Welcome!

@DXWorldExpo Authors: Yeshim Deniz, Pat Romanski, Liz McMillan, Zakia Bouachraoui, Carmen Gonzalez

Blog Feed Post

Enterprise Architecture: The Key to Cybersecurity

post thumbnail

When I first discuss security in our Licensed ZapThink Architect (LZA) SOA course, I ask the class the following question: if a building had 20 exterior doors, and you locked 19 of them, would you be 95% secure? The answer to this 20-doors problem, of course, is absolutely not – you’d be 0% secure, since the bad guys are generally smart enough to find the unlocked door.

While the 20-doors problem serves to illustrate how important it is to secure your Services as part of a comprehensive enterprise IT strategy, the same lesson applies to enterprise Cybersecurity in general: applying inconsistent security policies across an organization leads to weaknesses hackers are only too happy to exploit. However, when we’re talking about the entire enterprise, the Cybersecurity challenge is vastly more complex than simply securing all your software interfaces. Adequate security involves people, process, information, as well as technology. Getting Cybersecurity right, therefore, depends upon Enterprise Architecture.

Understanding the Enterprise Context for Cybersecurity

A fundamental axiom of security is that we can never drive risk to zero. In other words, perfect security is infinitely expensive. We must therefore understand our tolerance for risk and our budget for addressing security, and ensure these two factors are in balance across the organization. Fundamentally, it is essential to build threats into your business model, and do so consistently.

Credit card companies, for example, realize that despite their best efforts, there will always be a certain amount of fraud. True, they spend money to actively combat such fraud, but not as much as they could. Instead, they balance the budget for fighting such crime with the money lost through fraud in order to determine the acceptable level of risk.

In many organizations, however, the tolerance for risk and the budget for security are not in balance – or to be more precise, the balance is different in different departments or contexts across the enterprise. Part of this problem is due to the lottery fallacy, which we recently discussed in the context of Big Data. People tend to place an inordinate emphasis on improbable events. This fallacy frequently occurs in the context of risk, which is why we’re more worried about airplane crashes than car accidents, even though car crashes are far, far more likely.

But the lottery fallacy isn’t the only problem. Politics is a much greater issue. Department heads have their own ideas about tolerable risk in their fiefdoms, and the risk tolerance for one division may be very different from another. Furthermore, in most organizations, certain departments are responsible for security while others are not. Now department heads have a much more difficult time evaluating their level of risk and calculating their budget for security, as it’s someone else’s budget and supposedly someone else’s problem.

The solution to these challenges is the effective use of Enterprise Architecture. You must think like an insurance company: undertake an objective analysis of the known risks and calculate the average cost of threats over all the activities in your organization. Just as an insurance company must be able to set their premiums high enough to cover losses on average, you must set your security budget high enough to cover your threats. Of course, sometimes a particular threat costs more than you expect, just as a catastrophic loss may cost more than a lifetime of premiums for the affected insurance customer. But the average still generally works out to your advantage.

With risk comes reward, but not all risks have the same promise of reward. In other words, some bets are better than others. Properly applied, EA can inform the organization about which bets have better expected returns than others, so that the organization can place its bets more rationally by distributing the risk across the organization in a fact-based manner.

Cybersecurity: Dealing with Change

Even organizations with robust EA efforts typically don’t leverage architecture to drive their Cybersecurity strategies. The reason for this lack are diverse, and often include political and competence issues, but the most fundamental reason is because traditional EA doesn’t deal well with change. Cybersecurity is an inherently dynamic challenge: hackers keep inventing new attacks, new technologies continually introduce new vulnerabilities, and the interrelationship among the various trends in IT are increasingly convoluted, as we illustrate on our new ZapThink 2020 poster.

In contrast, the Agile Architecture approach I champion in my book, The Agile Architecture Revolution, calls for EA that focuses on change by explicitly working at the “meta” level: instead of simply architecting the things themselves, focus on architecting how those things change. For example, instead of focusing on the processes in the organization, architect the meta-processes: processes for how processes change. Similarly, the role of software development isn’t simply to build to requirements. Instead, the focus should be on building systems that respond to changing requirements, what my book calls the meta-requirement of business agility.

So too with architecting for security. The focus shouldn’t be on threats, but rather on how those threats might change. At the technology level, this focus on change shifts the focus from a static “locked door” approach to security to the immune system metaphor I discussed last year. But there’s more to architecting for security than the technology. At the organizational level, effective EA will help resolve shadow IT issues which can lead to unmanaged security threats as an example. At the process level, EA will address social engineering challenges like phishing attacks. Securing your technology without applying a comprehensive, best practice approach to organizational and process security is tantamount to leaving some of your doors unlocked.

The ZapThink Take

Remember the scene from Apollo 13, where the Flight Director goes around the room, asking each division leader for a go/no-go decision? Essentially, every division leader was a stakeholder in all important decisions, and any one of them had the ability to nix any idea with a thumbs-down. The thinking behind this approach was one of risk mitigation: only if there be a unanimous thumbs-up can the organization make a critical decision to take action.

Just so in the enterprise. Your Enterprise Architecture should require the security team to be part of the planning for all systems (both human and technology) across the organization. Without EA, security tends to be an afterthought. Instead, security must be a stakeholder in all critical decisions across the enterprise.

EA should also have a seat at the table, of course. By giving your Enterprise Architects the ability to offer thumbs-up or thumbs-down opinions on critical decisions, you are essentially saying that you mandate EA. And without such a mandate, architects find themselves in the proverbial ivory tower, creating artifacts and standards that the rank and file consider optional – which is a recipe for disaster. There’s no surer way to increase your Cybersecurity risk than to treat Enterprise Architecture as anything but absolutely necessary to the proper functioning of your organization.

Read the original blog entry...

More Stories By Jason Bloomberg

Jason Bloomberg is a leading IT industry analyst, Forbes contributor, keynote speaker, and globally recognized expert on multiple disruptive trends in enterprise technology and digital transformation. He is ranked #5 on Onalytica’s list of top Digital Transformation influencers for 2018 and #15 on Jax’s list of top DevOps influencers for 2017, the only person to appear on both lists.

As founder and president of Agile Digital Transformation analyst firm Intellyx, he advises, writes, and speaks on a diverse set of topics, including digital transformation, artificial intelligence, cloud computing, devops, big data/analytics, cybersecurity, blockchain/bitcoin/cryptocurrency, no-code/low-code platforms and tools, organizational transformation, internet of things, enterprise architecture, SD-WAN/SDX, mainframes, hybrid IT, and legacy transformation, among other topics.

Mr. Bloomberg’s articles in Forbes are often viewed by more than 100,000 readers. During his career, he has published over 1,200 articles (over 200 for Forbes alone), spoken at over 400 conferences and webinars, and he has been quoted in the press and blogosphere over 2,000 times.

Mr. Bloomberg is the author or coauthor of four books: The Agile Architecture Revolution (Wiley, 2013), Service Orient or Be Doomed! How Service Orientation Will Change Your Business (Wiley, 2006), XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996). His next book, Agile Digital Transformation, is due within the next year.

At SOA-focused industry analyst firm ZapThink from 2001 to 2013, Mr. Bloomberg created and delivered the Licensed ZapThink Architect (LZA) Service-Oriented Architecture (SOA) course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, which was acquired by Dovel Technologies in 2011.

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting), and several software and web development positions.

DXWorldEXPO Digital Transformation Stories
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Enterprises are striving to become digital businesses for differentiated innovation and customer-centricity. Traditionally, they focused on digitizing processes and paper workflow. To be a disruptor and compete against new players, they need to gain insight into business data and innovate at scale. Cloud and cognitive technologies can help them leverage hidden data in SAP/ERP systems to fuel their businesses to accelerate digital transformation success.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Cloud is the motor for innovation and digital transformation. CIOs will run 25% of total application workloads in the cloud by the end of 2018, based on recent Morgan Stanley report. Having the right enterprise cloud strategy in place, often in a multi cloud environment, also helps companies become a more intelligent business. Companies that master this path have something in common: they create a culture of continuous innovation. In his presentation, Dilipkumar will outline the latest resear...
Everyone wants the rainbow - reduced IT costs, scalability, continuity, flexibility, manageability, and innovation. But in order to get to that collaboration rainbow, you need the cloud! In this presentation, we'll cover three areas: First - the rainbow of benefits from cloud collaboration. There are many different reasons why more and more companies and institutions are moving to the cloud. Benefits include: cost savings (reducing on-prem infrastructure, reducing data center foot print, redu...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
When building large, cloud-based applications that operate at a high scale, it’s important to maintain a high availability and resilience to failures. In order to do that, you must be tolerant of failures, even in light of failures in other areas of your application. “Fly two mistakes high” is an old adage in the radio control airplane hobby. It means, fly high enough so that if you make a mistake, you can continue flying with room to still make mistakes. In his session at 18th Cloud Expo, Lee A...