
May 01, 2007

The Politics of Architecture

Blogger: Dan Blum

Bob Blakley and I recently sequestered ourselves for an entire day to work on revisions of two Burton Group security framework documents which had aged into the archive:

  • A Systematic, Comprehensive Approach to Information Security
  • Risk Management Concepts and Frameworks

The systematic, comprehensive security framework comprises business risk management, security objectives, security posture, business processes, security technology, lifecycles and contexts. We use it to remind ourselves that security projects must always be holistic endeavors; it is the framework that guides us.

Afterwards, I visited a number of large organizations and talked with them about various subjects Burton Group covers, including security programs. It struck me, as it always does, that defining security architecture or strategy is always a lot easier than actually making it happen!

One of the people we visited was a security manager at a large financial institution. He said that his CISO organization has created a new security strategy and identity management architecture to cover various business units and outsource partners throughout their global environment. “This is a new initiative for us,” he said. “The first strategy is being approved, and others will be brought in to cover additional domains.”

The security manager went on to say that the challenge was not only to create the architecture but to communicate and enforce it. He calls this “the politics of architecture” and notes that it is particularly difficult in a global, outsourced environment where multiple technical architectures must be received and reviewed from sub-contractors. Within the organization, it will be critical to manage expectations, set up success metrics, and show some real progress by the end of the year. The security manager struck me as a very intelligent, buoyant and optimistic person – someone who thrives on chaos.

Continuing to make the rounds of companies that are interested in Burton Group, I later visited the Head of Information Security at another large global organization. He radiates an air of crisp competence and organization. He is living the life of the CISO as we describe it in our report Security Governance for the Enterprise. The subsidiaries and business units share a corporate culture of independence and autonomy, but they track to a baseline set of controls chosen from ISO 27001, as does the IT services organization. Reports are rolled up into a dashboard for management consumption. Clearly, the company understands accountability and metrics, things that we’ve emphasized in other documents. One weakness, he admitted, was that the reports are self-assessments and are only lightly spot-checked by internal audit.

Whether we are talking about the politics of architecture on the grand scale of the information security program for a Global 2000 company or on the smaller scale of an identity management project, the challenge is clear: how to get from theory to practice? Burton Group has a lot of good ideas already published, but we’ll be mindful of this issue as we plan more coverage and work to prepare the Successful Security: Getting Proactive track for our Catalyst conference. Hope to see you there!
