Security architecture: how to

When building a house you would not consider starting the planning, and certainly not the build itself, without the guidance of an architect. Throughout this process you would use a number of experts such as plumbers, electricians and carpenters. If each individual expert was given a blank piece of paper to design and implement their aspect of the property, with no collaboration with the other specialists and no architectural blueprint, then it is likely the house would be difficult and costly to maintain, look unattractive and not be easy to live in. It is highly probable that the installation of each aspect would not be in step with the others, causing problems at a later stage when, for example, the plastering has been completed before the wiring is finished.

This analogy can be applied to security architecture, with many companies implementing different systems at different times with little consideration of how other experts will implement their ideas, often without realising they are doing it. This, like the house build, will impact the overarching effectiveness of the security strategy and will in turn impact employees, clients and the success of the company.

For both of the above, an understanding of the baseline requirements, how these may change in the future, and the overall framework is essential for a successful project. Over time, building regulations and practices have evolved to help the house-building process, and we see the same in the security domain, with industry standards being developed and shared to help overcome some of these challenges.

The approach I use when helping clients with their security architecture is outlined below.

I begin by understanding the business, gathering requirements and analysing risks. Defining current and target states leads to assessing the gaps between them and developing the roadmap that aims to close these gaps.

I prefer to start the security architecture development cycle from the top by defining the security strategy and outlining how the lower levels of the architecture support it, linking them to business objectives. This approach is adjusted to the specific needs of each engagement.

Gather, assess and analyse business requirements

  • Business Strategy, Drivers, Goals and Objectives
  • Critical Success Factors, Motivations and Risks
  • Business Processes and Functions
  • Business People and Organisations
  • Business Locations and Time Dependencies
  • Budgets, Technical Issues and Other Constraints

Define the business

  • Vision, Mission, Values
  • Business Goals and Objectives
  • Business Strategy

Analyse business risks

  • SWOT analysis
  • PESTLE analysis

Architecture development

  • Security strategy
  • Contextual Security Architecture
  • Conceptual Security Architecture
  • Security Services Design
  • Security Solution Design
  • Security Management Design

Gather, assess and analyse current state and define target state

  • Technology Infrastructure
  • Service and System Management
  • Security Policy and Practices
  • Management Processes

Perform gap assessment

  • Delta assessment between the as-is state and the desired target state
  • Highlight opportunities and areas for improvement (human factors, operations and technology)
  • Confirm the effectiveness of the current processes, the existing infrastructure framework and how well they meet policies/minimum security requirements

Implementation roadmap

  • Make recommendations that consider approaches to improve capability within people, process and technology
  • Highlight risks, with the first-priority items being structure, staffing, setup and funding
  • Document findings and recommendations, including any quick wins identified
  • Document the strategy and roadmap
