What is Enterprise Security Architecture about?

Enterprise Security Architecture (ESA) is about understanding the enterprise’s strategic direction and business objectives, and taking actions to mitigate risks. ESA practices provide a comprehensive and rigorous method for describing, modeling, and structuring the current and future state of an organization’s security ecosystem.

Implemented through projects and programs, the security strategy delivers tangible results in support of the business strategy, improving the chance of reaching business goals effectively and efficiently through a consistent, systematic, and structured approach.

ESA is an essential part of the rapid evolution of the digital economy and touches every aspect and layer of an enterprise: technological advancements, process innovations, and the awareness and training that protect enterprise assets against cyber attacks.

An ESA built from a defined strategy simplifies the selection of the right capabilities and helps meet both compliance and auditability requirements. Possible misuse of systems must therefore be considered from the start of any design, whether that design is software, a new infrastructure, a process, a transformation or transition program, or a project.

Top-down approach

A top-down ESA approach builds a security architecture driven by risk optimization while maximizing business value. It works best combined with a bottom-up approach: the top-down view sets the target state, and the bottom-up view reveals the gaps, so that the security projects identified during the architecture assessment can be prioritized.

Once the framework and capabilities for the security architecture have been developed and the gaps identified, priorities can be set and an implementation plan (program) drawn up and executed. This is usually a long-term effort whose duration depends on the size, budget and maturity of the organization. It also requires continuous evaluation and adjustment in view of the rapid developments in the digital economy.

In a context where technology is critical to enable and support transformation initiatives and where it is a challenge to govern its complexity and fast changes, the primary purpose of an ESA is to:

  • ensure that business strategy and IT security remain cohesively and continuously aligned, and can adapt as both change;
  • enable informed, risk-based decision making;
  • establish the context for defining security objectives and selecting investments;
  • offer a common language to the organization, and act as the basis of the organization’s cybersecurity measures, for a holistic end-to-end view that links the business (product, legal, etc.) and technology.

What influences the ESA practice and determines its success?

While it is desirable to standardize and apply good practices from other organizations, each enterprise has its own particularities, which are reflected in its ESA practice. For example, something important in one environment may be less so in another.
It is thus important to analyze the context in which the ESA function operates, to identify the environmental factors that must be accounted for, and to understand how they will shape the ESA function. This helps to determine the objectives for security architecture.

The ESA does not always need to be established by design; it can be developed progressively over time, enabling the organization to make a sound choice for a security architecture that matches its needs. Certain environmental factors inevitably shape the context in which the security architecture practice takes place.
While the size of an organization often reflects the size and maturity of its security architecture practice, other factors also play a major role.

Read all about it in our article '7 key points that influence Enterprise Security Architecture and determine its success'.