Chapter 1: What is Cybersecurity Architecture?
Let's face it, cybersecurity can be a scary, stress-inducing proposition. And it's no wonder. Cybersecurity in modern business is high stakes. We've all seen headlines about data breaches, attacks, even accidental exposures impacting some of the largest companies (not to mention governments) in the world. The truth is, if you do security wrong, you open yourself up to attack. In fact, even if you do everything perfectly, circumstances can still put you at risk anyway. It's a challenging field – and it can be difficult to get right.
We want to be clear right from the start that this book is not about a new security architecture framework, a new set of competing architectural methods to what already exists, and it's not a reference book. These all already exist and provide plenty of value to those actively using them. In fact, we might argue that the single biggest limiting factor to the discipline itself is the fact that more people aren't actively using, or have detailed knowledge of, that excellent source material.
Therefore, rather than contributing to that problem by muddying the waters or adding competing foundational material, our intent is to demonstrate clearly how to do the work. Meaning our intent is that this book reads more like a playbook designed to build muscle memory.
Think about the difference between reading a book on ballistic physics versus working with a pitching coach. The physics book will almost certainly lead you to a deeper understanding of the mechanics, forces, and mathematics of a baseball in flight than you could ever possibly derive from working with a coach. Yet, even with the deepest understanding of the physics, you probably won't pitch a no-hitter for the Yankees. That is, you won't do so unless and until you also build the requisite muscle memory, put in the time to practice and hone your technique, and work with those who can help you improve. However, knowledge of the underlying physics can inform (to great effect) the value derived from working with a coach as those principles can help you hone your technique and realize even greater potential.
Our intention with this book, therefore, is to act as a sort of training guide for those looking to build the skills of cybersecurity architecture, either because they are in a new architectural role and they want to build the necessary practical skills, or because they're an existing practitioner who wants to improve. We do this by building on the theoretical models, drawing from them, and incorporating them to lay out specific, practical steps that can be followed by anyone willing to do the work. We are focusing here on one set of steps and techniques – those that have worked for us – and supplementing that with techniques that we've gathered from practitioners throughout the industry in architectural roles (either on a large or small scale).
Nor is this book a catalog of security controls. We have purposefully refrained from listing out in detail the hundreds – if not thousands – of possible controls, security techniques, technical countermeasures, and other specific technologies that you might choose to adopt as implementation strategies. Consider, by analogy, a primer on the techniques of cooking. Would such a book dedicate hundreds of pages to descriptions of every possible ingredient that the home cook or professional chef might encounter throughout their career? No. Such an exercise would make for boring reading (in fact, it would serve as a distraction from the book's utility), would rapidly become outdated, and would serve little purpose as that material is available through numerous other avenues. Instead, we've chosen to focus on the techniques and principles of architecture, leaving the detailed descriptions of specific technical strategies to the numerous standards and guidance that already exist.
Throughout the course of this book, we'll introduce you to a number of practitioners and provide their viewpoints, their philosophy, their advice about processes, where they've been successful, and where they've made mistakes. We've tried to assemble those who have different perspectives on the discipline of architecture: some from large companies, some from small, some heavily invested in formal architectural models and frameworks (in a few cases, those who've actually authored them), and those that espouse less formal processes. The one thing these professionals all have in common is they've all been successful as security architects.
As we do this, you may notice that some of the perspectives differ from each other – in some cases, their advice differs from our approach. This is to be expected. We hope that by presenting all the viewpoints to you, they will help you better synthesize and integrate the concepts, provide you with alternative approaches if the way we've done it isn't the way that's most comfortable, and provide a window into the many different strategies that you can use to achieve your security architecture goals.
So, to get the most value out of this book, we suggest that you follow along with us. You will still derive value from just reading the words and learning the concepts. However, we believe you will derive even more value if you seek to apply them – as they are presented to you so they are still fresh in your mind – to your job. If you've never done architecture before, try to develop and implement a plan, working side by side with us as you do so. If you're an existing practitioner, try these techniques as a supplement to your own.
Keeping in mind this philosophy, it's natural to be anxious to move directly into the practical steps of building a security architecture. Before we can get into the "nitty-gritty" though, there are a few things we need to level set. This first chapter is intended to cover these prerequisites. We believe that understanding the why of cybersecurity architecture (that is, why do it in the first place?) is perhaps the most valuable thing you can learn in this book or any other.
This first chapter then is almost entirely focused on two things. First, making sure you understand why cybersecurity architecture exists in the first place (that is, the value it provides, and how and why it helps organizations reach their security goals). Second, teeing up some of the background information necessary for us to leap right into Chapter 2, The Core of Solution Building. This chapter covers the following:
- Understanding the need for cybersecurity
- What is cybersecurity architecture?
- Architecture, security standards, and frameworks
- Architecture roles and processes