In the piece I wrote in December ("What the Sony breach means for security in 2015"), I noted that while a good CISO is important; great security architects are critical. While a CISO may get the glory; security architects are what most organizations need.
About 95 percent of the firms in the U.S. are small-to-midsize businesses. These small firms with even smaller IT departments can't afford to burn an FTE slot on a CISO. They need a security architect or engineer, who can also hopefully provide security, privacy and risk management leadership. The bottom line is that good security design goes a very long way.
With that, I'd like to expand on the role of the cyber security architect.
So what exactly does a cyber security architect (CSA) do? An architect is defined as a person who plans, designs and oversees the construction of buildings. To practice architecture means to provide services in connection with the design and construction of buildings and the space within the site surrounding the buildings.
With a bit of license, a CSA can be defined as the person who plans, designs and oversees the information security components of networks, systems and applications (software). The CSA provides key constituent stakeholders with effective architectural guidance to apply a consistent set of information security principles, mechanisms and guidelines to ensure that the data, applications and devices are secure.
The CSA will know the firm's business and technology drivers, security risk management strategy, risk assessment philosophy and the various technology components of its IT infrastructure, and provide technical security leadership. A good CSA will be seen as the firm's trusted security adviser.
When designing a physical structure, the architect knows the component parts of the edifice, including electrical, plumbing, zoning laws, room size requirements, materials, and much more. The architect is not necessarily an expert in every area, but has the fundamental knowledge of all of them.
Similarly, an effective CSA will be a jack-of-all-trades in information security, and master of a few. Some of the areas in which the CSA needs to provide oversight are:
- Risk management
- Security engineering
- Secure coding and secure software development
- Access control and authentication
- Anti-malware protection
- Laws, standards and regulations
- Networks, routing, switching and network security
- Cryptography, encryption and key management
- Operating systems and system security
- Intrusion detection and change detection
- Incident response
- Policies and procedures
- Hacks, attacks and defense
- Business continuity planning (BCP) / disaster recovery planning (DRP)
- Physical security
Some of the responsibilities that a CSA will have include:
- Designing, reviewing and approving security configurations,
- Design and installation of security hardware and software such as VPN, firewalls, router, IDS, etc.
- Reviewing policies and procedures
Here's an example: A firm has created its environment around open source tools and frameworks, such as Groovy, Nginx, Git, Python, Atlassian, built on Amazon using their services such as AWS, RDS, ElastiCache, SES, Route 53 and more. It's the CSA who will be able to provide advice on how to securely use these technologies.
The CSA needs to be there to identify areas where things may go wrong. From the architecture, software coding, poor cryptographic selections, and more, the CSA needs to be the one who is asking the right questions.
Ben Tomhave, principal at Falcon's View Consulting, suggests that hiring a cyber security architect is a great starting point for SMBs, so long as the hiring organization provides them with the support and authority necessary to be effective. Most CSAs will need to balance the goal of designing and building the most secure environment possible against the costs and benefits, as well as helping to ensure that business, contractual and regulatory requirements are clearly understood and incorporated into all design decisions. A savvy CSA will help organizations optimize their security spend, limiting the number of tools and practices to those that maximize the desired risk management objectives without exposing the business to undue liability.
As for the cloud, a CSA is equally crucial. Cloud service providers have significant economic incentives to maintain levels of security that are often financially or politically unaffordable to other organizations. That gives a firm an incredible foundation to build on; but if they fail to design an architecture tuned for the cloud platform they will be deploying, the odds are high that they'll actually increase their security risk. Rich Mogull of Securosis notes that architecture is inarguably the most important factor when moving to the cloud.
He also notes that on the upside, as cloud providers continue to offer new features, firms can also take advantage of these for transformative security architectures. It's actually quite common to do things such as deploy throwaway servers with minimal network access and no SSH or other remote administrative access; leverage PaaS to wipe out common database exposures, and even use a cloud message queue and new deployment patterns to completely isolate sensitive application workers.
When it comes to the cloud, it's truly about the economics. The cloud provider wipes out the lower level, highly expensive security costs, which frees an organization to focus more on securing their applications. And that, for the most part, comes down to architecture.
Show me the architect
The Cisco annual security report states that modern threats are capable of infecting mass audiences silently and effectively, not discriminating by industry, business size, or country. That's the new reality every firm is dealing with. That means every firm, everywhere, needs a CSA.
Ben Rothke CISSP is a Senior eGRC Consultant with Nettitude, Inc. and the author of Computer Security: 20 Things Every Employee Should Know.