SECURITY ARCHITECTURE: Navigating complexity

Information Security Forum


Global information security spending across all market segments reached approximately US$75 billion last year, and is projected to grow nearly 8% by 2019 [1]. To safeguard a return on this investment, many organisations are turning to security architecture.

Advocates claim many benefits, including cost efficiencies, improved alignment between business and IT, process refinements, enhanced capacity for change, and a basis upon which information risk management practices can be improved.

Detractors on the other hand, claim that security architecture can take too long, cost too much, frustrate senior managers, and limit flexibility and innovation.

Given this contradiction, how can organisations unlock and realise the potential value of security architecture?

The ISF report Security Architecture: Navigating complexity answers this important question. It demystifies security architecture and conveys six lessons uncovered by ISF research. It provides a flexible approach for developing and using security architecture that can be tailored to suit the diverse needs of organisations.

Organisations that better understand security architecture are using it to navigate the complexity inherent in today’s interconnected world. These organisations are unlocking value and providing a sound basis for protecting their business against ever-more sophisticated cyber security threats.



SECURITY ARCHITECTURE DEMYSTIFIED

To DEMYSTIFY much of the confusion surrounding architecture in general and security architecture in particular, the report describes how security architectures:

1 Provide multiple, different views of relevant information

2 Contain various architectural elements

3 Are often based on an established framework such as TOGAF or SABSA [2]

4 Can be adopted in a variety of ways through individual projects or systematically across the organisation

5 Are developed by people with a range of skills

6 Can develop progressively over time or by design as a result of a specific initiative

7 Can support change – improving security arrangements to better meet business needs

The report provides AN APPROACH for developing and using security architecture that applies the six lessons learned while complementing organisations’ existing approaches.

ISF research uncovered six LESSONS LEARNED:

1 Align security architecture to business priorities

2 Coordinate development and use of security architecture

3 Determine appropriate integration with enterprise architecture

4 Consider the organisational structure

5 Obtain the right balance of skills

6 Make security architecture understandable

Architecture is a practice that enables people to work effectively with large-scale, complex projects in a consistent, systematic and structured manner.

[Figure: security architecture as layered views. Labels from the diagram:]

Reference Library / Architectural Elements: Terms and Definitions; Principles; Security Services; Products Catalogue; Reusable Models

BUSINESS NEEDS and SECURITY ARRANGEMENTS, linked by three layered views:

CONCEPTUAL VIEWS describe security from a business or organisational perspective

LOGICAL VIEWS describe security from process, technology and people perspectives

PHYSICAL VIEWS describe IT infrastructure

This approach for developing and using security architecture is based on ISF research and lessons learned:

STEP 1: Establish objectives

STEP 2: Determine approach

STEP 3: Develop architecture

STEP 4: Review and revise


A security architecture comprises layered views of various elements. Abstract concepts are translated into tangible change, such as the implementation of security arrangements to meet business needs.

Just as architecture gives architects a way to convey complex information about the design and construction of buildings, security architecture helps with the design and implementation of security solutions.

STEP 1: Establish objectives

1.1 Analyse business context

1.2 Identify how security architecture is currently used

1.3 Determine where security architecture can help

STEP 2: Determine approach

2.1 Describe the current state of the project or architecture

2.2 Describe the future state of the project or architecture

2.3 Determine what to create or update

STEP 3: Develop architecture

3.1 Determine how to update architectural content

3.2 Develop new architectural content

3.3 Test new architectural content

3.4 Develop information security practitioner expertise and skills

3.5 Apply updates to security architecture

3.6 Set targets and define measures

STEP 4: Review and revise

4.1 Measure effectiveness

4.2 Report security improvements

4.3 Share architectural content with key stakeholders

4.4 Identify lessons learned from making changes to the security architecture

4.5 Update policy

4.6 Implement agreed actions


ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

Reference: ISF 02 03 16 | Copyright © 2016 Information Security Forum Limited | Classification: Public, no restrictions

CONTACT

For further information contact:

Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
Email: [email protected]
www.securityforum.org

WHERE NEXT?

Security Architecture: Navigating complexity helps ISF Members to unlock value and safeguard a return on their investment in information security. It does this by:

– demystifying much of the confusion that surrounds security architecture

– conveying six lessons uncovered by ISF research

– providing an approach for developing and using security architecture that applies the lessons learned while complementing organisations’ existing approaches.

Give careful consideration to the ISF resources in this report including The Standard of Good Practice for Information Security, Benchmark, IRAM2: The next generation of assessing information risk, Time to Grow: Using maturity models to create and protect value and Engaged Reporting: Fact and fortitude.

The ISF encourages collaboration on its research and tools. Members are invited to join the vibrant Process community on ISF Live (https://www.isflive.org/community/process) to share and discuss innovative approaches for unlocking and realising value from security architecture.

The report is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-members interested in purchasing the report should contact Steve Durbin at [email protected].

[1] Gartner, "Forecast Analysis: Information Security, Worldwide", first and third quarter 2015 update, http://www.gartner.com/newsroom/id/3135617

[2] SABSA was previously known as the Sherwood Applied Business Security Architecture, available at: http://www.sabsa.org/, and TOGAF 9.1, an Open Group Standard, available at: www.opengroup.org/togaf