Monday, April 19, 2010

Lessons from Enterprise Architects.

I think all security professionals could learn a lesson or three from enterprise architects.

By becoming the stick more often than the carrot, we've become little more than cost centres and barriers to business, which means we get bypassed.

A proven alignment with business strategy generates more revenue and spending on an entire enterprise environment than alignment with risk management. Has anyone bothered to ask why is that?

Don't get me wrong, I think an understanding of risk is crucial to understanding what it is the business is risking when it chooses to accept a risk or apply mitigating controls that do not adequately address the root cause. But I do think focusing on shared objectives and business/IT alignment would help our cause a lot more often.

On the subject of risk, I was chatting to my manager today about why I hate risk management. This post by Richard Bejtlich just reminded me of it, in a way. We build our entire discipline around the art of risk management (and it is more art than science, because we really do lack any data to make truly informed decisions). We advise people against entire decisions which could bring numerous benefits to the table (taking security out of the equation for a moment) with little more than unsubstantiated opinion, and we wonder why security rarely gets the budgets (or respect) it deserves.

On a related note, I recently saw a video on TOGAF 9 (an IT architecture framework). This video is very long (90min) but as someone still new to IT architecture frameworks, I found it amazing. No, seriously - it was amazing. Craig Martin's eloquence, depth of subject matter expertise and his ability to clearly articulate issues I've encountered in my travels and how EA has solutions - or at least the tools - to deal with them, literally floored me. I've shown this video to at least one other co-worker who was similarly impressed.

Seriously - if you work in information security, you need to start paying attention to enterprise architects. There are definite lessons to learn.

- J.


Christian said...

The FAIR risk analysis method made me like risk assessments again :)

Jarrod said...

Thanks for that. I hadn't heard of FAIR before. It looks nice(R) than other forms of risk management (at least it is infosec specific) but it still looks like arcane guesswork. I will probably post on some practices I've found that work well with estimating risk. Have you had much use of FAIR yourself? I may give it a crack if I at least have some anecdotal evidence it works. :D

Christian said...

It certainly is good and I have used it quite a bit at work. Like most methodologies in this space I find the key is to work in a collaborative way. FAIR makes it harder to make an "artistic" risk assessment, and provides a really good way to add rigour to the process. Talking about probabilities not possibilities, breaking down likelihood into threat events and loss events, and making you have to talk about probable loss not just worst-case, which sec people usually focus on.

Definitely think it's worth a look!