Five Essential Enterprise Architecture Practices to Create the Security-Aware Enterprise




Presented by
The Enterprise Architect is Ideally Positioned to Help Improve IT Security.

Security efforts need to help the business achieve its objectives while reducing risk, whether the enterprise wants to:
- Launch a new Web site.
- Create a database.
- Build a collaboration platform.
- Embrace mobility.
- Move to Cloud computing.


Everything with which the Enterprise Architect is charged speaks directly to business alignment, across technologies, workflows and roles!




The Enterprise Architect's Charges* Include:
- Supporting enterprise goals.
- Helping build and support business processes.
- Enhancing organizational structure and culture.
- Designing sustainable IT systems and applications.

*All of which must be done with security in mind.




Business Alignment Falters When Security is Bolted on, not Built in.

Despite the importance of IT security in keeping data and enterprise systems secure and ensuring that the enterprise operates within regulatory compliance requirements, the tendency is to add security onto systems after they've been built.

Or worse, after they've been deployed.



The High Cost of Failure

Generally, it is much more difficult to add security to a system after it has been designed or once deployed than it is to build it right to begin with.

Worse yet, bolt-on approaches are more likely to lead to costly security failures, such as breaches:

High Price of a Security Failure
- Cost of a data breach: $214 per compromised record
- Average cost per data breach event: $7.2 million

Source: Ponemon Institute U.S. Cost of a Data Breach report, 2011



Driving Coordination, Effecting Change

Building inherently secure applications and systems requires tight, open and upfront coordination among many groups.

Enterprise architects are in the position to drive that coordination and effect the required change that depends on it.

Because their work is so integral to business alignment, and to driving the agility the enterprise requires to deliver better business service, enterprise architects have a firm understanding of how systems are being deployed, as well as knowledge of the business objectives behind these systems.

Thus:

The enterprise architect can drive value in aligning security teams, quality assurance teams, developers, the office of the CIO, and business managers and executives.

All those parties, in conjunction with the enterprise architect, must work together to ensure that the focus and resources necessary to maintain a secure IT posture are in place.




Still, This Won't Be Easy . . .

This may be the first time all of these groups work together early in the solutions creation process. Expect tension. For instance:

- Security teams may request certain controls that could seem onerous to others involved in the effort (including enterprise IT architects).
- Developers may view security as a roadblock at times, and shun its input.




Taking the Lead, Breaking Bad Habits

- 59 percent of enterprise development teams are not following quality and security processes "rigorously" when developing new software.
- 26 percent have few or no secure software development processes.
- Only 48 percent claim to follow audit procedures rigorously.
- More than 70 percent felt that there was insufficient security guidance for key technology models such as cloud, virtualization, mobile devices and mainframes.

Source: Creative Intellect Consulting, "The State of Secure Application Lifecycle Management." The report was based on a survey of software development, IT and information security professionals around the world.
"We'd like to see organizations taking a multi-faceted approach to tackling the…security challenge. 'Secure by Design and Practice' should be the call to action adopted by organizations to address the software security challenge more directly."

—Bola Rotibi, founder of Creative Intellect Consulting




Five Essential Enterprise Architecture Practices to Create the Security-Aware Enterprise

1. Get executive sponsorship.
2. Foster a collaborative environment.
3. Pick, at first, easily attainable projects.
4. Evaluate security risks during planning & design.
5. Build security processes into workflow.
Step 1: Get Executive Sponsorship

In order for enterprise architects to get security, operations and other teams to work cohesively together, it's helpful to insert executive leadership into the process, so they can set business objectives and expectations across teams. Should security processes or communications break down, executive leadership can reiterate those processes' importance to the business.

Without such political cover, efforts can quickly fray and fall apart.

Setting the stage for the integration of security through the development process will change how new initiatives are built, and how the operations work together. Win political sponsorship to get started by:
- Showing business leaders the threats against the company.
- Demonstrating how integrating security into a product or application from the start can reduce risk.
- Demonstrating areas where cost of securing systems can be reduced through integrating security processes with design.
This level of sponsorship should be easier today than it was just a few years ago, as security is reporting less often to the CIO's office and increasingly to the board of directors. That's a level of recognition for their work that can't be ignored by any other groups associated with a project:

[Chart: The Changing Reporting Structure for CISOs/Equivalent Information Security Leaders. Source: PricewaterhouseCoopers LLP: 2011 Global State of Information Security Survey. *This calculation measures the difference between response levels over a three-year period from 2007 to 2010.]


Step 2: Foster a Collaborative Environment, Starting with the Security Team

Encourage information security's involvement as an enabler. Engage with the CISO's office as a consultative resource to evaluate the business risk of new initiatives and have the staff propose alternatives for reducing that risk.




What would collaboration entail?

Example: A new application is to be built. The enterprise architect can bring the security team into the picture during the design phase to evaluate access controls, secure architecture and deployment, and how such things as data encryption, digital certificates and other components could be built to optimize security and regulatory compliance for this effort and to apply to future efforts as part of a wider EA blueprint.
"Most organizations' enterprise IT architects find that they are constantly battling with the information security groups rather than truly consulting with them."

—CISO at regional healthcare provider.

They translate IT security personnel's natural caution as meaning that the group default is to just say no.




Step 3: Start with Easily Attainable Projects

As this is probably the first time that groups ranging from security to development have collaborated from the start of a project, it's advisable that the initial project not be a major business initiative. An easy win, or a couple of easier wins, in the beginning will help teams to learn how to work together and get processes right, and build a foundation of credibility and trust.



Consider small-in-scope projects, such as a focused departmental initiative. Examples include helping a team build security into the initial design of:
- A mobile application for a select group of field workers.
- A new database for emerging market customers.
- A new e-commerce application dedicated to a particular segment of B-to-B clients.


"Whenever trying to effect organizational change, it's always smart to start smaller, perfect those processes, and then apply them more broadly over time."

— Pete Lindstrom, Research Director at the market research firm Spire Security.




Step 4: Evaluate Risks During Planning & Design

Enterprise architects should focus on ensuring that the group lets the security team do what it does best: find and evaluate risk. If it's a database front-end being deployed on tablets, as a simple example, have the security team do the vetting and report back to the enterprise architect and the team for remediation.




To rank risks and develop ways to mitigate them, ask the following questions:
- How might the deployment of new technologies potentially introduce vulnerabilities and compromise workloads?
- How is the data being collected and/or accessed classified?
- What job roles are permitted access?
- What credentials will be used for authentication?
- Has the application code had a security review?
- What industry or government regulations come into play?
Step 5: Build Security Processes Into Workflow

- Over time, the practice of designing security into new initiatives will become part of the organizational fabric.
- Security, operations and the enterprise architect's office will learn how to work effectively together.
- Processes will be put into place that will improve the overall IT security of the organization.
- Checkpoints will be put into place so that the risk posture of new initiatives can be evaluated as they move from design through production.
- After a few successes and lessons learned, the processes and procedures put into place can be used throughout the organization on all new initiatives.
In Conclusion:

Security coordination driven from the enterprise architect will:
- Help align security with business objectives.
- Secure new initiatives more cost-effectively.
- Develop successful security processes that can be replicated throughout the organization.
- Lead to a decline in the risk of data breaches.
- Lead to an increase in regulatory compliance.



The End-State:

"I firmly believe that having an enterprise architect who is a partner of the information security group (and vice versa) removes a number of barriers to the design and deployment of new solutions and allows them to be delivered quickly within policy guidelines and with acceptable levels of risk."

—Enterprise architect, global engineering company




Income Tax exemption for Start up : Section 80 IAC
CA Dr. Prithvi Ranjan Parhi
 
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
Aleksey Savkin
 
How to Implement a Real Estate CRM Software
How to Implement a Real Estate CRM SoftwareHow to Implement a Real Estate CRM Software
How to Implement a Real Estate CRM Software
SalesTown
 
Digital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on SustainabilityDigital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on Sustainability
sssourabhsharma
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
SOFTTECHHUB
 

Recently uploaded (20)

Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
 
Authentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto RicoAuthentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto Rico
 
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
 
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdfHOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
 
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
 
The APCO Geopolitical Radar - Q3 2024 The Global Operating Environment for Bu...
The APCO Geopolitical Radar - Q3 2024 The Global Operating Environment for Bu...The APCO Geopolitical Radar - Q3 2024 The Global Operating Environment for Bu...
The APCO Geopolitical Radar - Q3 2024 The Global Operating Environment for Bu...
 
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challengesEvent Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
 
Part 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 SlowdownPart 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 Slowdown
 
3 Simple Steps To Buy Verified Payoneer Account In 2024
3 Simple Steps To Buy Verified Payoneer Account In 20243 Simple Steps To Buy Verified Payoneer Account In 2024
3 Simple Steps To Buy Verified Payoneer Account In 2024
 
The Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb PlatformThe Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb Platform
 
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
 
Lundin Gold Corporate Presentation - June 2024
Lundin Gold Corporate Presentation - June 2024Lundin Gold Corporate Presentation - June 2024
Lundin Gold Corporate Presentation - June 2024
 
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
 
Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024
 
-- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month ---- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month --
 
Income Tax exemption for Start up : Section 80 IAC
Income Tax  exemption for Start up : Section 80 IACIncome Tax  exemption for Start up : Section 80 IAC
Income Tax exemption for Start up : Section 80 IAC
 
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
 
How to Implement a Real Estate CRM Software
How to Implement a Real Estate CRM SoftwareHow to Implement a Real Estate CRM Software
How to Implement a Real Estate CRM Software
 
Digital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on SustainabilityDigital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on Sustainability
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
 

Five Essential Enterprise Architecture Practices to Create the Security-Aware Enterprise

  • 1. Five Essential Enterprise Architecture Practices to Create the Security-Aware Enterprise Presented by
  • 2. The Enterprise Architect is Ideally Positioned to Help Improve IT Security.
    Security efforts need to help the business achieve its objectives while reducing risk, whether the enterprise wants to:
    - Launch a new Web site.
    - Create a database.
    - Build a collaboration platform.
    - Embrace mobility.
    - Move to Cloud computing.
  • 3. Everything with which the Enterprise Architect is charged speaks directly to business alignment – across technologies, workflows and roles!
  • 4. The Enterprise Architect's Charges* Include:
    - Supporting enterprise goals.
    - Helping build and support business processes.
    - Enhancing organizational structure and culture.
    - Designing sustainable IT systems and applications.
    *All of which must be done with security in mind.
  • 5. Business Alignment Falters When Security is Bolted on, not Built in.
    - Despite the importance of IT security in keeping data and enterprise systems secure and ensuring that the enterprise operates within regulatory compliance requirements, the tendency is to add security onto systems after they've been built.
    - Or worse, after they've been deployed.
  • 6. The High Cost of Failure
    - Generally, it is much more difficult to add security to a system after it has been designed or once deployed than it is to build it right to begin with.
    - Worse yet, bolt-on approaches are more likely to lead to costly security failures, such as breaches:
    High Price of a Security Failure
      Cost of a data breach: $214 per compromised record
      Average cost per data breach event: $7.2 million
      Source: Ponemon Institute, U.S. Cost of a Data Breach report, 2011
  • 7. Driving Coordination, Effecting Change
    - Building inherently secure applications and systems requires tight, open and upfront coordination among many groups.
    - Enterprise architects are in the position to drive that coordination and effect the required change that depends on it.
    - Because their work is so integral to business alignment – and to driving the agility the enterprise requires to deliver better business service – enterprise architects have a firm understanding of how systems are being deployed, as well as knowledge of the business objectives behind these systems.
  • 8. Thus:
    - The enterprise architect can drive value in aligning security teams, quality assurance teams, developers, the office of the CIO, and business managers and executives.
    - All those parties — in conjunction with the enterprise architect — must work together to ensure that the focus and resources necessary to maintain a secure IT posture are in place.
  • 9. Still, This Won't Be Easy . . .
    This may be the first time all of these groups work together early in the solution-creation process. Expect tension. For instance:
    - Security teams may request certain controls that could seem onerous to others involved in the effort (including enterprise IT architects).
    - Developers may view security as a roadblock at times – and shun its input.
  • 10. Taking the Lead, Breaking Bad Habits
    - 59 percent of enterprise development teams are not following quality and security processes "rigorously" when developing new software.
    - 26 percent have few or no secure software development processes.
    - Only 48 percent claim to follow audit procedures rigorously.
    - More than 70 percent felt that there was insufficient security guidance for key technology models such as cloud, virtualization, mobile devices and mainframes.
    Source: Creative Intellect Consulting, "The State of Secure Application Lifecycle Management." The report was based on a survey of software development, IT and information security professionals around the world.
  • 11. "We'd like to see organizations taking a multi-faceted approach to tackling the…security challenge. 'Secure by Design and Practice' should be the call to action adopted by organizations to address the software security challenge more directly." —Bola Rotibi, founder of Creative Intellect Consulting
  • 12. Five Essential Enterprise Architecture Practices to Create the Security-Aware Enterprise
    1. Get executive sponsorship.
    2. Foster a collaborative environment.
    3. Pick, at first, easily attainable projects.
    4. Evaluate security risks during planning & design.
    5. Build security processes into workflow.
  • 13. Step 1: Get Executive Sponsorship
    In order for enterprise architects to get security, operations and other teams to work cohesively together, it's helpful to insert executive leadership into the process, so they can set business objectives and expectations across teams. Should security processes or communications break down, executive leadership can reiterate those processes' importance to the business. Without such political cover, efforts can quickly fray and fall apart.
  • 14. Step 1: Get Executive Sponsorship
    Setting the stage for the integration of security throughout the development process will change how new initiatives are built, and how the operations teams work together. Win political sponsorship to get started by:
    - Showing business leaders the threats against the company.
    - Demonstrating how integrating security into a product or application from the start can reduce risk.
    - Demonstrating areas where the cost of securing systems can be reduced by integrating security processes with design.
  • 15. Step 1: Get Executive Sponsorship
    This level of sponsorship should be easier today than it was just a few years ago, as security is reporting less often to the CIO's office and increasingly to the board of directors. That's a level of recognition for their work that can't be ignored by any other groups associated with a project:
  • 16. Step 1: Get Executive Sponsorship
    [Chart: The Changing Reporting Structure for CISOs/Equivalent Information Security Leaders. Source: PricewaterhouseCoopers LLP, 2011 Global State of Information Security Survey. * This calculation measures the difference between response levels over a three-year period from 2007 to 2010.]
  • 17. Step 2: Foster a Collaborative Environment, Starting with the Security Team
    Encourage information security's involvement as an enabler. Engage with the CISO's office as a consultative resource to evaluate the business risk of new initiatives and have the staff propose alternatives for reducing that risk.
  • 18. Step 2: Foster a Collaborative Environment, Starting with the Security Team
    What would collaboration entail? Example: A new application is to be built. The enterprise architect can bring the security team into the picture during the design phase to evaluate access controls, secure architecture and deployment, and how such things as data encryption, digital certificates and other components could be built to optimize security and regulatory compliance for this effort and to apply to future efforts as part of a wider EA blueprint.
  • 19. "Most organizations' enterprise IT architects find that they are constantly battling with the information security groups rather than truly consulting with them." —CISO at regional healthcare provider.
    They translate IT security personnel's natural caution as meaning that the group default is to just say no.
  • 20. Step 3: Start with Easily Attainable Projects
    As this is probably the first time that groups ranging from security to development have collaborated from the start of a project, it's advisable that the initial project not be a major business initiative. An easy win, or a couple of easier wins, in the beginning will help teams to learn how to work together and get processes right, and build a foundation of credibility and trust.
  • 21. Step 3: Start with Easily Attainable Projects
    Consider small-in-scope projects, such as a focused departmental initiative. Examples include helping a team build security into the initial design of:
    - A mobile application for a select group of field workers.
    - A new database for emerging market customers.
    - A new e-commerce application dedicated to a particular segment of B-to-B clients.
  • 22. "Whenever trying to effect organizational change, it's always smart to start smaller, perfect those processes, and then apply them more broadly over time." — Pete Lindstrom, Research Director at the market research firm Spire Security.
  • 23. Step 4: Evaluate Risks During Planning & Design
    Enterprise architects should focus on ensuring that the group lets the security team do what it does best: find and evaluate risk. If it's a database front-end being deployed on tablets, as a simple example, have the security team do the vetting and report back to the enterprise architect and the team for remediation.
  • 24. Step 4: Evaluate Risks During Planning & Design
    To rank risks and develop ways to mitigate them, ask the following questions:
    - How might the deployment of new technologies potentially introduce vulnerabilities and compromise workloads?
    - How is the data being collected and/or accessed classified?
    - What job roles are permitted access?
    - What credentials will be used for authentication?
    - Has the application code had a security review?
    - What industry or government regulations come into play?
  • 25. Step 5: Build Security Processes Into Workflow
    - Over time, the practice of designing security into new initiatives will become part of the organizational fabric.
    - Security, operations and the enterprise architect's office will learn how to work effectively together.
    - Processes will be put into place that will improve the overall IT security of the organization.
    - Checkpoints will be put into place so that the risk posture of new initiatives can be evaluated as they move from design through production.
    - After a few successes and lessons learned, the processes and procedures put into place can be used throughout the organization on all new initiatives.
  • 26. In Conclusion:
    Security coordination driven from the enterprise architect will:
    - Help align security with business objectives.
    - Secure new initiatives more cost-effectively.
    - Develop successful security processes that can be replicated throughout the organization.
    - Lead to a decline in the risk of data breaches.
    - Lead to an increase in regulatory compliance.
  • 27. The End-State:
    "I firmly believe that having an enterprise architect who is a partner of the information security group (and vice versa) removes a number of barriers to the design and deployment of new solutions and allows them to be delivered quickly within policy guidelines and with acceptable levels of risk." —Enterprise architect, global engineering company