2. Agenda
Strategy and Planning
Risk and Opportunity
Business Context and Requirements
Architectural Strategies
Internet of Things / Everything
Cloud
Bi-Modal
Digitisation / Disruptors
Bring Your Own Identity (BYOID)
Choose Your Own Device (CYOD)
4. Strategy and Planning
Does Enterprise Architecture Drive the Strategy?
Source: Enterprise Architecture as a Strategy
Source: TOGAF Capability Framework
Source: FEAF
Source: Gartner
5. Architecture Supports Strategy
Business View – Survival Strategy
Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion, or it will be killed.
Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle, or it will die of starvation.
When the sun comes up in Africa, it doesn't matter what shape you are: if you want to survive, what matters is that you'd better be running!
Is it better to be a Lion or a Gazelle?
6. Strategy and Planning
Security in Context?
The Business
Prevention Department
Security is Complex to Define
Security Does not exist in Isolation
'SECURE' has no intrinsic meaning
Too much emphasis on Technology
Silo Approach to Security
7. Strategy and Planning
Enterprise Security Architecture?
Layered Framework
Integrated System Approach
Security meets the Needs of Business
8. Strategy and Planning
Enterprise Security Architecture Framework?
Feature         | Advantages                   | Chairman / Board View
Business-Driven | Value-Assured                | Protects shareholder value
Risk Focused    | Prioritised and Proportional | Optimizes shareholder risk & aligns with risk appetite
Comprehensive   | Scalable Scope               | Addresses all shareholder concerns
Modular         | Agility                      | Enables flexibility to meet dynamic market & economic conditions
Open Source     | Free use, Standard           | Guarantees perpetuity of return on investment
Auditable       | Demonstrates Compliance      | Demonstrates compliance to regulators & external auditors
Transparent     | Two Way Traceability         | Supports market transparency & disclosure
9. Strategy and Planning
Enterprise Security Architecture Framework?
Feature         | Advantages                   | CEO View
Business-Driven | Value-Assured                | Protects corporate reputation
Risk Focused    | Prioritised and Proportional | Meets corporate governance requirements
Comprehensive   | Scalable Scope               | Meets enterprise-wide requirements
Modular         | Agility                      | Enables fast time to market with business solutions
Open Source     | Free use, Standard           | Provides assurance through industry standard
Auditable       | Demonstrates Compliance      | Ensures a smooth & successful external & regulatory audit process
Transparent     | Two Way Traceability         | Provides a clear view of expenditure and value returned
10. Strategy and Planning
Enterprise Security Architecture Framework?
Feature         | Advantages                   | CFO View
Business-Driven | Value-Assured                | Ensures efficient return on investment
Risk Focused    | Prioritised and Proportional | Improves predictability & consistency
Comprehensive   | Scalable Scope               | Supports scalable, granular budgeting
Modular         | Agility                      | Facilitates effective management of capital & operational costs
Open Source     | Free use, Standard           | Eliminates expensive & on-going license fees
Auditable       | Demonstrates Compliance      | Minimizes cost of management time dealing with audit processes
Transparent     | Two Way Traceability         | Enables full audit ability for effectiveness of expenditure
11. Strategy and Planning
Enterprise Security Architecture Framework?
Feature         | Advantages                   | COO View
Business-Driven | Value-Assured                | Focuses on performance management
Risk Focused    | Prioritised and Proportional | Enables process improvement
Comprehensive   | Scalable Scope               | Provides end-to-end process coverage
Modular         | Agility                      | Integrates legacy and future environments
Open Source     | Free use, Standard           | Simplifies recruitment and training
Auditable       | Demonstrates Compliance      | Minimises adverse effect of audit findings on performance targets
Transparent     | Two Way Traceability         | Measures efficiency & effectiveness of processes & resources
12. Strategy and Planning
Enterprise Security Architecture Framework?
Feature         | Advantages                   | CRO View
Business-Driven | Value-Assured                | Enables flexible fit with industry regulations
Risk Focused    | Prioritised and Proportional | Supports enterprise risk & opportunity management
Comprehensive   | Scalable Scope               | Enables a fully-integrated risk management strategy
Modular         | Agility                      | Enables incrementally increasing maturity
Open Source     | Free use, Standard           | Provides global acceptability for auditors & regulators
Auditable       | Demonstrates Compliance      | Ensures that compliance risk is effectively managed
Transparent     | Two Way Traceability         | Demonstrates current state and desired state of compliance levels
13. Strategy and Planning
Enterprise Security Architecture Framework?
Feature         | Advantages                   | CIO View
Business-Driven | Value-Assured                | Enables a digital information-age business
Risk Focused    | Prioritised and Proportional | Identifies information exploitation opportunities
Comprehensive   | Scalable Scope               | Sustains through-life information architecture
Modular         | Agility                      | Enables technology-neutral information management strategies
Open Source     | Free use, Standard           | Provides a future-proof framework for information management
Auditable       | Demonstrates Compliance      | Facilitates smooth & successful audits of systems & processes
Transparent     | Two Way Traceability         | Encourages fully integrated people-process-technology solutions
14. Strategy and Planning
Enterprise Security Architecture Framework?
Feature         | Advantages                   | CISO View
Business-Driven | Value-Assured                | Facilitates alignment of security strategy with business goals
Risk Focused    | Prioritised and Proportional | Facilitates prioritization of security and risk-control solutions
Comprehensive   | Scalable Scope               | Ensures all business security & control concerns are addressed
Modular         | Agility                      | Enables a project-focused approach to security development
Open Source     | Free use, Standard           | Provides a sustainable framework for security integration
Auditable       | Demonstrates Compliance      | Supports security, risk & opportunity review processes
Transparent     | Two Way Traceability         | Provides traceability of business-aligned security implementations
15. Strategy and Planning
Enterprise Security Architecture Framework?
Feature         | Advantages                   | CTO / Architect View
Business-Driven | Value-Assured                | Leverages the full power of information technology
Risk Focused    | Prioritised and Proportional | Manages information system risk
Comprehensive   | Scalable Scope               | Applies at any project size or level of complexity
Modular         | Agility                      | Provides a holistic and integrated architectural approach
Open Source     | Free use, Standard           | Avoids vendor-dependence and lock-in
Auditable       | Demonstrates Compliance      | Improves relationship and interactions with auditors & reviewers
Transparent     | Two Way Traceability         | Verifies justification and completeness of technical solutions
21. Risk and Opportunity
Regulatory Drivers for Operational Risk Management: BASEL II, SOX, Corporate Governance, PCI, HIPAA
ISO 31000 – Improved planning through provision of information for decision-making
Risk Management: Strategic, operational and business imperative
Risk Analysis Measures Risk Elements: Valuing assets, Identifying threats, Quantifying business impacts, Identifying vulnerabilities
Issues with Threat-driven Approach: Technical threats are not well understood by stakeholders
Impact-based Approach: Provides a good view of business criticality
Operational Risk – SABSA Approach: Business enablement is achieved through excellence in operational processes, people and technical systems
24. Business Context and Requirements
Business Driven Architecture
Business-Driven means never losing sight of the organisation's goals, objectives, success factors and targets, and ensuring that the security strategy demonstrably supports, enhances and protects these.
Contextual Architecture Layer: Full set of requirements, including conflicts in business strategy, risks & priorities
Conceptual Architecture Layer: Resolve these conflicts by delivering an appropriate, measurable security strategy
25. Business Context and Requirements
Business Driven Architecture
Each Organisation's Business Needs are Unique
Meaningful traceability is enabled by credible abstraction from business context (assets, goals & objectives) to a business security context.
26. Business Context and Requirements
Defining Business Attributes
An Attribute is a conceptual abstraction of a real business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture).
The Attributes Profiling technique enables any unique set of business requirements to be engineered as a standardised and re-usable set of specifications.
The Attributes are modeled into a normalised language that articulates requirements and measures performance in a way that is instinctive to all stakeholders.
27. Business Context and Requirements
Attributes Profiling Rules & Features
Attributes can be tangible or intangible.
Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation.
Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security.
Attributes must be validated (and preferably created) by senior management & the business stakeholders by report, interview or facilitated workshop.
The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase.
Powerful requirements engineering technique: populates the vital 'missing link' between business requirements and technology / process design.
32. Architectural Strategies
Define the Business Drivers for the Industry
Driver # | Business Drivers
BD1  | Protecting the reputation of the Organization, ensuring that it is perceived as competent in its sector
BD2  | Providing support to the claims made by the Organization about its competence to carry out its intended functions
BD3  | Protecting the trust that exists in business relationships and propagating that trust across remote electronic business communications links and distributed information systems
BD4  | Maintaining the confidence of other key parties in their relationships with the Organization
BD5  | Maintaining the operational capability of the Organization's systems
BD6  | Maintaining the continuity of service delivery, including the ability to meet the requirements of service level agreements where these exist
BD7  | Maintaining the accuracy of information
BD8  | Maintaining the ability to govern
BD9  | Preventing losses through financial fraud
BD33 | Ensuring that security services can be extended to all user locations, to all interface types and across all network types that will be used to support delivery
BD34 | Maximize the economic advantage of the Enterprise Security Architecture
BD35 | Security services to be supported through electronic communications, without the need for physical transfer of documents or storage media
BD36 | System security solutions should as far as possible comply with internal and external standards and best practices
BD37 | The Security Architecture should be independent of any specific vendor or product, and should be capable of supporting multiple products from multiple vendors
BD38 | The Security Architecture must remain compatible with new technical solutions as these evolve and become available, and with new business requirements as these emerge, with a minimum of redesign
BD39 | The Security Architecture must be able to be adapted to counter new threats and vulnerabilities as they are discovered
BD40 | Ensure that the required internal and external cultural shift is achieved to support the Security Architecture
BD41 | Ensuring accurate information is available when needed
BD42 | Minimise the risk of loss of key customer relationships
BD43 | Minimize the risk of excessive loading on insurance premiums due to negligence on the Organization's behalf or lack of due diligence
33. Architectural Strategies
Define the Business Attributes for the Industry
Business Attributes taxonomy: User Attributes, Management Attributes, Risk Management Attributes, Legal/Regulatory Attributes, Technical Strategy Attributes, Operational Attributes, Business Strategy Attributes
Business Attribute integrated with Measurements for the Industry
Business Attribute | Business Attribute Definition | Suggested Measurement Approach | Metric Type
User Attributes
Accessible | Information to which the user is entitled to gain access should be easily found and accessed by that user. | Search tree depth necessary to find the information | Soft
Accurate   | The information provided to users should be accurate within a range that has been pre-agreed upon as being applicable to the service being delivered. | Acceptance testing on key data to demonstrate compliance with design rules | Hard
Anonymous  | For certain specialized types of service, the anonymity of the user should be protected. | Rigorous proof of system functionality; Red team review | Hard; Soft
34. Architectural Strategies
Integrate the Business Drivers and Business Attributes for the Industry
Business Attribute integrated with Measurements for the Industry
Business Attribute | Business Driver | Business Attribute Definition | Measurement Approach | Metric | Performance Target
User Attributes
Accessible | 5 | Information to which the user is entitled to gain access should be easily found and accessed by that user. | Search tree depth necessary to find the information | Soft |
Accurate   | 7 | The information provided to users should be accurate within a range that has been pre-agreed upon as being applicable to the service being delivered. | Acceptance testing on key data to demonstrate compliance with design rules | Hard |
Anonymous  | 4 | For certain specialized types of service, the anonymity of the user should be protected. | Rigorous proof of system functionality; Red team review | Hard; Soft |
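The Attributes Profiling rules above (a named attribute, a definition, a measurement approach, a metric type and a performance target, each traced back to a business driver) and the integrated attribute/driver table can be checked mechanically. The following is an added illustration, not SABSA's own tooling and not code from the deck: it models the three user attributes on the slide with their driver links (5, 7, 4), abridges the driver texts BD1–BD9 from the driver table, and supplies a constructed performance target for Accurate (the deck leaves the Performance Target column blank). The functions walk the traceability in both directions and report the gaps a reviewer would look for before the Manage & Measure phase: drivers no attribute supports, attributes with no driver behind them, references to unknown drivers, and hard metrics that still lack a target.

```python
"""Attribute profile with two-way traceability checks (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Measurement:
    approach: str      # how the attribute is measured
    metric_type: str   # "Hard" (objectively testable) or "Soft" (judgement-based)


@dataclass(frozen=True)
class Attribute:
    name: str
    definition: str
    drivers: Tuple[str, ...]               # business driver ids this attribute traces to
    measurements: Tuple[Measurement, ...]
    target: Optional[str] = None           # performance target; None = not yet agreed


# Business drivers BD1-BD9, abridged from the deck's driver table.
DRIVERS = {
    "BD1": "Protecting the reputation of the organisation",
    "BD2": "Supporting claims about the organisation's competence",
    "BD3": "Protecting and propagating trust in business relationships",
    "BD4": "Maintaining the confidence of other key parties",
    "BD5": "Maintaining the operational capability of systems",
    "BD6": "Maintaining continuity of service delivery and SLAs",
    "BD7": "Maintaining the accuracy of information",
    "BD8": "Maintaining the ability to govern",
    "BD9": "Preventing losses through financial fraud",
}

# User attributes from the deck; the driver links (5, 7, 4) are as on the slide.
ATTRIBUTES = (
    Attribute(
        "Accessible",
        "Information to which the user is entitled should be easily found and accessed.",
        ("BD5",),
        (Measurement("Search tree depth necessary to find the information", "Soft"),),
    ),
    Attribute(
        "Accurate",
        "Information provided to users should be accurate within a pre-agreed range.",
        ("BD7",),
        (Measurement("Acceptance testing on key data against design rules", "Hard"),),
        target="100% of sampled key data records pass acceptance tests",  # constructed
    ),
    Attribute(
        "Anonymous",
        "For certain specialised services the anonymity of the user should be protected.",
        ("BD4",),
        (Measurement("Rigorous proof of system functionality", "Hard"),
         Measurement("Red team review", "Soft")),
    ),
)


def trace_forward(driver_id, attributes=ATTRIBUTES):
    """Driver -> attributes: which security requirements does this business driver justify?"""
    return [a.name for a in attributes if driver_id in a.drivers]


def trace_backward(attr_name, attributes=ATTRIBUTES):
    """Attribute -> drivers: which business drivers justify this security requirement?"""
    for a in attributes:
        if a.name == attr_name:
            return list(a.drivers)
    raise KeyError(f"unknown attribute: {attr_name}")


def traceability_gaps(drivers=DRIVERS, attributes=ATTRIBUTES):
    """Report the places where the profile cannot yet be traced end to end."""
    referenced = {d for a in attributes for d in a.drivers}
    return {
        # business drivers that no attribute supports (requirement not yet engineered)
        "unsupported_drivers": [d for d in drivers if d not in referenced],
        # attributes with no business driver behind them (self-justifying controls)
        "unanchored_attributes": [a.name for a in attributes if not a.drivers],
        # attribute rows pointing at driver ids that do not exist in the driver table
        "unknown_driver_refs": sorted(referenced - set(drivers)),
        # hard metrics with no agreed target cannot be reported on or put in an SLA
        "hard_without_target": [
            a.name for a in attributes
            if a.target is None and any(m.metric_type == "Hard" for m in a.measurements)
        ],
    }


if __name__ == "__main__":
    print("BD5 ->", trace_forward("BD5"))
    print("Anonymous ->", trace_backward("Anonymous"))
    for gap, items in traceability_gaps().items():
        print(f"{gap}: {items}")
```

On the deck's three sample rows the report shows six of the nine drivers (BD1, BD2, BD3, BD6, BD8, BD9) with no supporting attribute, and Anonymous as a hard metric with no target yet, which is exactly the "missing link" the profiling technique is meant to populate before targets are used for reporting and SLAs.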
42. Architectural Strategies
Bring Your Own Identity (BYOID)
Security Risk? or Business Advantage?
What is the Business Value?
Is it part of the Corporate Strategy?
Loss of Control vs Cost
All Enterprise Architectures refer to the Strategy and how it will be driving this Strategy within the organisation.
The Legacy of Security within the Organisation requires an ESA that can cater for different views from a CXO perspective.
The IoT comprises an ecosystem that includes things, communication, applications and data analysis
As IoT use grows, ensuring IoT device authentication is crucial. A lack of authentication standards for most IoT devices has led to highly customized authentication methods in the industry.
Data Sovereignty – Are you allowed to store your data outside of the country – what laws allow / deny this?
Data Protection – Data Privacy, Data Location, Data Management and Protection, Tenancy
Digital business is the creation of new business designs that not only connect people and businesses, but also connect people and businesses with things to drive revenue and efficiency. Digital business helps to eliminate barriers that now exist among industry segments, while creating new value chains and business opportunities that traditional businesses cannot offer.
Maintaining effective security starts with knowing what effect you need to achieve. This means you need to start by focusing on risk. Through risk assessment and risk management practices we can identify the critical outcomes for the enterprise and transform those outcomes into security tactics.
Identity and Access Management – accessing anything from anywhere