Alike but Not Alike…

If my memory serves me correctly, we touched on the concept of there being many synonymous terms in enterprise architecture and in technology in general. I need to do a better job at this myself, but I’ve seen “company” be used for “organization” and “organization” be used for “enterprise” and even a rotation of all three. There is a relation between the three terms but they all mean something different.

In Rob McMillan and Tom Scholtz’s article, Security Governance, Management and Operations Are Not the Same, they aim to clear up confusion and clarify that although the three terms are related, they do not mean the same thing. Security within an organization can be complex in itself, so making sure that there is a clear understanding of terms and their definitions is important. McMillan and Scholtz describe security governance, security management, and security operations as the following:

Security Governance

Security governance takes a high-level view. It ensures that the strategy of the business is clearly defined and that the security measures needed can adequately accommodate the business strategy.

Security Management

Security management is the mid-level view. It actually entails building and running the security program that was decided on and making sure that security measures continue to align with the overall business strategy.

Security Operations 

Security operations is the ground level view. It involves the actual execution of the security-related processes on a day-to-day basis.

Having a clear understanding of these three terms will help to avoid confusion, avoid dysfunction, and attempt to make security a little easier to understand.

Hopefully.

Source:

McMillan, R., & Scholtz, T. (2013, January 23). Security Governance, Management and Operations Are Not the Same. Retrieved October 20, 2017, from https://www.gartner.com/doc/2313217/security-governance-management-operations-

So…What’s the Game Plan?

I’m a firm believer that strategy is important in everything that you do and especially important in business. If you have no vision for where you are going, then how are you going to get there? Not only is it important to develop a strategy for your business, but it is also important to make sure that all areas of your business are aligned to that strategy. In Tom Scholtz’s article, Post-Dr. No: Developing a Strategy for Business-Aligned Information Security, he speaks on the effectiveness of aligned information security practices. Since there is no single right answer or path to aligning strategy, Scholtz reviews six areas of a business that are relevant to improving the alignment between information security and the business: culture, planning, processes, communication, competencies, and technology. I found the below to be rather interesting:

Culture

It is common to see businesses where most employees are removed from the idea that there are potential security risks to the business. Therefore, in an effort to align information security initiatives and the business, a risk-aware company culture needs to be developed. To integrate more security awareness within the business, consistent communication on the importance of information security and training on how to combat security threats are necessary. At my previous organization, we would often get spam-like emails as a test to see how we would react and deter the threat.

Processes

Not only is it important to have strategies but it is also important to have processes in place to support those strategies. Employing a strategic process, such as a security management system, will allow for the security team to continuously and proactively assess, develop, and implement security solutions as required by the business instead of trying to implement a one-size-fits-all security approach.

Finding ways to align across these crucial areas of the business will help in achieving a mature and optimized information security practice.

Ok! Break! (That’s how it goes, right?)

Source:

Scholtz, T. (2012, March 12). Post-Dr. No: Developing a Strategy for Business-Aligned Information Security. Retrieved October 20, 2017, from https://www.gartner.com/doc/1948217/postdr-developing-strategy-businessaligned-information

The Cloud… Risky Business

“That is why I am passionate about architecture, because architecture and principles are the foundation of everything we do in the industry and everything that we have to do as a technology provider to make it real for customers.” – Chris Young, CEO of McAfee.

In Warwick Ashford’s ComputerWeekly.com article, Endpoint, cloud, people key to future cyber security, says McAfee, he summarizes the key points that the CEO of McAfee, Chris Young, addressed at the MPOWER Cybersecurity Summit in Las Vegas. Young touched on several areas in which today’s businesses will have to evolve in order to be more secure and to prepare for the future cyber security attacks that are bound to come. The overall article was very interesting and it was exciting to see that he touched on points that related to this week’s readings.

Security Operations

No longer can businesses put off developing security operations; they will become a mandate. Additionally, security operations will have to move in the direction of being automated and orchestrated.

Security Management

Instead of security management trying to manage multiple silos across the business, management will have to be a heterogeneous environment.

Overall, in Chris Young’s speech, he emphasized that businesses need to have more architectural investment and focus on security, specifically cyber security. Businesses need to strengthen their threat defense lifecycle and increase interoperability between different defense, visibility and response tools in order to prepare for where cyber attacks and advanced threats will manifest themselves: endpoints, applications, and data residing in the cloud.

Source:

Ashford, W. (2017, October 19). Endpoint, cloud, people key to future cyber security, says McAfee. Retrieved October 22, 2017, from http://www.computerweekly.com/news/450428511/Endpoint-cloud-people-key-to-future-cyber-security-says-McAfee