Security architecture is the bedrock of best business practices relating to an organization's cyber risk. With these frameworks, leaders are able to secure their people and assets, improve the effectiveness of their systems, and align the ongoing security of the organization to its objectives and stated risk appetite.
But understanding the importance of security architecture is one thing - implementing it is another. So how do you implement a security architecture framework? In this article we break the transformation process down into three phases, and use a fictional case study - a pizzeria - to show you, in a simplified way, what it could look like.
To be successful, security architecture must be aligned to the company's needs in terms of its key drivers and risks. This forms the why of security architecture, and helps us build a framework that makes the most of the opportunities present to the company while mitigating its unique threats.
First, let's go over the components of planning our architecture, then we'll look at our pizzeria and apply the lessons.
This is the first and most important step in this entire article. Everything we do from here on out must be traceable back to our core business drivers and objectives, thus ensuring that the security architecture we put together meets the needs of the organization.
So what are business drivers?
These are key inputs that drive the operational and financial results of the business. They are, in essence, what your business relies upon to ensure it can continue, often associated with revenue or costs. To use some examples, in the SABSA framework's Appendix 2 we see drivers that include protecting the reputation of the organization, preventing losses through financial fraud, and minimizing the risk of loss of key customer relationships.
How to identify your business drivers
With our objectives and drivers outlined, the next step is to map out our business attributes. Attributes are traits or features of the business which are linked to its drivers and can be clearly defined. They help us to prioritize business requirements and security drivers, and can be weighted based on their priority (more on this shortly).
Again, you can use SABSA to help you if you aren't sure where to start. Appendix A lists a number of attribute examples, although many will not apply to your organization given their more general nature.
How to identify your business attributes
Now we must identify dependencies within our attributes
Attributes rarely stand alone. Typically, one attribute may impact another, potentially from a different business unit. So the next step is to look again at the attributes across your organization and figure out which traits depend on each other, which are related, and then define those dependencies.
For example, the attribute "fast", which relates to our delivery service, is going to be impacted by the attribute "available", relating to the products in our warehouse.
Finally, it's important to understand our priorities
It's important that, throughout this process, you identify, understand and note down your priorities. What are your most important objectives and business drivers, and which business attributes could have the most impact on the business? What faces the greatest risk, or drives the most revenue?
Security architecture takes time. Patching over the red flags in your organization, putting in place new processes or services, could take a while (depending on your scope and budget), so understanding your priorities gives you a place to start.
Matko's Pizzeria has opened in the heart of Munich, owned by the titular restaurateur Matko Blazevic.
A pizzeria might not have much need for security architecture, but we can use this simple example to relate the concepts we have discussed above to real-world contexts. That said, we will only skim the surface of Matko's business to use it as an example - a real enterprise will have many more drivers and attributes than we are going to discuss below.
Mapping out Matko's Pizzeria
Matko notes that 'reducing waste' is a key driver because reducing these costs will be a quick win to get more revenue. From an attributes perspective, a lack of 'fresh' ingredients impacts his reputation and therefore potential for foot traffic. His other drivers are still important, but knowing his priorities will help in the later stages.
With our key metrics defined, we understand how our attributes are inherently linked to our objectives - such as increasing revenue - and we've identified priorities across business units. This gives us a starting place to begin analyzing our threats and putting in place control strategies to mitigate those threats.
A threat analysis helps us to identify the biggest threats to our business attributes: the events that increase the risk to each attribute and, therefore, its potential impact on the business. It allows us to go back through each individual attribute and analyze it either quantitatively or qualitatively, noting the threat, its impact and the likelihood of the event happening in the first place.
Matko identified two attributes, defined them, and mapped out their risk. Now we can go back through them and look at what potential events pose a threat to those attributes, and therefore increase the likelihood that their risk will be realized.
We already know that 'Fresh' is a more important attribute as it relates to Matko's key driver of 'reduce waste' and 'increase foot traffic'. Examining each of the threats to this attribute and scoring them out of 10 in both impact and likelihood, he determines that insects are his greatest threat - noting that they are both likely and can have catastrophic consequences, putting their score above the remaining list. The other threats either have less impact (i.e. temporary power outages) or low likelihood (natural disasters).
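The two pieces of method the article has described so far, attribute dependencies (the "fast" delivery attribute being affected by the "available" stock attribute) and scoring each threat out of 10 for impact and likelihood, are easy to keep in a spreadsheet for a pizzeria but worth modelling explicitly once there are dozens of attributes. The following Python is an added example and is not code from the article or from SABSA. It assumes two conventions the article leaves open: a threat's risk score is likelihood multiplied by impact, and an attribute inherits the exposure of anything it depends on (transitively, with cycle detection). The attribute weights and threat scores are constructed for illustration; the article only says that insects scored highest.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    """One threat event acting on one business attribute, scored 1..10 each."""
    name: str
    attribute: str
    likelihood: int
    impact: int

    def __post_init__(self):
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {label} must be 1..10, got {value}")

    def score(self) -> int:
        # Assumption: risk score = likelihood x impact (the article only says
        # each is scored out of 10; the combination rule is ours).
        return self.likelihood * self.impact


@dataclass
class Attribute:
    """A business attribute with a priority weight (0..1) and its dependencies."""
    name: str
    weight: float
    depends_on: list = field(default_factory=list)


def rank_threats(threats, attribute=None):
    """Threats ordered highest risk first, optionally for a single attribute."""
    subset = [t for t in threats if attribute is None or t.attribute == attribute]
    return sorted(subset, key=lambda t: t.score(), reverse=True)


def inherent_risk(attribute_name, threats):
    """Worst single threat score against the attribute itself (0 if none recorded)."""
    return max((t.score() for t in threats if t.attribute == attribute_name), default=0)


def effective_risk(attributes, threats):
    """Propagate risk along dependencies: an attribute is at least as exposed as
    every attribute it depends on, directly or transitively. Raises on a cycle,
    which in a real register means the dependency map needs another look."""
    by_name = {a.name: a for a in attributes}
    memo = {}

    def walk(name, path):
        if name in memo:
            return memo[name]
        if name in path:
            raise ValueError(f"dependency cycle through {name}")
        risk = inherent_risk(name, threats)
        for dep in by_name[name].depends_on:
            risk = max(risk, walk(dep, path | {name}))
        memo[name] = risk
        return risk

    return {a.name: walk(a.name, frozenset()) for a in attributes}


def prioritised(attributes, threats):
    """Attributes ordered by weight x effective risk: where to start controls."""
    eff = effective_risk(attributes, threats)
    scored = [(a.name, round(a.weight * eff[a.name], 1)) for a in attributes]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed register for the pizzeria example (numbers are illustrative).
ATTRIBUTES = [
    Attribute("fresh", weight=1.0),                              # key driver: reduce waste
    Attribute("available", weight=0.6),                          # ingredients in storage
    Attribute("fast", weight=0.8, depends_on=["available"]),     # delivery needs stock
]
THREATS = [
    Threat("insects", "fresh", likelihood=7, impact=9),
    Threat("power outage", "fresh", likelihood=6, impact=4),
    Threat("natural disaster", "fresh", likelihood=1, impact=10),
    Threat("supplier delay", "available", likelihood=5, impact=6),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS, "fresh"):
        print(f"{t.name:18} score={t.score()}")
    print(prioritised(ATTRIBUTES, THREATS))
```

Run stand-alone, it lists the threats to "fresh" with insects on top and then orders the attributes by weighted exposure; note that "fast" ends up above "available" even though it has no threats of its own, purely because of the dependency. That is the practical payoff of recording dependencies: a control on the supplier side protects delivery speed too, and the register shows it.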
The next step is to go back through these threats for each individual attribute and determine how we can control them - either stopping them outright or simply mitigating the risk. Knowing our risk appetite is key here, too, so we understand the degree to which we are willing to take on risks that we cannot eliminate.
SABSA has a number of control strategy examples, but most companies develop their own strategies as well - given no organization is alike, and SABSA provides only general guidance.
While Matko's Pizzeria will have to put in place control strategies for all of its threats across its attributes, Matko decides to start with insects due to their high threat score.
He holds a workshop with key staff members to utilize their experience and then consults with some third parties for advice and quotes. With this information, he outlines these strategies as critical to controlling the risk of insects:
The final phase of implementing security architecture is the implementation itself. At this point we have identified our objectives, drivers, attributes, risks and threats. We also have control strategies in place that we're confident will mitigate these threats, and therefore reduce the risk to the business. The third step is to look for security services that will help us implement our plan.
After all the groundwork laid above, this next phase is relatively simple. It involves looking through our list of control strategies and working out what it will actually take to realize them. You may find that you have some of the resources already available in-house, although it's likely you will also need some degree of new service as well.
We should note that we're using 'service' here as a general term. It may not mean a service as such. It could also mean new processes, such as a communications policy, or cyber training for staff members.
Finally, we need to ensure that there are individuals accountable for this new plan's success. Each of our business units should have a clear head - a spokesperson, if you will - that our security architect can communicate with, and who will champion new initiatives to the rest of the team in their unit.
Having a champion is an important part of change management, as this person will be heavily involved in promoting new concepts and training staff. It also reduces any confusion over 'who does what' in the unit, so mission-critical activities occur on time rather than becoming stuck between individuals.
Matko realizes he's not a handyman, nor does he have time to sanitize the restaurant as thoroughly as it needs. He identifies, therefore, that cleaners and a maintenance service are necessary for his insect control strategy. He also implements a 52-week planner to help schedule deep cleans and maintenance checks, so he can plan disruptive activities around customer peak seasons and communicate all of this to staff.
He places his head chef Sofia in charge of the kitchen business unit and food storage so she is accountable for her areas, while Francesco the maître d' is placed in charge of the plan in the front of house.
With this approach, Matko ensures his restaurant is covering all of its bases regarding the threat of insects, and he has established a clear hierarchy (and therefore clear accountability) within the business to improve communication. Matko can now focus on achieving his goals and implementing strategies for his other threats.
Matko's Pizzeria makes the security architecture process seem simple, but every organization is different and it's not always easy to know where to start and how to proceed, even with the best instructions.
That's where we come in. To learn more about how to implement security architecture from a real security architect, watch our webinar here.
Or, to speak with someone now, contact us anytime for a free consultation about your needs.