I think all security professionals could learn a lesson or three from enterprise architects.
By becoming the stick more often than the carrot, we've become little more than cost centres and barriers to business, which means we get bypassed.
A proven alignment with business strategy generates more revenue and spending on an entire enterprise environment than alignment with risk management. Has anyone bothered to ask why that is?
Don't get me wrong, I think an understanding of risk is crucial to understanding what it is the business is facing when it chooses to accept a risk or apply mitigating controls that do not adequately address the root cause. But I do think focusing on shared objectives and business/IT alignment would help our cause a lot more often.
On the subject of risk, I was chatting to my manager today about why I hate risk management. This post of Richard Bejtlich just reminded me of it, in a way. We build our entire discipline around the art of risk management (and it is more art than science because we really do lack any data to make truly informed decisions). We advise people against entire decisions which could bring numerous benefits to the table (taking security out of the equation for a moment) with little more than unsubstantiated opinion, and we wonder why security rarely gets the budgets (or respect) it deserves.
On a related note, I recently saw a video on TOGAF 9 (an IT architecture framework). This video is very long (90min) but as someone still new to IT architecture frameworks, I found it amazing. No, seriously - it was amazing. Craig Martin's eloquence, depth of subject matter expertise and his ability to clearly articulate issues I've encountered in my travels and how EA has solutions - or at least the tools - to deal with them, literally floored me. I've shown this video to at least one other co-worker who was similarly impressed.
Seriously - if you work in information security, you need to start paying attention to enterprise architects. There are definite lessons to learn.