What Is Cybersecurity Architecture?

Let’s face it – cybersecurity can be a scary, stress-inducing proposition. And it’s no wonder. Cybersecurity in modern business is high stakes. We’ve all seen headlines about data breaches, attacks, and even accidental exposures impacting some of the largest companies (not to mention governments) in the world. The truth is, if you do security wrong, you open yourself up to being attacked by numerous potential adversaries, such as cybercriminals, hacktivists, nation-states, or any number of other parties. Even if you do everything perfectly, circumstances can still put you at risk anyway. It’s a challenging field – and it can be difficult to get it right.

We want to be clear right from the start that this book is not about a new security architecture framework or a new set of competing architectural methods to what already exists, and it’s not a reference book. These already exist and provide plenty of value to those actively using them. In fact, one might argue that the single biggest limiting factor to the discipline itself is the fact that more people aren’t actively using, or have detailed knowledge of, that excellent source material.

Therefore, rather than contributing to that problem by muddying the waters or adding competing foundational material, we intend to demonstrate clearly how to do the work, which means we intend this book to read more like a playbook designed to build muscle memory.

Think about the difference between reading a book on ballistic physics versus working with a pitching coach. The physics book will almost certainly lead you to a deeper understanding of the mechanics, forces, and mathematics of a baseball in flight than you could ever possibly derive from working with a coach. Yet, even with the deepest understanding of the physics, you probably won’t pitch a no-hitter for the Yankees. That is, you won’t do so unless and until you also build the requisite muscle memory, put in the time to practice and hone your technique, and work with those who can help you improve. However, knowledge of the underlying physics can inform (to great effect) the value derived from working with a coach as those principles can help you hone your technique and realize even greater potential.

Therefore, our intention with this book is for it to act as a sort of training guide for those looking to build their skills in the cybersecurity architecture discipline: either because they are in a new architectural role and want to build the necessary practical skills, or because they’re an existing practitioner who wants to improve. We will do this by building on the theoretical models, drawing from them, and incorporating them to lay out specific, practical steps that can be followed by anyone willing to do the work. We will focus on one set of steps and techniques – those that have worked for us – and supplement those with techniques that we’ve gathered from practitioners throughout the industry in architectural roles (either on a large or small scale).

Note that this book also isn’t a catalog of security controls. We have purposefully refrained from listing in detail the hundreds – if not thousands – of possible controls, security techniques, technical countermeasures, and other specific technologies that you might choose to adopt as implementation strategies. Consider, by analogy, a primer on the techniques of cooking. Would such a book dedicate hundreds of pages to descriptions of every possible ingredient that a home cook or professional chef might encounter throughout their career? No. Such an exercise would make for boring reading (in fact, it would serve as a distraction from the book’s utility), would rapidly become outdated, and would serve little purpose as that material is available through numerous other avenues. Instead, we’ve chosen to focus on the techniques and principles of architecture, leaving detailed descriptions of specific technical strategies to the numerous standards and guidance that already exist.

Throughout this book, we’ll introduce you to many practitioners and provide their viewpoints, their philosophy, their advice about processes, where they’ve been successful, and where they’ve made mistakes. We’ve tried to assemble those who have different perspectives on the discipline of architecture: some from large companies, some from small companies, some heavily invested in formal architectural models and frameworks (in a few cases, those who’ve authored them), and those that espouse less formal processes. The one thing these professionals all have in common is they’ve all been successful as security architects. Through interviews with these individuals, we’ve attempted to capture their viewpoints, the nuances of their techniques, and what they feel is most important. As we do this, you may notice that some of the perspectives differ from each other – in some cases, their advice differs from our approach. This is to be expected. We hope that by presenting all these viewpoints to you, they will help you better synthesize and integrate the concepts, provide you with alternative approaches if the way we’ve done things isn’t the way that’s most comfortable for you, and provide a window into the many different strategies that you can use to achieve your security architecture goals.

Important note

As this is the second edition of this book, note that the titles provided for those we’ve interviewed reflect their titles at the point in time when we conducted the interview (or interviews) with them.

These short, pointed anecdotes from security architects in the field are intended to provide real-life data and feedback: what worked, what didn’t, what the downstream impacts were as a result of a particular course of action, and so on. It won’t always be the case that your results will exactly mirror what happened in someone else’s experience (since contexts such as industry, organizational factors, regulatory environment, and numerous other elements can play a role), but seeing the cause and effect along with some description of the circumstances can still provide value.

So, to get the most value out of this book, we suggest that you follow along with us. You will still derive value from just reading the words and learning the concepts. However, we believe you will derive even more value if you seek to apply them – as they are presented to you and while they are still fresh in your mind – to your job. If you’ve never done architecture before, try to develop and implement a plan, working side by side with us as you do so. If you’re an existing practitioner, try these techniques as a supplement to your own.

Keeping in mind this philosophy, it’s natural to be anxious to move directly into the practical steps of building a security architecture. Before we can get into the nitty-gritty, though, there are a few things we need to level set. This first chapter is intended to cover these prerequisites. We believe that understanding the why of cybersecurity architecture (that is, why do it in the first place?) is perhaps the most valuable thing you can learn in this book or any other.

This first chapter is almost entirely focused on two things. The first is making sure you understand why cybersecurity architecture exists in the first place (that is, the value it provides, and how and why it helps organizations reach their security goals). The second is teeing up some of the background information necessary for us to leap right into Chapter 2, Architecture – The Core of Solution Building. This chapter covers the following topics:

• Understanding the need for cybersecurity
• What is cybersecurity architecture?
• Architecture, security standards, and frameworks
• Architecture roles and processes