Security Architecture in Digital Transformation

Digital Transformation is the process of using technology to create new or modify existing business processes, products, and customer experiences. It can bring many benefits such as increased efficiency, innovation, and competitiveness. However, it also introduces new challenges and risks for security.

Security Architecture is the design and implementation of security controls and solutions that protect an organization’s assets, data, and users from cyber threats. It aligns with the business objectives and requirements, as well as the regulatory and compliance standards. Security architecture is not a one-time project, but a continuous process that adapts to the changing needs and threats of the organization.

See how easy that was?

Far too often in my working experience, I have encountered situations where people are talking past each other. One of the best explanations I’ve found for why this occurs is from the work of Judith Glaser in her book, Conversational Intelligence: How Great Leaders Build Trust and Get Extraordinary Results. One takeaway: people tend to carry on monologues, not dialogues. This is in part due to biology, and the hormone release (e.g. dopamine, cortisol) that occurs during the fight-or-flight response.

One of the key aspects of security architecture is establishing a clear taxonomy that ensures everyone has the same understanding of the terms they use. This facilitates a better connection between the signal and the reception of communication. A taxonomy is a system of classification that defines concepts, categories, relationships, and rules. A common language for security can help avoid confusion, ambiguity, inconsistency, and misunderstanding among different stakeholders such as business units, IT teams, security teams, vendors, customers, and regulators.

One disturbing social trend that I see recently is the notion of a person (often a celebrity) using the phrase “your truth”. Although this certainly benefits selfish endeavors such as personal brands (thanks Oprah), it comes at the cost of our shared society, in which there is only one “the truth”. An article in The Atlantic titled The Difference Between Speaking ‘Your Truth’ and ‘The Truth’ does a good job of unpacking this. I find it relevant to the topic of this post, as it cuts to the heart of the matter: there is only one reality, and thus one truth, and we must share it; otherwise we are just a collective bunch of monologues.

Security architecture is cross-cutting and permeates all abstraction layers of enterprise architecture (EA). Furthermore, it is multi-domain and thus prone to interpretation by many individuals with different backgrounds and focus. A clear taxonomy aligns our collaboration, decision-making, governance, measurement, and reporting of security issues and solutions into a mutual dialogue. It can help identify gaps or overlaps in security coverage and responsibilities. It can also help align security strategies with business goals and outcomes.

A real-world example of what goes wrong when people talk past each other and don’t realize it is the SolarWinds breach that occurred in 2020. This was one of the largest and most sophisticated cyberattacks in history, compromising several government agencies and private companies through a malicious update to widely used network management software.

One of the factors that contributed to this breach was the lack of clarity on who was responsible for securing what part of the IT infrastructure. The software vendor assumed that its customers were responsible for patching their systems regularly. The customers assumed that the vendor was responsible for ensuring its software was secure. The result was a massive blind spot that allowed attackers to exploit vulnerabilities for months without detection.

By including taxonomy in the best practices for security architecture in digital transformation, organizations can achieve greater business flexibility, improved customer experience, and reduced technical debt. They can also reduce their exposure to cyber risks and enhance their resilience against cyber threats.

2 thoughts on “Security Architecture in Digital Transformation”

  1. Kevin,
    I enjoyed reading about the human experience and how it can contribute to some of the shortcomings we have in terms of security architecture. I agree that we are often driven by our perceptions of ourselves and the world around us, which leaves a lot of room for blind spots in areas outside of that world. I think this is a great argument for the benefits that an objective taxonomy (or architecture) can provide, as it seeks to find what you called “the truth”.
    Do you think it is even possible to define and understand “the truth”? It seems like no matter how much we try, the definition we have of “the truth” will always be a compilation of information acquired from people’s individual truths. We will always be missing something! In any event, it’s in our best interests — especially when it comes to security — to try and get as close as possible.
    Neat write-up, thanks for sharing!
