Enterprise Architecture - Information Security
Insures & protects enterprises and their customers, and facilitates Digital Transformation
Ajay Kumar Uppal
April 2020
Scope & Benefits
Some of the Business Benefits of EA
IT Cost and Complexity Reduction, as EA rationalizes processes & systems based on benchmarks, standards, experience and reference security architecture.
Drive further Standardization and Risk Mitigation to maintain a consistent approach as opposed to diverse/different/varied solutions for the same problem. The idea is to stop having exotic solutions to a common problem, as these will increase security costs. Keep the cybersecurity spend/costs optimal by ensuring re-use of existing tools, processes & chosen technologies across all units/countries, with a mindset of consistent quality & accruing savings from economies of scale.
Ensure a ‘Fit-for-Future’ architecture as opposed to a fault-prone quick fix (fit-for-purpose), which helps in earning the trust of consumers/partners when it comes to introducing new channels.
Work collaboratively with business heads and users to ensure all systems are compliant with regulations (PCI:DSS, GDPR, ISO:27001, DPA etc.) and there are no penalties, no fines, and no bad/negative publicity that can result in reputational losses.
Produce ‘What if’ analysis and provide better, 360 deg visibility when it comes to impact analysis of change(s). Accurate impact analysis will help in managing showstoppers (like lack of security) during projects.
Promote innovation and creativity, and transform the Enterprise in a secure manner, by creating common insights and overviews of relationships and interdependencies to reduce miscommunication and misunderstandings, and to take/make decisions with confidence.
EA-InfoSec (Enterprise Architecture - Information Security) will ensure that the Enterprise’s Cybersecurity is always business risk-based and compliance driven.
Trends/Challenges & Approaches
Cyber insurance will continue to grow as a valid alternative to mitigate loss
Trend/Challenge: Business Continuity Planning & DR in the wake of Covid-19, as social distancing and work-from-home will become a new norm.
Approach: Enterprise Security Architect, in consultation with business, to keep the runbook for BCP and DR ready for such (Covid-19) global events.

Trend/Challenge: As a fallout of Covid-19, Identity Thefts, Phishing attacks, Malspams and ransomware attacks are increasing and will definitely result in infected end-user / personal devices.
Approach: Promote Analytics & AI to automate security processes, harness threat intelligence from multiple sources and identify threats before they impact our users, networks, devices and/or business.

Trend/Challenge: Use of Agile / DevOps to quickly deal with real-time changes in the buying pattern of consumers/businesses, as consumers are changing from 'in-branch' / 'on-phone' / 'agent' to online purchase through comparison portals, is making architecture complex & difficult to secure.
Approach: Move from a DevOps to a DevSecOps mindset and incorporate threat policies/models, threat intelligence, code reviews, continuous monitoring, detection, protection, response and recovery mechanisms/processes/tools.

Trend/Challenge: Management overhead associated with incoming internet traffic, Cloud Security, Identity Access Management (IAM) and Data Loss Prevention (DLP), especially in hybrid landscapes comprising on-premise & cloud hosted systems.
Approach: Leverage cloud automation solutions that address many common cloud security concerns, enable more stringent quality checks to identify vulnerabilities, automate deployment to unburden staff,

Trend/Challenge: Deception Technologies: Cybercriminals attempting to access legitimate user identities by introducing fake credentials into an organization's network.
Approach: Behavioural Analytics / AI: Using machine learning (M/L) to analyze user activities in order to predict whether or not an access attempt is indeed from the user.

Trend/Challenge: Risk management and privacy concerns in digital transformation are expected to drive additional security service spending through 2020 for more than 40% of organizations.
Approach: Investment in CyberSecurity & fraud protection has become paramount, and special focus should be on NIST, ITVA, Penetration Testing, Vaults, Security & Risk assessments to plug gaps.
Security Architecture Operating Model
EAs will launch an enterprise-wide Architecture Review Board and also introduce a simple-to-follow Architecture Review / Exception Certificate for all projects/programmes and initiatives, both those on the go and those being planned.
Will participate in / engage with procurement teams to influence IT budgets/spends for cybersecurity products/services.
[Diagram: operating model. Labels: Enterprise Architect - InfoSec; Domain, Solution & Security Architects; CEO, CTO, CISO, COO, EAs, Business, Users, Consumers & Partners; COO; Security; DevSecOps]
In consultation with the CISO and EA colleagues, EA-InfoSec will formally embrace one or a mix of the cybersecurity frameworks like COBIT5, SABSA, ECF etc. and utilise findings from NIST & other assessments.
EA-InfoSec:
Will produce, own and maintain the enterprise security roadmap for the Enterprise.
Will socialise, publish and enforce security architectural principles & guidelines and overcome friction from distributed ICT / Program Teams across various countries/units.
Will lead the Security SMEs job-family across the Enterprise.
Thanks…. and steps / thoughts going forward
Cloud Computing: SaaS, PaaS, IaaS
Mobility is increasing
Convenience and Integration (User Configured)
Business Analytics is Growing
Social Media is Growing
A key challenge for the insurance sector is to adopt an appropriate sourcing and service delivery model able to adopt/adapt digital innovations while maintaining the security, integrity and efficiency of the estate.
Engage/ Meet/ Analyse Stakeholders - EAs, CISO, COO, Service Delivery, PMs, Procurement
Draw up organisation map, RACI and understand internal dynamics
Study/research information to understand company’s business & ICT Strategy
Determine time that I am expected to spend on strategic versus tactical subjects
Connect plans explicitly to the organization’s strategic investment objectives.
Create team by leveraging existing heads i.e. from job family of security architects/SMEs
Finalise governance, frameworks and processes to provide structure to the EA practice.
Develop understanding of AS-IS enterprise architecture with focus on Security.
Leverage an existing Maturity Assessment, or conduct one, to determine areas of improvement.
Work on TO-BE architecture & 12-18 month Roadmap for aligning with the company’s goals.
Communicate/socialise the business value of EA to stakeholders to establish credibility
Seek feedback on Roadmap and TO-BE architecture from peers i.e. EAs and select architects.
Finalise and present Roadmap to COO, CISO and other senior stakeholders to seek buy-in.
Define execution process, showing how we move from business strategy through the individual initiatives and projects that support it.
Finalise portfolio of projects in consultation with business, other EAs, COO and CISO
Evangelise the plan for deploying portfolio of projects to PMs, Solution/Domain Architects
Act as point of escalation and also guide/coach project teams to ensure adherence to standards.
Monitor progress of key/mission critical initiatives/projects
Establish SMART metrics, KPIs, ARBs and CABs to track the progress & performance of the EA practice.
This is what I want to do and achieve in the first 100 days of joining.

Business value of Enterprise Security Architecture


Editor's Notes

  • #2: And how Enterprise Security Architecture, which encompasses a set of tools (products) and policies, principles and technology guidelines (portfolio of services), protects enterprises, you, me, colleagues, customers and their assets (i.e. devices, data, networks, DCs etc.), but also how enterprise security architecture can accelerate your digital transformation initiatives, and implement them with confidence.
  • #3: EA is all about ‘facilitating right things’, making ‘not-so-right things’ difficult and avoiding ‘wrong things’. Every new process, new service, new system or new channel that is not adding value to the business model or strategy will be stopped. This reduces complexity significantly and with that increases stability and overall quality. Having more overviews and insights into dependencies and interrelationships will reduce costs. The less diverse an IT landscape is, and the fewer relationships or interfaces there are, the less complex the IT landscape is. Lower complexity leads to higher availability, an improved way of working of the IT landscape and a much lower risk that it will fail. EA creates common insights and overviews of relationships and interdependencies. This leads to reducing miscommunication and misunderstandings, and also to more confidence in making a decision. Customer data confidentiality, integrity, systems availability, secure access control, encryption, data tokenisation / masking, fraud detection/protection, identity theft protection etc. are all features that consumers, partners and the eco-system appreciate and look into before doing business, e.g. buying an insurance policy online or through an agent or other channel. The fundamental lean redesign of chains of activities, complex services and products requires global and detailed insights and overviews. Architecture visualization can quickly provide information on the impact of change that a redesign of a process, service or product has. When processes are improved, fewer mistakes are made, resources are used more efficiently and effectively, and customers and clients will immediately experience the improvement.
  • #4: Protecting enterprises from cyber-attacks has become insanely complex. New threats, new attackers, new regulations, new risks, and an ever-growing number of endpoint devices, networks, systems, clouds, end users and supply chain partners to protect—not to mention the upward spiral in cybersecurity products, solutions, services and vendors, coupled with an ever-decreasing supply of skilled security talent—just keeping pace is a daunting task.