Enterprise Security Architecture
Organisations are challenged in using a limited set of resources and budget to mitigate an evolving list of risks and threats. Building robust security architecture requires the ability to make informed, business-driven decisions on security investments to address the identified risks – a task easier said than done. So where do you start?
Cybersecurity is a fast-paced, complex and ever-changing industry. New advancements in technology, digitalisation initiatives, an evolving threat landscape, changing legislation, and a complex market of overlapping solutions are just some of the challenges in making new security investments. Adding to this is the inherent gap between technical and operational solutions and the business’ objectives themselves.
Organisations often find themselves following several frameworks and standards to identify deficiencies in their security program, and to help decide and prioritise which security measures to invest in. Unfortunately, this often ends with too many technical controls and no clear way of prioritising them.
A robust security architecture starts with sound, informed decisions that are agreed upon from both the business and overall IT organisation. To get there, it’s becoming increasingly important to establish a common ground and a common language to make these prioritisations, and prepare for future threats and risks that currently are not on their radar.
This is where the mnemonic Enterprise Security Architecture (mESA) can help.
mnemonic Enterprise Security Architecture (mESA)
Built on more than 20 years of experience, mnemonic has developed and refined an Enterprise Security Architecture framework that binds business goals to technical controls, available technology, threat scenarios, and established frameworks.
The framework consolidates industry frameworks, methodologies and best practices across enterprise risk management, threat intelligence, security architecture and operations to create a single framework that bridges the gap between a business’ goals and how you can protect them.
mESA identifies where your organisation has security capability gaps and ensures that your budgets are spent where they minimise the risks that actually threaten your business goals. The framework bases its recommendations on a thorough understanding of your threat landscape and your business requirements, whether those are needs like cost reduction, flexibility, scalability, operability or usability.
By describing the relationship between your current technical and operational solutions, mESA helps create the common ground and language to enable our customers to make sound security investment decisions that are right for their unique organisation.
With guidance from mnemonic’s experts, customers can better prepare for technological advancements, changing legislation and the evolving threat landscape. Harnessing this knowledge, and together with years of experience working in complex environments, we help our clients design and apply security architecture initiatives to support their business goals.
The figure below details the core concepts we base the mnemonic Enterprise Security Architecture (mESA) framework on.
The figure illustrates a fundamental principle adopted from SABSA; two-way traceability:
- Traceability for completeness to the left: The top-down traceability allows every business requirement to be traced down to the technical controls, and ensures completeness in the Enterprise Security Architecture.
- Traceability for justification to the right: The bottom-up traceability, on the other hand, allows every single technical control to be traced back to the business requirements it supports, and ensures business justification for each technical control the organisation invests in.
This traceability makes it possible to identify gaps and risks in the Enterprise Security Architecture, and it provides a way of identifying elements that do not support the business requirements and therefore might be unnecessary. This way, the framework connects the business aspects and the technical elements, and helps us to optimise security investments.
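The two-way traceability above can be checked mechanically once the architecture is recorded as data. The following is an added, constructed example (not mnemonic's code and not part of the mESA framework) that models three layers assumed for illustration: business goals, the threat scenarios that endanger them, and the technical controls that mitigate those scenarios. Tracing top-down reports goals with no protecting control (completeness), tracing bottom-up reports controls that support no goal (justification), and a residual-exposure view shows goals whose threats are only partly covered. All goal, threat and control identifiers and descriptions are sample values constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ArchitectureModel:
    """Three layers of the traceability chain and the links between them."""
    goals: dict[str, str]                 # goal id -> description
    threats: dict[str, str]               # threat scenario id -> description
    controls: dict[str, str]              # technical control id -> description
    goal_threats: dict[str, set[str]]     # goal id -> threats that endanger it
    control_threats: dict[str, set[str]]  # control id -> threats it mitigates

    def validate(self) -> set[str]:
        """Return ids used in links but never defined (dangling references)."""
        dangling: set[str] = set()
        for goal, threats in self.goal_threats.items():
            if goal not in self.goals:
                dangling.add(goal)
            dangling |= threats - self.threats.keys()
        for control, threats in self.control_threats.items():
            if control not in self.controls:
                dangling.add(control)
            dangling |= threats - self.threats.keys()
        return dangling

    def controls_for_goal(self, goal: str) -> set[str]:
        """Top-down: every control that mitigates a threat to this goal."""
        threats = self.goal_threats.get(goal, set())
        return {c for c, ts in self.control_threats.items() if ts & threats}

    def goals_for_control(self, control: str) -> set[str]:
        """Bottom-up: every goal protected by this control."""
        threats = self.control_threats.get(control, set())
        return {g for g, ts in self.goal_threats.items() if ts & threats}

    def uncovered_goals(self) -> set[str]:
        """Traceability for completeness: goals no control traces down to."""
        return {g for g in self.goals if not self.controls_for_goal(g)}

    def unjustified_controls(self) -> set[str]:
        """Traceability for justification: controls no goal traces back from."""
        return {c for c in self.controls if not self.goals_for_control(c)}

    def unmitigated_threats(self) -> set[str]:
        """Threat scenarios that no control claims to mitigate."""
        mitigated = set().union(*self.control_threats.values())
        return set(self.threats) - mitigated

    def residual_exposure(self) -> dict[str, set[str]]:
        """Goals that are covered, but only partly: their unmitigated threats."""
        unmitigated = self.unmitigated_threats()
        exposure = {g: ts & unmitigated for g, ts in self.goal_threats.items()}
        return {g: ts for g, ts in exposure.items() if ts}


# Constructed sample architecture (illustrative values only).
SAMPLE = ArchitectureModel(
    goals={
        "G1": "Keep the customer portal available",
        "G2": "Protect customer personal data",
        "G3": "Retain payment-card processing capability",
    },
    threats={
        "T1": "Volumetric DDoS against the portal",
        "T2": "Credential theft via phishing",
        "T3": "Database exfiltration",
        "T4": "Ransomware on file servers",
        "T5": "Misuse of administrative access",
    },
    controls={
        "C1": "DDoS scrubbing service",
        "C2": "MFA on all user logins",
        "C3": "Database activity monitoring",
        "C4": "Web content filtering",     # never linked to a threat
        "C5": "Offline backups",           # mitigates T4, which no goal names
    },
    goal_threats={"G1": {"T1"}, "G2": {"T2", "T3", "T5"}, "G3": set()},
    control_threats={"C1": {"T1"}, "C2": {"T2"}, "C3": {"T3"},
                     "C4": set(), "C5": {"T4"}},
)


def report(model: ArchitectureModel = SAMPLE) -> dict:
    """Run every trace and return the findings as plain data."""
    return {
        "dangling": model.validate(),
        "uncovered_goals": model.uncovered_goals(),
        "unjustified_controls": model.unjustified_controls(),
        "unmitigated_threats": model.unmitigated_threats(),
        "residual_exposure": model.residual_exposure(),
    }


if __name__ == "__main__":
    for finding, value in report().items():
        print(f"{finding}: {value or 'none'}")
```

In the sample, G3 surfaces as a completeness gap because no threat scenario has been analysed for it, so nothing can trace down to a control; C4 and C5 surface as justification gaps, C4 because it mitigates nothing in the model and C5 because the threat it mitigates is not tied to any business goal; and G2 remains partly exposed through T5. Each finding maps to a decision the framework text asks for: analyse the goal, retire or re-justify the control, or invest in a control for the open threat.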
Want to learn more about how the model works in practice? You can read more about our approach in our article Enterprise Security Architecture: Optimise your security investments in our Security Report 2021.