In an increasingly interconnected and digital world, the importance of robust enterprise security architecture (ESA) to promote a strong security posture, drive efficiencies, and capitalise on opportunities made available through rapid technology developments cannot be overstated.
ESA represents a strategic and holistic approach to securing what matters most to organisations. It encompasses people, process, and technology controls. While there are multiple facets to ESA – including governance, architecture and acquisition principles, design reviews and approval processes – this article will explore one of the more pressing issues facing organisations: tool sprawl and unrealised value from investments in technologies.
In response to rising cyber threats, organisations have invested significantly in the acquisition of security tools and technologies. However, they still struggle to contain cyber threats and are not realising adequate value from their investments. Without a strategic approach, organisations end up with many point solutions that are neither optimised nor integrated with each other, creating challenges on the visibility, monitoring, and orchestration fronts.
Furthermore, it is not uncommon to see control areas with several overlapping technologies while other areas are largely uncovered. Many organisations also struggle to get started on their ESA journey and get stuck with fancy diagrams and pictures that have little to show in terms of tangible outcomes.
Adoption of the 3C approach for ESA can allow organisations to pragmatically unlock value from their investments and make progress. The 3Cs of the approach refer to coverage, configuration, and clarity.
1. Coverage
Everything starts with visibility and coverage. To enable the right coverage, organisations must first develop an understanding of the critical assets that matter the most to them. These assets align with the key business processes, services, and products that are material to the existence of the organisation. The critical assets or “crown jewels” view needs to be developed by working closely with business stakeholders. After all, cyber security exists to enable the business and is fundamentally a risk management exercise. Risk management cannot be adequately performed without an understanding of assets and the consequent impacts on them if threats are realised by exploiting vulnerabilities. Therefore, a register of key information assets and systems is vital. It does not have to be perfect but needs to have a reasonable degree of accuracy.
Another key input towards the 3C approach adoption is to develop an inventory of all the security tools and technologies that are present in the environment. These aren’t just tools operated by the security team but should include any tools that perform security-related functions such as identity and access management, database and endpoint protection, application security, etc.
It is foundational that these security tools and technologies actually have coverage over these critical assets. For example, does the web application firewall that filters malicious web traffic cover the key internet-facing systems, such as customer payment portals, banking applications, or e-commerce websites? Coverage is the key attribute that ensures investments in tools are actually protecting what must be protected.
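The coverage check described above can be made concrete by joining the asset register to the tool inventory and listing, per control area, which critical hosts no tool protects and where several tools overlap on the same host. The following is an added example, not part of the original article; the asset register, tool inventory and the rule that internet-facing assets require a WAF are all constructed assumptions.

```python
"""Coverage gap analysis over a constructed asset register and tool inventory."""
from collections import defaultdict

# Constructed sample asset register ("crown jewels"): not real systems.
ASSETS = [
    {"name": "customer-payment-portal", "internet_facing": True, "hosts": ["web-pay-01"]},
    {"name": "core-banking-app", "internet_facing": True, "hosts": ["bank-app-01", "bank-app-02"]},
    {"name": "hr-intranet", "internet_facing": False, "hosts": ["hr-web-01"]},
]

# Constructed sample tool inventory: each tool belongs to one control area and
# lists the hosts it is actually deployed in front of or on.
TOOLS = [
    {"name": "waf-edge", "area": "waf", "covers": {"web-pay-01"}},
    {"name": "edr-agent", "area": "endpoint", "covers": {"web-pay-01", "bank-app-01", "hr-web-01"}},
    {"name": "legacy-av", "area": "endpoint", "covers": {"web-pay-01", "hr-web-01"}},
]


def required_areas(asset):
    """Assumed policy: every asset needs endpoint protection; internet-facing ones also need a WAF."""
    areas = {"endpoint"}
    if asset["internet_facing"]:
        areas.add("waf")
    return areas


def coverage_gaps(assets, tools):
    """Return {asset name: {area: [uncovered hosts]}} for every required area with a hole."""
    gaps = {}
    for asset in assets:
        for area in required_areas(asset):
            covered = set().union(*(t["covers"] for t in tools if t["area"] == area))
            uncovered = [h for h in asset["hosts"] if h not in covered]
            if uncovered:
                gaps.setdefault(asset["name"], {})[area] = uncovered
    return gaps


def overlapping_areas(tools):
    """Return {area: {host: [tool names]}} where more than one tool covers the same host."""
    seen = defaultdict(lambda: defaultdict(list))  # area -> host -> tools covering it
    for t in tools:
        for host in t["covers"]:
            seen[t["area"]][host].append(t["name"])
    return {area: {h: names for h, names in hosts.items() if len(names) > 1}
            for area, hosts in seen.items() if any(len(n) > 1 for n in hosts.values())}


if __name__ == "__main__":
    print("gaps:", coverage_gaps(ASSETS, TOOLS))
    print("overlaps:", overlapping_areas(TOOLS))
```

On the constructed data the banking application shows up with no WAF in front of either host and one host missing endpoint protection, while the endpoint area has two tools overlapping on the same hosts, which is exactly the pattern the article describes.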
2. Configuration
This category focuses on the effectiveness of security tools and technologies and comprises the following areas.
3. Clarity
It is imperative that every security control and technology has clarity of responsibilities and supportability regarding its implementation and ongoing management. For example, which team(s) are responsible for network security tools? What is the role of the security team in this area? Is it to provide governance and rules while the network team implements them and supports the tools, or does the security team own end-to-end management of network tools? This clarity is essential to realising value from investments. It includes establishing roles and responsibilities with managed service providers and retaining enough in-house expertise to verify that providers are delivering value and meeting the established agreements. In the absence of clarity of control ownership, responsibilities and supportability at an operational level, configurations aren't managed, services are not optimised, and the effectiveness of tools is significantly lowered.
Applying the 3C approach to your ESA, combined with good governance processes and architecture principles, builds an effective foundation for improving the security posture along with operational efficiency and value optimisation.
Chirag Joshi is the founder and chief executive of 7 Rules Cyber.