“I think the most important part of the architecture process is risk, informed by data. Nowadays, it’s all about the data. We’ve moved beyond building strategies to protect a given server, or service. In reality, what you really need are strategies to protect the data.”
– Steve Orrin, Federal CTO at Intel Corporation

(IT) Risk Management

Risk management is a key part of most (if not all) of the numerous security frameworks, regulatory requirements, security architectural frameworks, guidance, and other practical security advice you will come across. That is, it is understood to be of such importance that it is near-universally…


In this series, we’ve discussed what security architecture is conceptually, describing and providing an introduction to some of the standards and frameworks that are involved in effecting it in an organization. The last topic we will cover before getting into the “meat” of actually performing the architect’s work is the set of roles that intersect with that work, along with an overview of the architecture processes that we will describe in depth, and explain how to perform, throughout the rest of our book.

First, we’ll walk through adjacent roles that the architect will need to work…


The last framework that we will look at is the Open Security Architecture (OSA). OSA is a community-driven effort to develop a model for security architecture. By community-driven, we mean that it is a set of individual elements contributed by whoever has the willingness and acumen to do so, with subsequent peer review by others in the broader community. One way to think about this is along the lines of an open source software project. In an open source project, interested parties contribute to the development of the final work, such as a server (for example, Apache), tool (for example…


Continuing our deeper dive into security architectures, this week we’ll cover the Open Enterprise Security Architecture (O-ESA) from the Open Group.

One of the areas where many more formal security architecture models struggle is in the capacity to handle change within the organization. Recognizing that change in the technology ecosystem is a complicating factor and needs to be specifically accounted for in enterprise architecture efforts, the now-defunct Network Application Consortium (NAC) created a model for security architecture that specifically accounts for (in fact, presupposes and in some senses relies upon) the fact that change is both inevitable and a natural…


“The value proposition of security architecture is simple. If you have a security architecture and you’re able to understand how that architecture enables and supports achieving the objectives that you want, it gives you, as the owner of those objectives, confidence that you’re really going to get them. If you do it with a methodology like SABSA, where you have traceability and measuring your security capabilities versus the risk exposure, then you can show with confidence that you are likely to obtain the result.” — Andrew S. Townley, Chief Executive Officer Archistry Incorporated

In our last post we discussed the…


Now that we’ve established why cybersecurity architecture matters and what the key roles and responsibilities are, let’s spend some time talking about the process that architects use. It’s important to recognize that much of the process will be unique and adapted to the organization employing it. The goals of the security architect, what they’re responsible for, and the role that they play within a given organization can vary depending on a few different factors: the organization itself, the scope and focus of the architect’s role, and so on. …


Sometimes all it takes to move forward is a little shift in perspective. The term “build security in” is so well-worn that it can be easy to forget what it really means. But by shifting our view of the term, we can apply it in a new light. To do that, I’ll enlist the help of one of my favorite thinkers, Aldous Huxley, author of Eyeless in Gaza and Brave New World. …


“There is another value in architecture in that it adds speed to a release process. Just like writing testing software in code slows down the first few releases but speeds up all the rest of them, so too does architecture make the first design iteration maybe take a little longer — but all future design work that leverages it will go more smoothly and more quickly.”
– Adam Shostack, President, Shostack & Associates

In our last post, we took a deeper look into how network architects can secure the stack. …


Now that we’ve laid the groundwork for the baseline differences between application and network architecture, we can get a little deeper into what each kind of work entails. In this post, excerpted from our book, Practical Cybersecurity Architecture, we take a closer look at technical considerations for a network architect and how one can address security at all layers of the network stack. Security shouldn’t apply only to a subset of the network; it should apply at every level.

One of the most powerful conceptual tools in the IT world is the networking stack. Most technology…


Table Mountain, Cape Town

Welcome to “My Cyber Why”! — a glimpse into the life and work of experts from around the world who have dedicated themselves to protecting cyberspace.

There’s no shortage of scary headlines about the latest hacks and malware releases. But what doesn’t make the headlines are the inspiring stories of the people who work every day to make the cyber world a safer place. These are their stories and cybersecurity is their passion.
In each episode guests answer four questions:

Who are you?
What do you do in cyber?
Why do you do it?
How can people get involved or learn more?

Today’s guest is Nobukhosi Dlamini. Nobukhosi lives in Cape Town, South Africa and is blazing a new path for cybersecurity…

Diana Kelley, SecurityCurve

SecurityCurve is an independent IT research and consulting company founded by Diana Kelley and Ed Moyle. https://www.securitycurve.com
