By John Linford, Security Portfolio Forum Director, The Open Group & Michelle Horrobin, Digital Portfolio Director, The Open Group
As has become evident in recent years and even months, modern organizations offer new products which are, more and more, dependent on digital components, and which need to be secure to avoid falling victim to increasingly sophisticated and increasingly frequent cyber attacks. On top of having organizational, internal reasons for improving their security posture, these organizations also must keep up with increasing scrutiny and compliance requirements from governments and regulatory agencies, as well as from customers and partners. Consequently, not only might a successful cyber attack leave an organization unable to operate, but it might also result in media backlash and in fines and judgements against the organization for breaches and violations.
However, in the United States alone, there are 33.2 million small businesses[1], which account for 99.9% of all U.S. firms. Many small or medium-sized businesses (SMBs) have small teams, or no teams at all, to create and manage their security postures. These organizations in particular will find value in security standards that allow more rapid development of processes, policies, and best practices. Security standards – and standards in general – provide a rigorous framework based on the experience of industry, and they serve as a baseline for developing an organization’s own practices or for understanding what is already in place.
Unfortunately, no such standard exists yet that provides a consistent, vendor-neutral blueprint for security architecture, showing how capabilities and data interact and guiding the creation and design of technical defenses. SMBs, many local and even state/provincial governments, schools and universities, hospitals, and utilities providers struggle to maintain sufficient expertise and resources to hold their current security position, let alone create new resources and oversee changes.
The lack of common documentation for discussion and debate means that conversations with industry peers, governmental authorities and regulators, as well as with vendors, are also much more difficult, as there is no common baseline against which to discuss changes or improvements to an in-place security architecture. Moreover, within an organization, this lack of a common security architecture baseline means it can be challenging to handle expansions to the organization and the introduction of a new vendor product or tool offering.
So what is the solution? Those involved with The Open Group Security Forum and The Open Group IT4IT™ Forum believe that it is a deliberate and concerted effort to develop a standardized Security Reference Architecture that provides an organization-neutral, generic solution pattern for security within an organization. This project team intends to design and implement a holistic security management blueprint/architecture for managing security, risk, and compliance in a digital enterprise.
The resulting Security Reference Architecture will be derived from an evaluation and assessment of the current security management landscape, with the team identifying gaps, defining the target architecture, and developing a high-level implementation roadmap. The final Standard will provide an understanding of how a security management and risk management system integrates with other IT management processes and systems (e.g., the DevOps toolchain).
This Security Reference Architecture will provide a baseline for conversations about current practices within an organization and about improvements measured against that baseline. It will also allow better positioning for vendor or provider discussions, giving an improved understanding of where a tool or offering would fit within the existing security architecture and of the interactions it requires.
Because the Security Reference Architecture is a Standard, organizations implementing it will benefit from reduced budget requirements compared with creating, implementing, and maintaining a unique security architecture. Moreover, these organizations will be able to improve the prioritization of the security program’s time and resources.
The primary audience for the Security Reference Architecture is two-fold. It is intended both for security architects tasked to create a security architecture for their organization, allowing them to understand what a standard security architecture should cover and contain, and for security architects who have inherited a security architecture, allowing them to compare it to a standard version to see if there are gaps or extraneous sections. Many others will also find value in this Standard, including CISOs, CIOs, CROs, Security Engineers, Auditors, Organizational Risk Management, Risk Practitioners, Developers, Legal Teams, and Managed Service Providers & Security Consultants. Moreover, the Security Reference Architecture will be applicable across all sizes of organizations, though SMBs, state and local governments, and educational institutions are likely to find the most value.
The Security Reference Architecture is being developed by a joint team from The Open Group Security Forum and The Open Group IT4IT Forum, with the project hosted formally by the Security Forum. The Project Team has already identified a high-level mapping of capabilities and sub-capabilities within the reference architecture. They have also produced an initial set of descriptions for these capabilities and sub-capabilities.
The Project is actively seeking additional participants to help develop and refine these ideas. All Silver and Academic Members of the Security Forum and the IT4IT Forum as well as all Gold and Platinum Members of The Open Group are entitled and welcome to participate.
If you or someone in your organization wishes to learn more about joining the project or determining your eligibility to participate, please contact The Open Group Security Forum Director John Linford at j.linford@opengroup.org.