- Size of the organization
The size of the organization is a typical factor that influences the security architecture. Smaller organizations might have a single person taking on multiple architecture roles, combining security with other architectural domains such as information and infrastructure architecture, or even combining the security architect role with roles outside architecture, including risk management, risk governance and security engineering, thus creating a large span of control.
Medium-sized organizations may have more people per architectural domain, thereby creating clearer borders of responsibility between each role and allowing the security architect to focus more on his core duties. As one might expect from large-scale organizations, which have more means at their disposal but also more obligations, each role may be fulfilled by several people, organized in dedicated teams of expertise.
- Sector and industry
The sector or the industry in which the enterprise operates can directly affect the security architect’s role and contributions. Every business is subject to regulations, starting with the general laws at different political levels (local, regional, national and international) that apply to businesses, irrespective of their sizes. So, businesses need to take a systematic approach to compliance. When those rules relate to risk, compliance or security, the role of the security architect becomes more prevalent.
This is independent of the scale of the organization, as in the case of the healthcare sector, in which companies of every size are required to adhere to the same health regulations. Another example is enterprises that make security and safety their core activity: they must comply with a vast number of regulations and industry standards that apply to their targeted customers (e.g., the ISO 27000 series, FIPS, etc.).
In one way or another, every enterprise deals with data and intellectual property, which deliver competitive advantage and must be protected. This gives more importance to the security architect.
- Organization of the business
While it is expected that large organizations may have multiple lines of business and even multiple entities, small and medium-sized businesses also grow organically through external acquisitions, and can thus comprise a collection of lines of business and entities. Enterprises may let those entities operate in different manners: “stand-alone” (largely independent), “federated” (with a degree of alignment and a degree of freedom), or “integrated” (making them appear to act as one entity).
These choices inevitably impact the enterprise architecture and thus also the ESA, with different levels of IT and security standardization, and higher or lower margins of freedom and span of control for the security architect, etc.
- Company culture
The company culture should not be seen as the static result of a business, but as a continuum that influences the next business choices, which then feed the company culture.
For example, enterprises setting high standards for themselves (whether for productivity, quality, innovation or ethics) must organize themselves to deliver on their promises. This leads to architecting the enterprise around those fundamental choices, thus also to shaping the role of the architect and of the security architect in particular, who might be highly present or totally absent, depending on the company’s culture.
- Risk appetite
The enterprise’s risk appetite, whether it is “risk-averse” or “risk-tolerant”, influences the agenda of the security architect. It is common to associate small enterprises with a high risk appetite and large ones with a risk-averse profile. This is, however, not systematic and is also not necessarily a choice a business can make freely. Small businesses may be taking risks that are proportionally large for their size, but that are relatively small when put in another context. For example, a company taking out a large loan from a bank might be taking a sizable risk for itself; for the bank, however, the amount of credit might well be “invisible” in the vast sea of credits it has with other customers.
A business’s risk appetite is also shaped by the industry practices and the regulations inherent to the business, which may strictly constrain the freedom of the enterprise to take risks. The margins left by external business regulations can be such that the business is not allowed to take more risks than it might contemplate. This is especially true for businesses concerned with health and safety regulations, for the financial sector regulated by “prudential supervision”, or for businesses engaged in running “critical infrastructure”.
The importance of the security architect’s roles can be correlated with the enterprise’s risk appetite. Risk-tolerant enterprises need to organize themselves to take those risks and then quickly respond to changes, and thus must factor corresponding capabilities in their enterprise architecture, including their security architecture.
- Sourcing and vendor selection strategy
The security architect’s activities and duties are shaped by how the business chooses to select vendors and to source primary or secondary activities. In an enterprise that is heavily dependent on external providers and outsourced activities, the security architect’s role will be oriented towards specifying the security objectives, challenging the business partner, and assessing the quality of the evidence of the security implementation, but leaving the implementation choice to the business partner. It thus involves creating a coherent enterprise architecture by assembling the right puzzle of solutions and vendors.
On the other hand, in an enterprise that is building its own solutions, the security architect will tend to constrain the implementation choices of the engineering and development teams through policies, guidelines, standard solutions, etc., and sometimes through security code reviews or by writing security code himself in enterprises where security knowledge is scarce.
- Innovation and self-disruption strategy
The company’s innovation and self-disruption strategy can be related to its risk appetite. It is nevertheless an independent facet of the enterprise. Innovating and disrupting oneself before being disrupted can be done with various levels of risk, or alternatively can be totally absent in conservative enterprises or enterprises choosing to keep the status quo. This will be reflected in the enterprise’s architecture and security aspects, and thereby in the security architect role.
Conservative enterprises typically have a stable security architecture, which can be an asset but which can also turn into a difficult legacy. It is an asset when iterative improvements tilt the security architecture towards high levels of standardization and integration, and make it possible to seize the resulting benefits and economies of scale. These organizations might also lean towards a web of legacy solutions that remain untouched because there is no pressing need to change them and because of the heavy costs that change can incur, in particular for sudden changes forced by external disruption.
In contrast, enterprises driven by innovation and self-disruption need an architecture with the flexibility to enable rapid and fundamental changes. This is partly done by projecting the security architecture into the future to identify early on where the enterprise might run into a steep change that requires an agile approach to set the change in motion over time, and to avoid building a big solution for a hypothetical future, which, as a moving target, will likely alter over time.