In security, we have lots and lots of architects. From network to cloud, databases to API, and even code, architects are rife in every corner of the space. However, one role often seems conspicuously absent from the list: the CISO.
It seems CISOs, the general owners of security programs, are never considered architects. They may have been architects in the past, or they may even still be acting as architects for part of their organization, but the view of a CISO as an architect and designer of the security platform for an enterprise seems to be a bridge too far for some. This perspective needs to change.
The CISO must embrace a new role as a “Cyber Architect”—not just of security but of business resilience.
So, let’s talk about putting a bit more power behind the architect title and discuss this concept of the “Cyber Architect.”
Redefining the Cyber Architect’s Role
A quick search of the term “Cyber Architect” yields:
This result proves my point. A Cybersecurity or Cyber Security Architect is how the market currently looks at the role. But we know cybersecurity has crossed more boundaries now than just CISSPs, or firewalls, IDS/IPS, NAC, ISO and COBIT.
As recently proven by major system outages across the globe, cybersecurity has become rightfully entangled with most business systems and processes across an organization. So, is a CISO still just responsible for being the Chief Information and Security Officer? I don’t believe we can continue that fallacy after seeing the impacts of breaches, outages, and even legal action taken just this year.
This leads us back to the Cyber Architect. Remove “security” from the title and talk about cyber as the endemic component of business operations and health that it currently is, and as an architect let’s talk about what we need to move, change, or design in the new role.
From Security Practitioner to Business Strategist
A Cyber Architect needs to be able to communicate across the business (or enterprise) with different areas responsible for health and profitability. They must communicate effectively across the organization, engaging with leaders in production, logistics, finance, and more, remaining mindful of the company’s needs, strengths, and weaknesses, not just at a technical level but also at an operational level.
For example, while a public-facing website might be more susceptible to outside attacks, an internal order fulfillment system could be far more critical to the company’s profitability. A Cyber Architect is someone who understands this nuance and can articulate the value of securing different systems based on their impact on business continuity. The company can withstand a website defacement, or an online product catalog being down for a day to a week or so, because it is order fulfillment and delivery that keeps the company solvent, and that system can be run in a couple of different ways.
A cyber architect can understand, describe, and communicate the value of systems, and the need for system and business redundancy, to the organization, and most importantly the executives and board.
The CISO as a City Planner
To illustrate this new role, let’s use an analogy of an architect. Traditionally, an architect is a designer of a home or a building. They are responsible not only for the outside appearance of the building but also for key design elements internal to the building. Similarly, a CISO has historically focused on building a secure infrastructure for their organization. But today, that’s not enough.
We need to think bigger. We need to take the architect concept and, instead of focusing on an individual building, turn attention to multiple buildings, zoning, or city planning. A Cyber Architect is no longer solely responsible for a building but for an area, ensuring that traffic still flows even if a street is limited or a building is closed. In cybersecurity terms, this means the CISO must oversee a broad ecosystem of technologies and strategies, ensuring that the organization can continue to operate effectively even in the face of disruptions.
This shift requires a broader perspective and deeper engagement with business leaders. A Cyber Architect must understand not just technical vulnerabilities, but business dependencies, financial implications, and legal considerations. They must craft and communicate the story of cybersecurity in a way that resonates across the entire organization—from technical teams to the executive board.
Aligning Cybersecurity with Business Outcomes
Turning this back away from analogies, a Cyber Architect can craft the story of the importance of cybersecurity to the business and can inject the importance of not only protection but resilience across the business. Thinking, planning, and talking more widely around the business and in more business terms will help a CISO in their communication and effectiveness for the organization. Reviewing not only your enterprise’s annual report for designated “big bets” or long-term projects of importance, but also reports from companies in, or tangential to, your enterprise’s industry, helps craft security messages and value using the terms the board understands.
This is just one example of an area to gather vernacular to help expand understanding and influence. There are many other areas of communication or project planning that can be used to foster a more coordinated message and plan guided by the Cyber Architect for the improvement of the security posture and resilience of their organization.
Building a Stronger, More Resilient Organization
The importance is thinking and communicating not in terms of projects, but in terms of the outcome of a single project, or group of projects, for the business. The ability to reinforce or review the foundations of security within an enterprise becomes much easier when the language, or story, can be framed as construction or renovation: an addition that, if simply bolted on, could crack other structures, or overlap easements, property lines, etc.
An outcome that needs additional foundational support doesn’t mean a major change or blocker for the organization; it just means that the architect needs to be involved to communicate and collaborate with different stakeholders and areas to make a final recommendation and action plan. Such a cyber action plan can become a multiplier not just for the security and resilience of an organization against an outside attack, but also for redundancy and resilience against system failures or issues.
We will have more to say from different experts across our organization to discuss the Cyber Architect concept and how we see this as a positive change and view for the industry.