For the last year, my partner Ed Moyle and I have been writing a book that we wish we’d had when we were starting out in our careers. A practical, no-nonsense guide to security architecture. As experienced technical architects, we know the value of a strategic plan. One way we learned that value, was the hard way, seeing things go wrong when a plan wasn’t as detailed as it needed to be or didn’t take stakeholder needs and legacy constraints into account. That’s why we wanted to share our lessons learned and lessons from some of the most advanced practitioners working the field today.
Cybersecurity is quickly becoming a “make or break” topic area for most businesses. We all can cite numerous examples of headlines describing security issues, notifications from companies or online services that we use, and (in some cases) even breaches that have impacted organizations that we’ve worked for. We all know the stories of vulnerable software, scammed users, accidental misconfiguration of hardware or software, and numerous other events that can have potentially disastrous consequences for us as individuals and the organizations that we work for.
To avert situations such as these, organizations are placing increasing importance on cybersecurity. They are making it a higher priority and investing in it accordingly. But how can an organization know if they are investing in the right places? Resources are finite, which means that they need to be selective about what security measures they implement and where they apply their limited security budgets. How can organizations know when they have enough security? How do they know that they’ve attained their security goals when the steps they take are dependent on factors unique to them: what the organization does, how they do it, who’s involved, and why? Everything from culture, to business context, to governing regulation, to geography, to industry can play a role here.
Cybersecurity architecture is one way to systematically, holistically, and repeatably answer these questions. Much as a software architect creates a vision for how to achieve a user’s goals in software or a network engineer creates a vision for how to achieve the performance and reliability targets for network communications, the cybersecurity architect works to create a vision for cybersecurity. This can be for an application, fora network, for a process, for a business unit, or for an entire organization.
Practical Cybersecurity Architecture takes a practitioners look at the nuts and bolts of defining, documenting, validating, and ultimately delivering an architectural vision. It draws on existing standards and frameworks for cybersecurity architecture, outlining where (and more importantly how) they can be applied to the architecture process in your organization. The book does this by walking through the architecture process step by step, discussing why each step provides the value it does and how to use it to maximum benefit, and provides tips, gotchas, and techniques from numerous working architects in the field to supplement our own perspective.
The book is primarily for cybersecurity practitioners: both those getting started as security architects and those already following a systematic architecture process that want to deepen and enhance their practice. For the novice, we walk through the fundamental skills and techniques used in the architecture process. For more experiences architects, we supplement the basics with the voices of experience from leading architecture specialists currently in the field to help readers think about challenges in a new way or adapt strategies that have been successful for others into their own toolkit.
Over the next few weeks I’ll be sharing highlights from our book that we think are most valuable for practitioners. Thanks for being on this journey with us.