before making sure they have done their due diligence by creating a logical security architecture.
While a technical architecture is all about security products, a logical architecture focuses on mapping security policies to business functions. This requires getting buy-in from not just technology leaders but also business unit leaders who could be impacted by new security policies.
Network segmentation is a perfect example. Segmentation is an architectural team sport. If stakeholders and their reports are not bought in at the beginning, your IT team can find every decision they make along the way questioned and every action scrutinized. Progress will proceed at a snail's pace, or worse, come to a stop.
At some point, stakeholders need to be involved in every security project. When they come late to the game, you risk having to redo work and reinvest in tools. I saw a global array of firewalls removed within two years of implementation because the technical solution didn't match stakeholders' business requirements.
Spend the necessary time on a logical architecture and get stakeholder buy-in early. Keeping your projects aligned to the business will pay dividends as you move forward.
Agile solutions for an unpredictable threat landscape
The new, massively expanded attack surface is here to stay.
While some knowledge workers have already returned or will return to the office, a Gartner HR survey revealed 41 percent of employees will likely work remotely at least some of the time after the pandemic.
Even with workers returning to the office, a greater emphasis is being placed on keeping workers and corporate data securely connected as part of business continuity planning.
It's important to look at architectures that can adapt quickly to an unstable attack surface. This means looking at cloud architectures, specifically secure access services edge (SASE) architectures.
SASE architectures are distributed and delivered in the cloud. Subscribers can spin up a full security stack in a few hours, including common remote access security controls such as firewall, data loss prevention, cloud access security broker, zero trust access, secure web gateway, domain name system (DNS) protection and decryption. These architectures solve for many identity, access and data security challenges by weaving authentication into traffic going directly from users to internal or software-as-a-service (SaaS) applications.
CISOs should start exploring these types of architectures to keep pace with the unpredictable threat landscape.
Embrace SecDevOps
Successful security architectures don't just align to the business, they empower security operations. This means building automation into your security architecture whenever possible. The more you automate, the less security operations has to operate.
SecDevOps (security development operations) is a way to build security into service delivery, allowing teams to put repetitive tasks related to security configuration or reconfiguration on autopilot.
Before onboarding agile, modern technology solutions, CISOs should make sure their teams are committed to automating those solutions.
One of the biggest barriers to security automation isn't the technology but rather figuring out where to start. Getting to a starting point requires prioritizing the processes that cause the most bottlenecks to security service delivery.
Here, I would recommend CISOs look at value-stream mapping. Value-stream mapping is a visual exercise that helps align workflows to business outcomes and identifies issues related to performance and quality.
From there, you'll want to explore which technology solutions have integrations built in and which will need custom programming. Invest in solutions that work well together. Then, fill in any automation gaps with strategic programming.
Conclusion
Technology is only one aspect of security architecture. If CISOs consider all the components, they can build architectures that enable the business, empower security operations and adapt to an unpredictable threat landscape.
By obtaining stakeholder buy-in early, exploring modern solutions and then committing to automating those solutions, CISOs will be well positioned to as they implement holistic cybersecurity programs.