Over the years, as a security consultant, auditor, or security assessor, I have assessed or helped more than 50 unique businesses spanning Europe, East Africa, and New Zealand. I can certainly say that at least 80% of these organisations do not have a documented business security architecture!!!
You may ask: what is a business security architecture? What does it look like? Is an Information Security Policy not a business security architecture? What about the Cyber Security Strategy? By simple definition, according to the Oxford Learner's Dictionaries (https://www.oxfordlearnersdictionaries.com/definition/english/architecture), architecture can be defined as follows:
- The art or practice of designing and constructing buildings.
- The complex or carefully designed structure of something.
- (computing) The design and structure of a computer system.
- ISO/IEC 42010:2007 defines “architecture” as: “The fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution.”
- In TOGAF, “architecture” has two meanings depending upon the context:
  - A formal description of a system, or a detailed plan of the system at component level to guide its implementation.
  - The structure of components, their inter-relationships, and the principles and guidelines governing their design and evolution over time.
- According to SABSA, business security architecture is …
In my view, putting all these definitions in context, an organisation needs a security architecture so that it has a solid foundation of security that is aligned with business objectives, and the capability to piece together the different components of its security programs, such as policies, technologies and other security controls. It has to be noted that you cannot build a house on a shaky foundation of beach sand, as this will lead to an unstable house that is likely to crumble to pieces sometime in the future. The same stance should be adopted when building security programs: base them on a well-designed business security architecture.
From a security point of view, having a well-designed and documented security architecture will, in future, help to alleviate problems such as having to add on security solutions just for the sake of having a shiny appliance, without realising what protection it actually provides for the business.
Whilst by default most organisations don’t have a documented business security architecture, I would say it is not too late to start now. You will find that you are already doing about 50% to 70% of what is required, so why not finish piecing the pieces together to make that 100%? And don’t forget to document it.