Should Security Architecture remain separate from the other architecture disciplines? In my experience, I have observed that many organizations split security architecture off from the other architectures. Does this make sense? Large companies frequently have governance practices such as an Architecture Review Board (ARB), yet they defer the system quality attribute of security to another entity. Does this raise the question of whether security experts should have a seat on Architecture Review Boards?
Different architecture "frameworks" also exhibit a similar level of thinking. Security has its own architecture framework called SABSA (Sherwood Applied Business Security Architecture), which appears to evolve independently of TOGAF, Zachman, etc. So, if I am an EA using one of the more popular "frameworks" that remain disconnected from the world of security, does that make it easier for me to forget that a secure ecosystem might also be a desirable business outcome?
Should we believe that a culture of separation, in which security feels it must own everything security-related, is a good thing? What if we were to revisit our thinking on security architecture? Would we conclude:
- Security is a part of everything and not the responsibility of any single organizational entity?
- Security architecture, in its historical meaning, is the same as QA/QC but concentrated on a specific type of error/bug?
- If we wanted to "build security in" as part of our SDLC, security practitioners should be consulting as part of that SDLC rather than having it focused solely on functional considerations?
We have a knowledge crisis when it comes to security architecture as part of enterprise solutioning. Consider how many solution designers, when documenting their solution, reference bolt-on security technologies to satisfy the requirements of ARB checklists instead of integrating security throughout the whole architecture.
Are we bold enough to acknowledge that both Enterprise Architecture and Information Security are in the business of managing risk, yet they never appear merged in their thinking, approach, solutioning, governance, etc.? Information security professionals have a "duty to protect", yet many of their recommendations overstate risk and increase costs to the enterprise.
I have been thinking about the best ways to help information security specialists think more like enterprise architects: to not only consider their duty to protect but also embrace the notion of delivering better business-outcome-driven security architecture. I would like to know your thoughts on this subject ...
Source: Channel365 Architecture & Design