Security systems can no longer be based on identical products that are to be implemented in different contexts. They should be architectural structures by design, and thus specifically developed to suit the needs of a company or organisation. ‘If you think about the development of an application, security by design is about ensuring that security is taken into account at all stages’, explains Benoît Moreau, Enterprise Architect IT Risk & Security at ING Belgium.
‘Designing security systems is also about guaranteeing that you can explain how the security works. So-called security by obscurity, meaning that something is secured because no one actually understands its functioning, is something we absolutely aim to avoid.’
Paradigm shift
The goals of security architecture often aggregate in three categories called the CIA triad: Confidentiality, Integrity and Availability. ‘We aim to turn security architecture into a competitive advantage’, explains Moreau. This understanding has clearly given rise to a paradigm shift in recent years. ‘We see that more and more companies are finally getting rid of the idea that security is blocking their business. They see their security architecture as a means to create new business.’
In other words, this paradigm shift fundamentally changed how security architecture is being appraised. ‘I often make the comparison with the brakes of a car. These were not only created to slow down your vehicle but were primarily invented to allow the driver to go faster than before. So, translated into a business context, developing better brakes is a security investment that leads to better business results.’
Discussions are improving
In this vision, the Enterprise Security Architecture can be tailored to the specific structure of an entire company. However, this does not necessarily mean that security architects have to start from scratch when developing new security systems. Benoît Moreau: ‘We don’t have to reinvent the wheel every time. On top of the common standards we use, we can learn from big tech companies and reuse their innovations in our own specific contexts. This improves the overall security levels.’
Sharing experiences and expertise among cyber professionals is part of their culture. ‘For example, it is common practice for security algorithms to be made public’, says Moreau. ‘We share the modus operandi between different players in the same sector. This definitely is a big advantage in heavily regulated sectors, where regulators expect a formal demonstration of the security. It also helps to reduce the cost of security.’
Despite this unequivocal importance and the increasing level of awareness, the job of the enterprise security architect is often misunderstood and confused with other security-related jobs. ‘This is why the Enterprise Security Architecture Focus Group of the Cyber Security Coalition is currently working on a position paper that will explain the role and the benefits for the company’, concludes Benoît Moreau.