Who Owns Security Architecture After the Architect is Done?

So you’ve invested in security architecture and your architect is fast closing on the end of their tenure with you. What will happen next?

Let’s talk about who replaces a security architect, and who takes on accountability for the changes.

Think you’ve skipped a step? Learn the basics of security architecture here.

Replacing your security architect – who’s in charge now?

You, or your people.

Once an architect is done, they leave. Your business should not need to hire someone new to be your ‘permanent’ security architect. Their job is to show you the way, and it’s then up to you to walk that path. Much like regular architecture, the architect will not build or repair your house for you.

That said, you may have to hire new staff for other types of work related to this process, but we’ll cover that below.

The point of security architecture is to improve the business

Theoretically, once the process is complete your organization should be able to run the transformation roadmap by itself.

So, going back to our question: it’s more likely that, once the roadmap is established and you’ve begun the transformation process, you’ll assign a variety of process owners based on their business units.

Who will become my process owners?

Probably business unit heads or heads of department, or project managers – that kind of level in the business. You’re looking for individuals who have management as a part of their role, as well as technical expertise in their area.

You might also establish an overarching authority to:

  • Hold ultimate accountability for the transformation.
  • Provide leadership while establishing new services and, perhaps, business units.
  • Guide business units to ensure their improvements align with the overall organizational strategy.

This would likely be a CISO or similar high-level, technology-specific business leader.

So will I need to hire any new people to complete the transformation process?

Only rarely.

Security architects will generally look to utilize the skills already present within a business. After all, as we said, the goal is not to replace the security architect with a similar, permanent version, but to ensure that your existing business personnel (and processes) can run themselves moving forwards.

Any lack of a particular skill required for the business should be highlighted as a part of the gap analysis, and could create a career advancement/training opportunity for staff.

And if the gap analysis highlights a lack of expertise that can’t be trained in-house?

This is where you might look to hire externally, or find contractors to fill temporary gaps while in-house personnel upskill.

Again, these external hires would not replace the security architect’s role. They are individuals who come in to provide specific expertise in an area you lack, which the security architect highlighted as vital (i.e. a missing cybersecurity skill).

Learn more: “Could better security architecture help prevent a major hack?”

What is involved in handing security architecture from the architect to internal personnel?

Unless your business managers and directors are brand new to the company, chances are they will already have some experience with the architecture – they will have been heavily involved in its creation. So they’ll probably know about the organization’s needs, agreed business attributes and desired security controls. The handover process, therefore, will be light.

Learn more: “How to turn business drivers into business attributes”

Assuming someone is new, wasn’t involved, or needs a refresher, the handover process may involve workshops designed to go over what was learned, including:

  • The organization’s ‘as-is’ state.
  • The gaps found during the various analyses.
  • What you’re trying to achieve (based on the company’s business attributes, goals, mission).
  • Required new security controls.
  • Where these controls cross over with different jurisdictions relevant to the individual.

Will we need an architect again in future?

The point of modern security architecture is not to evolve once, wait for technology to move forwards, then do the whole thing again. The reality is it should set your business up to constantly evolve, constantly adapt, to be able to keep up – not fall behind.

Your business leaders, and CISO, must ensure this happens

During the architecture engagement, your business heads will have been learning about the process and the various steps involved. Ideally everyone who owns a part of the transformation, and especially the overarching authority (i.e. the CISO), should know what went into:

  • Analysing the current state of the business.
  • Identifying risks.
  • Prioritizing those risks.
  • Plotting out desired changes.
  • Realising those changes with action.

Your policies, processes and training should all be updated to reflect these new skills, so you don’t lose the expertise when someone leaves. Evolution must become the company’s culture.

What if we don’t achieve this level of adaptability?

Your business will be at risk of falling behind within just a few years (technology moves fast, and cybercriminals even faster). That’ll mean you may need to do this all again – a needless expense.

Here’s a great goal to keep in mind:

Rewrite your policies and processes to include regular reviews that replicate the security architecture process from start to finish. Build these analyses into the fabric of your company, and the roles of each of your key managers.

This way, every year, two years, whenever you feel it’s right for your industry, you can go through top to bottom again, collaborate between business units, and find new risks. Then you can check your attributes are still relevant, and plot out new improvements based on changing priorities.

So, you’re saying we’ll never need a security architect again?

In an ideal world, yes.

Of course, there may come such a significant change in your industry that it’s just too big for you to handle alone. COVID-19 is a great example. It was such a monumental up-ending of business norms that even with the best self-improvement processes, an organization could be easily forgiven for needing outside help.

In a situation like this, it may be pertinent to get a professional in again to check things over. Specifically, a security architect could in this situation focus more on updating the risk analysis and looking for new or hidden risks. Theoretically they shouldn’t need to completely reinvent your company – just add a few new elements, like a software patch instead of installing a whole new system.

Need help? We’re here for you

All of this is easy on paper, but it’s another thing entirely to get it done right.

If you need help getting your company to a point where it can self-analyze and self-improve, we have the expertise to help. For more information on security architecture, download our free webinar “Transforming business through security architecture”.

Or, contact us today for a free maturity consultation.
