A Series of Articles on Security Architecture Practice in the Enterprise

I've been a Security Architect since 2000 and in IT since 1988, back before Ethernet and TCP/IP were the standards for computer communication. And over the years, I've seen all sorts of people call themselves Security Architects and organization have what they call a Security Architecture practice. The problem is that what the various organizations define as Security Architecture practices has varied and has been mis-aligned with what I would call "Risk Analysis".

So in 2018, I created a Reference Architecture Practice that allows a CISO or Chief Architect to have a view of what goes into creating an Architecture practice. It's important to understand that, like all solutions (and an Architecture practice, security or otherwise, is a solution to a problem) has 3 components:

1. People - Who are the roles, and what is the RACI associated with those roles?
2. Processes - Here's the big one for an Architecture practice. How do you do the various activities that a Security Architect does? And it's not just about the design phase.
3. Technology - when it comes to technology, we're not talking about the CyberSecurity technology that we are implementing. We're talking about the technology that the Architecture practice uses. For example, we all know Visio. That's a technology that an Architect uses. What else does a Security Architect use? The other aspect of Technology are deliverables. What are the deliverables that are provided from an Architecture practice? So Technology covers "things".
4. Governance - Please note I include a 4th pillar for solutions - Governance. I believe that all solutions also have a Governance component. Governance isn't a process. For example, a Policy is not a process. It's a mechanism that puts a stake in the ground that architecture works around. So what are the Governance mechanisms that are used in an Architecture practice?

Back in 2018, I interviewed 40 different CIOs and Chief Architects to understand what they were seeing with Architecture and what the issues were. What I heard were a number of issues, but the top 3 issues were:

• It's HARD to find good quality Architects
• It takes a VERY LONG TIME to get Architects on board
• Once onboard, the Architects weren't delivering the quality that was expected.

Basically, I was hearing that the industry was calling out for the emergence of an Architecture Firm. There aren't any. There are Recruiters that will body shop Contract Architects, but there wasn't an Architecture firm. The advantage of an Architecture Firm is that you get a 'Contract' Architect (I'll use the term Contract loosely) but you also get the standardized processes and templates as well as the support structures that an Architect needs. In short, you aren't just dependent on the person, but you get everything else that helps improve those 3 issues listed above.

For example, the fact that an Architect does deliver the quality that was expect may have just as much to do with the internal Architecture Practice as it has with the Architect. The fact that it takes so long to onboard an Architect deals with all the hunting for the Architect as well as the onboarding activities. But if the onboarding activities are already documents, the contacts are known, etc., then you can swap one Architect for another and your transition time is nothing.

When Covid allowed everyone to emerge from the isolation, my Architecture Firm took off. I gained a contract with SC Johnson for 4 people. I provided Alorica with 3 people. I won contracts with Manitoba Shared Health, SGI, Maximus, and others and, by August 2022, after 1.5 years, I was up to 10 people. And then the market collapsed.

Well, this last week, I've been hit with a deluge of work. I went from nothing 1 week ago to needing to staff up. But when I was talking with Architects for my new work, the issues that all CISOs, CIOs, and Chief Architects face when hiring Architects showed up. But I'm not worried about it because I have an Architecture Practice that surrounds those people with the support structure they need in order to deliver the needs my Clients need.

Oh, and I was asked to write another book! When it rains, it pours!

To that end, what I'm going to do is write a series of articles on the various components of an Architecture practice with the intent of helping Enterprises that are having trouble with their Contract Architects. I'd like them to understand how they can reinforce what they have in place with what I have seen working over the years and what works in my Firm. And, hopefully, by seeing these articles, maybe gain a little trust from organizations to make use of my people as their 'Contract' Architects rather than just out to the market.

Expect one or two articles a week for the next several months. Hopefully they will give you tangible mechanisms to integrate into your practice. And, if you'd like to have a conversation about how to do just that, let me know.

Hope this helps ...

-- Neil Rerup, ECSA International Ltd.