This course, Secure Systems Architecture, used one of a handful of models available for crafting a systems security architecture. Some alternatives include TOGAF, The Open Group Architecture Framework, and RMF, or Risk Management Framework. Other frameworks shared by the Enterprise Architecture Center of Excellence include the DODAF, ZODAF, and Zachman Framework (Enterprise Architecture Center of Excellence, n.d.). However, these alternative frameworks do not have as dedicated a focus on translating business drivers into a security architecture. Instead, they focus on risk, cybersecurity, architecture, etc., and though valuable in their own right, for these purposes they fail to address what I consider one of the modern failings of the cybersecurity profession: cramming cybersecurity tools down executives' throats. That failing is encompassed by many cybersecurity professionals' inability to consider business drivers and goals when looking at integrating cybersecurity into systems architecture.
Many times I've worked with technology professionals in one meeting and senior management in another, and the two parties fail to understand each other's motivations, goals, and needs. The technology group often has a solution they feel will meet the needs, but they don't consider business aspects such as risk appetite, or provide business leaders with the information and alternatives required to make well-informed decisions. The result of this miscommunication is that technical people feel business is too "cheap" and business leaders feel the cybersecurity and technology guys are overpriced and a cost center only. Working through this course, digging into the business drivers, motivations, and goals, and firmly entrenching these into the security architecture has allowed me to see an even better approach to providing the information our business leaders need, and the ability to convey what information is required from the technology personnel.
Properly utilized, technology personnel can pursue technology which enables business goals and opens up additional revenue possibilities, turning cybersecurity and information technology operations into a revenue generator rather than a cost center. I've pursued this approach to great success already and am slowly sharing knowledge with my organization and the companies with which I consult to enable business, lower risk to acceptable levels, and create systems which meet needs and exceed expectations. This is always a positive outcome for any interactions in business and governance.
References
- Enterprise Architecture Center of Excellence. (n.d.). Framework - Enterprise Architecture Center of Excellence. Retrieved June 29, 2019, from https://www.eacoe.org/ea-framework
- The Open Group. (2008). TOGAF Version 9. Van Haren Publishing, 1 Nov. 2008, p. 73.