Behind the Scenes of Implementing Security Architecture

Implementing security architecture takes time and cross-team collaboration.

Security architecture is the bedrock of best business practices relating to an organization’s cyber risk. With these frameworks, leaders are able to secure their people and assets, improve the effectiveness of their systems, and align the ongoing security of the organization to its objectives and stated risk appetite.

But understanding the importance of security architecture is one thing – implementing it is another. So how do you implement a security architecture framework? In this article we break the transformation process down into three phases, and use a fictional case study – a pizzeria – to show you, in a simplified way, what it could look like.

Define: Planning a security architecture framework that meets business needs

To be successful, security architecture must be aligned to the company’s needs in terms of its key drivers and risks. This forms the why of security architecture, and helps us build a framework that makes the most of the opportunities present to the company while mitigating its unique threats.

First, let’s go over the components of planning our architecture, then we’ll look at our pizzeria and apply the lessons.

Identifying your business drivers

This is the first and most important step in this entire article. Everything we do from here on out must be traceable back to our core business drivers and objectives, thus ensuring that the security architecture we put together meets the needs of the organization.

So what are business drivers?

These are key inputs that drive the operational and financial results of the business. They are, in essence, what your business relies upon to ensure it can continue, often associated with revenue or costs. To use some examples, in the SABSA framework’s Appendix 2 we see drivers that include protecting the reputation of the organization, preventing losses through financial fraud, and minimizing the risk of loss of key customer relationships.

Read more: What is security architecture, and what do you need to know?

How to identify your business drivers

1. Identify objectives: Start by writing down the core objectives of your organization. What are you trying to achieve? What needs to happen for you to realize success?
2. Determine inputs: Now determine the factors that drive or impact those objectives. SABSA Appendix 2 can aid you, but these are generalized drivers and may not be well suited to your unique requirements.
3. Map it all out: Write this all down. Note down every core objective and their corresponding drivers. We’ll come back to this later to add to it.

Identifying your business attributes

With our objectives and attributes outlined, the next step is to map out our business attributes. Attributes are traits or features of the business which are linked to its drivers and can be clearly defined. They help us to prioritize business requirements and security drivers, and can be weighted based on their priority (more on this shortly).

Again, you can use SABSA to help you if you aren’t sure where to start. Appendix A lists a number of attribute examples, although many will not apply to your organization given their more general nature.  

How to identify your business attributes

1. Create a taxonomy of your business units: What are the different parts of the business? Map these out.
2. Note down attributes: For each business unit, identify the key attributes you feel are important to its success. You will need to involve stakeholders from each unit, running meetings and workshops to brainstorm ideas.
3. Define what each attribute means: Note down a clear definition of each attribute for each unit, so there can be no mistaking what the trait means to your organization. For example, the attribute “accessible” may mean something different to our pizzeria below as it would to a telecommunications company. In addition, you must also consider:
4. How do we measure these attributes?
5. What risk do these attributes pose to the business if there were to be a failure in that area?

Now we must identify dependencies within our attributes

Attributes rarely stand alone. Typically, one attribute may impact another, potentially from a different business unit. So the next step is to look again at the attributes across your organization and figure out which traits depend on each other, which are related, and then define those dependencies.

For example, the attribute “fast”, which relates to our delivery service, is going to be impacted by the attribute “available”, relating to the products in our warehouse.
Finally, it’s important to understand our priorities

It’s important that, throughout this process, you identify, understand and note down your priorities. What are your most important objectives and business drivers, and which business attributes could have the most impact on the business? What faces the greatest risk, or drives the most revenue?

Security architecture takes time. Patching over the red flags in your organization, putting in place new processes or services, could take a while (depending on your scope and budget), so understanding your priorities gives you a place to start.

A case study: Matko’s Pizzeria defines its drivers and attributes

Matko’s Pizzeria has opened in the heart of Munich, owned by the titular restaurateur Matko Blazevic.

A pizzeria might not have much need for security architecture, but we can use this simple example to relate the concepts we have discussed above to real-world contexts. That said, we will only skim the surface of Matko’s business to use it as an example – a real enterprise will have many more drivers and attributes than we are going to discuss below.

Mapping out Matko’s Pizzeria

• Core objectives: Grow revenue, increase foot traffic, reduce spoilage and waste, build reputation.
• Business drivers: Size of restaurant and location, number of meals served per day, number of dishes on the menu, branding and logo design, prices, likability/effectiveness of staff, reputation of business online/word of mouth.
• Business units: Front of house, kitchen, storage, back office.
• Business attributes:
• Fresh: Ingredients are stored in conditions that reduce the likelihood of spoilage. Measured in amount of food wasted before it can be used.
• Consistent: Goods are consistent quality, people get what they expect. Measured in customer feedback and sales figures.             

Matko notes that ‘reducing waste’ is a key driver because reducing these costs will be a quick win to get more revenue. From an attributes perspective, a lack of ‘fresh’ ingredients impacts his reputation and therefore potential for foot traffic. His other drivers are still important, but knowing his priorities will help in the later stages.

Create: Building a framework to meet your threats

With our key metrics defined, we understand how our attributes are inherently linked to our objectives – such as increasing revenue – and we’ve identified priorities across business units. This gives us a starting place to begin analyzing our threats and putting in place control strategies to mitigate those threats.

Identifying threats and their impact with a threat analysis

A threat analysis helps us to identify the biggest threats to our business attributes, which increase their risk and, thus, impact. It allows us to go back through each individual attribute and analyze it either quantitatively or qualitatively to note the threat, impact and the likelihood of the event even happening in the first place.

• Quantitative analysis: This is the most effective way to measure threats. To quantitatively analyze your organization, you will need key figures from across the business. These could include costs per day/hour, cost of losing a customer, of a shut down, cost of equipment, etc. By examining these, we can see – in real monetary values – what the threats are to our different units, and rank them.
• Qualitative analysis: This is a backup option for when hard figures aren’t available. A qualitative analysis is where you go through each attribute and try to ‘score’ threats on a scale out of 10 based on both the impact and likelihood – so each threat gets two scores. After, you can multiply one figure by the other to spit out a final combined score, which you can then use to rank one threat against another. SABSA provides examples of these, too.

Matko’s Pizzeria analyses its threats

Matko identified two attributes, defined them, and mapped out their risk. Now we can go back through them and look at what potential events pose a threat to those attributes, and therefore increase the likelihood that their risk will be realized.

• Fresh: Threats include power outage to fridge, natural event (i.e. flooding), insects getting into storage areas.
• Consistent: Threats include supply shortages in important ingredients, chef that knows the best recipes quits or retires (i.e. skills deficit), equipment malfunction, power outages/natural events destroying parts of the kitchen.

We already know that ‘Fresh’ is a more important attribute as it relates to Matko’s key driver of ‘reduce waste’ and ‘increase foot traffic’. Examining each of the threats to this attribute and scoring them out of 10 in both impact and likelihood, he determines that insects are his greatest threat – noting that they are both likely and can have catastrophic consequences, putting their score above the remaining list. The other threats either have less impact (i.e. temporary power outages) or low likelihood (natural disasters).

Mitigating threats with control strategies

The next step is to go back through these threats for each individual attribute and determine how we can control them – either stopping them outright or simply mitigating the risk. Knowing our risk appetite is key here, too, so we understand the degree to which we are willing to take on risks that we cannot eliminate.

Read more: Do you know your cyber risk appetite?

SABSA has a number of control strategy examples, but most companies develop their own strategies as well – given no organization is alike, and SABSA provides only general guidance.

Matko plans how to mitigate the threat of insects

While Matko’s Pizzeria will have to put in place control strategies for all of its threats across its attributes, Matko decides to start with insects due to their high threat score. 

He holds a workshop with key staff members to utilize their experience and then consults with some third parties for advice and quotes. With this information, he outlines these strategies as critical to controlling the risk of insects:

• Regularly scheduled cleaning of the restaurant, kitchen and storage facilities (remove accumulation of food debris).
• Plan equipment downtime to keep hard-to-clean equipment sanitary.
• Keep insects out at windows and doors.
• Perform preventative maintenance to keep the external perimeter healthy and secure.

Manage: Implementing your security architecture framework

The final phase of implementing security architecture is the implementation itself. At this point we have identified our objectives, drivers, attributes, risks and threats. We also have control strategies in place that we’re confident will mitigate these threats, and therefore reduce the risk to the business. The third step is to look for security services that will help us implement our plan.

Identifying key security services

After all the groundwork laid above, this next phase is relatively simple. It involves looking through our list of control strategies and working out what it will actually take to realize them. You may find that you have some of the resources already available in-house, although it’s likely you will also need some degree of new service as well.

We should note, we’re using ‘service’ here as a general term. It may not mean a service as such. It could also mean new processes, such as a communications policy, or cyber training for staff members.

Ensure there is accountability

Finally, we need to ensure that there are individuals accountable for this new plan’s success. Each of our business units should have a clear head – a spokesperson, if you will – that our security architect can communicate with, and who will champion new initiatives to the rest of the team in their unit.

Having a champion is an important part of change management, as this person will be heavily involved in promoting new concepts and training staff. It also reduces any confusion over ‘who does what’ in the unit, so mission-critical activities occur on time rather than becoming stuck between individuals.

Matko’s Pizzeria implements its plan

Matko realizes he’s not a handyman, nor does he have time to completely sanitize the restaurant as much as he needs to. He identifies, therefore, that cleaners and a maintenance service are necessary for his insect control strategy. He also implements a 52-week planner to help schedule deep cleans and maintenance checks, so he can plan disruptive activities around customer peak seasons, and communicate this all with staff.

He places his head chef Sofia in charge of the kitchen business unit and food storage so she is accountable for her areas, while Francesco the maître d’ is placed in charge of the plan in the front of house.

With this approach, Matko ensures his restaurant is covering all of its bases regarding the threat of insects and he has ensured there is a clear hierarchy (and therefore, clear accountability) within the business to improve communication. Matko can focus on achieving his goals and implementing strategies for his other threats.

Need help? We’re here for you

Matko’s Pizzeria makes the security architecture process seem simple, but every organization is different and it’s not always easy to know where to start and how to proceed, even with the best instructions.

That’s where we come in. To learn more about how to implement security architecture from a real security architect, watch our webinar here.

Or, to speak with someone now, contact us anytime for a free consultation about your needs.