The costs of data loss and theft can run into the millions, covering direct business losses, loss of intellectual property and business intelligence, audit and regulatory fines, compliance remediation costs and, most significantly, the loss of customer trust, reputation and brand equity.

The Australian Competition and Consumer Commission reported a loss of around $63 million from cyber-crime and scams in 2010. The Ponemon Institute reported in a 2010 study that 19 Australian companies lost between 3,200 and 65,000 individual records in data breach incidents, with an average organisational cost per breach of $2 million. Not only the amounts involved, but also the fact that products and services nowadays are themselves data, suggest that data security is not a technology issue: it is a core business issue.

Many of our clients recognise the value of spending money on data security up-front rather than dealing with the fallout of a security breach, such as significant financial loss or damage to reputation through the media. Our approach to security is enterprise security architecture: a business-outcome-focused and risk-driven approach to securing business capabilities, data assets, applications and platforms. It is an architectural approach, which establishes traceability from business drivers and business objectives, through products and services, to data, applications and platforms. It allows controls to be selected in a risk-driven manner, secure architectures to be built in support of the business outcomes, and a traditional security organisation to be transformed into an effective and efficient business- and risk-driven security organisation. Our clients understand that a business-outcome-focused and risk-driven architectural approach to enterprise security allows them not only to address breaches but also to leverage business opportunities and to estimate the ROI of security spending. Most importantly, our approach leverages existing security frameworks and industry standards, such as TOGAF, COBIT 5, ISO/IEC 27001/27002 and ITIL v3 Security Service Management. The use of proven best practices and standards not only gives our clients confidence, but also reduces the cost of regulatory remediation.

Below are the top five concerns that we address in client engagements:

1. Lack of an over-arching enterprise security architecture framework. There is a consensus that enterprise security architecture is a methodology for addressing security concerns in each architecture domain (business, data, application and technology) and at each layer of abstraction (contextual, conceptual, logical, physical and implementation). However, practical experience shows that the existing enterprise architecture and security architecture frameworks are not quite there yet.

2. A need to transform the security organisation. Information security has traditionally been dealt with at the information security management, operational security and solution design levels, resulting in a lack of alignment with both business and IT, and in operational imbalance. Our approach to resolving this issue is what we call "architecting a security organisation". We define the security capabilities starting at the governance level, through architecture and planning, to build, delivery and monitoring. We position the security capabilities as a subset of the business reference model to show how they fit within the organisational units, business functions and processes.

3. Enterprise-wide regulatory and internal compliance. The increasing number and scope of regulatory requirements can affect product and service delivery. At Enterprise Architects, we use enterprise architecture to resolve conflicts between business objectives, internal compliance requirements, and regulatory and legislative requirements. Gaining clarity around what these requirements are, where they conflict and how they affect the core business capabilities facilitates business decision making.

4. A need for business-outcome-focused and risk-driven security reference architectures. In our enterprise security architecture framework, risk and business objectives are the key drivers for the selection of security controls. Because the approach is top-down, every policy and control is traceable to a driver, and therefore identified and owned.

5. Data privacy concerns in relation to emerging trends and technologies, such as cloud, BYOD and mobility. The key challenge here is not infrastructure architecture and design, but gaining clarity on, and resolving conflicts between, data privacy requirements, threat and vulnerability vectors and business objectives. The architectural approach to security allows one to gain that clarity at the business, data and infrastructure security levels.

Author: Dr. Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Ana Kukec presented at the Open Group “Enterprise Transformation” Conference in Sydney on the topic of enterprise security architecture. Here are the presentation slides.

The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws in systems and applications to a risk-driven and business-outcome-focused methodology for enabling a business strategy.

Yet there is no single security architecture development methodology that delivers these characteristics. We believe that existing information security standards and frameworks, in combination with TOGAF, are sufficient to meet the aforementioned fundamental characteristics of an effective security architecture. The challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITIL v3 Security Service Management, and the ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Metamodel as the key integrators. It is a pragmatic security architecture framework which establishes a common language between the IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of the long-term security needs of both business and IT, with a risk-driven enterprise as the final outcome.

Key takeaways:

  1. Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with TOGAF
  2. Security strategic planning
  3. Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations)
  4. Business-opportunity-driven management of the security risk arising from threats, vulnerabilities and compliance issues across the business, information systems and technology architectures