By Mike Paye, VP of Research and Development at Netwrix
Global spending on cybersecurity is on the rise as organisations face ever more sophisticated attacks on a daily basis and increase their budgets to stay safe. This trend extends to cloud security as well: a recent Netwrix survey found that 49 per cent of organisations reported that their cloud security budget had increased in 2022.
Prior to implementing any specific solutions or procedures, it is crucial to define the core security principles that form the enterprise information security architecture (EISA). To ensure the EISA reflects both current and future business needs, organisations must consider both their digital systems and their people, along with the roles and functions associated with each.
The core components of EISA
Before development starts, it is vital to recognise the key layers of an effective EISA. The first is the business context: the enterprise's information use cases and how that data affects the achievement of organisational goals. This conceptual layer captures the organisation's risk attributes and its overall enterprise profile.
Another key element is clear identification of the pathways between applications, procedures, information, and services. Knowing how these elements interact makes it possible to design an architecture that does not interfere with critical business processes. Lastly, a conclusion should be drawn on what is needed to reduce existing vulnerabilities and maintain the appropriate level of cybersecurity into the future, specifying the devices, software, processes, and additional components that are required.
How to develop an effective EISA
EISA development starts with examining the existing level of cybersecurity. Which security standards and processes is the organisation currently following, and what security gaps do they leave? Identifying these points makes it easier to analyse cybersecurity weaknesses later and determine how they can be resolved. After assessing the organisation's current security posture, the next step is to set new security goals that take business priorities into account. Both the technical and the strategic context help narrow down the areas of future focus.
Once the preliminary work is done, it is time to consult an established framework that can guide the organisation towards actual improvement of the foundational security layers such as data, identities, and infrastructure. The Open Group Architecture Framework (TOGAF), the Sherwood Applied Business Security Architecture (SABSA), the Federal Enterprise Architecture Framework (FEAF), the Zachman Framework, and COBIT 5 have proven to be trustworthy sources of current best practices, so there is no need to start from scratch.
Next comes determining how the EISA will be integrated into the existing IT environment and dividing the tasks between in-house teams and vendors' development teams. An assessment of internal resources, the available level of expertise, and the state of the market should inform this decision.
Finally, organisations must revise the security architecture regularly. To keep pace with the constantly evolving threat landscape, the EISA should be tested and reviewed on an ongoing basis rather than treated as a one-off deliverable.
Communication is the main challenge when developing an EISA
There is no one-size-fits-all approach to developing a successful EISA; however, there are several common challenges to look out for throughout the integration process.
Lack of understanding and communication across departments, teams, users, and stakeholders should be addressed early in the process. Communicating clearly across the organisation about why it is important to prioritise IT security best practices, along with the intended goals of the EISA, is essential to mitigating emerging risks and sustaining higher IT security standards.
Negative or failed past experiences can cause concern and hesitancy among stakeholders towards new initiatives, for example doubts about whether upcoming IT investments in new cybersecurity measures will prove effective. To counter this, it is important to manage expectations by providing information about the costs and return on investment (ROI) of any new data protection software.
However, ROI can be difficult to calculate accurately, and combined with other factors such as a lack of funding, this makes it hard to convince stakeholders who may already be sceptical. An effective EISA plan must therefore address these concerns directly, alongside its technical content, rather than leaving them to surface later.
The benefits of an effective EISA
A well-thought-out EISA development plan serves as an invaluable tool for planning new cybersecurity measures at all levels of the organisation. A thoroughly planned EISA also provides information, which might otherwise be unavailable, that is needed to make the best choices about managing the technology lifecycle and which solutions to use throughout the IT environment. Equally important, it is a critical tool for organisations that must comply with regulations enforced by current industry standards and legal requirements.
Enterprise security differs from the traditional understanding of cybersecurity, as organisations with complex infrastructures need effective management, regular assessments, and strong security policies in order to avoid major security incidents. Security architecture and enterprise strategy go hand in hand when it comes to improving business-wide privacy and cybersecurity effectiveness. Without a comprehensive and detailed EISA plan, the entire organisation, its digital infrastructure, and its business continuity are left in jeopardy from cyberattack.