05.31.11
Cybersecurity Requires Enterprise Architecture

[Cartoon]
The lack of an Enterprise Architecture is now exposing organizations to cybersecurity threats. For years, organizations have opened themselves up to these threats. They have taken the quick approach to implementing new applications and have built up technical debt that must now be paid back.
One of the biggest areas of payment is to correct the problem of inadequate security. This problem is one of the most serious for most organizations. Not only is there the concern of providing continuous service to their customers, but also their private information could be exposed.
Solving the problem has become both a technical issue and an organizational issue. Systems can be breached, and the lack of security-minded people is sometimes the cause of initial attacks. Systems built and constructed over the years often have their own unique approach to authentication. Attempted breaches may not even be recorded. People in an organization are an even greater threat. Certainly there are those who might provide information to fuel WikiLeaks, but simple steps to protect access credentials are often not followed.
Organizations form security units to assess and take actions on security. The thought here is simple. If there is a problem, hire experts to solve the problem. These experts will assess the entire organization, identify weaknesses, and recommend actions. The years of duct-tape solutions will be exposed and the plan to pay down the technical debt can begin.
Security units have some major problems. To establish consistent security controls for all systems, all of the systems must be modified. Since these modifications can take years to accomplish with enormous resource costs, management will usually go for additional duct-tape solutions. The strategy is to patch the systems with the greatest exposure. They can get around to the other systems when they have a major upgrade or replacement.
Organizations that have been serious about their Enterprise Architecture already have a security unit. They have their own Enterprise Architects. These architects are as concerned about the systems as they are about the people who use the systems. Consistent security controls are always part of a sound Enterprise Architecture plan.
Although organizations with an Enterprise Architecture are way ahead of those that do not, there is a continuing effort needed to fight cybersecurity challenges. Most attacks occur at the infrastructure level. Invaders find ways to add code to running processes so they can extract traffic information. Fortunately, Enterprise Architects are also infrastructure architects.
Security of information and processes in most organizations has reached a level of concern at which the value of having an Enterprise Architecture is more apparent. An organization’s senior management can either continue to build technical debt by pushing security off to a separate group or adopt an ongoing Enterprise Architecture program. The choice is between an organization applying duct-tape security solutions and an organization applying Enterprise Architecture principles. Duct-tape solutions will only lead to higher costs and compromised risk mitigation. Enterprise Architecture will continually improve to maximize risk mitigation.

Enterprise Architects are well-aware of the continuing evolution of technology. They creatively look for technology convergence that can provide breakthroughs in thinking. We are at one of those convergent junctions today. What is about to happen will give non-professional information technologists control of their use of automation in their business. No longer will they simply peer through windows and see only what applications let them see. They will be able to go inside, see how things work, and control their automation. – Enterprise Architects Masters of the Unseen City
Closing the Business / IT gap.

