When do you need a Security Architect?
In the expanding tech world of today, a security architect is often overlooked or seen as a luxury. You can certainly begin a technical project without a security architect. However, the next question you ask yourself should be:
“Do I really want to risk the business?”
A security architect’s main role is to ensure the security of design and development from the beginning of the project. Too often security architects are brought in at the end stages, after a project has been planned and funded, only to have project managers find that the design and development have missed crucial security controls and are now exposed to threats and vulnerabilities. Making this discovery so late in a project causes many setbacks, both in time and in cost. Engaging a security architect in the beginning phases of design and development ensures that the project is securely implemented and that threats and vulnerabilities are discovered and mitigated at the proper time.
The need for a security architect is often overlooked; many organizations feel it is not needed or consider it a luxury. It is more beneficial for your organization to work with a security architect at the beginning of your project to ensure all measures are taken to keep your project secure. In a recent scenario we encountered, it was discovered that engineers and a project manager had been engaged in a 3-month technical project without the knowledge or participation of a security architect. While things were running as smoothly as possible, the time came for implementation, and our security architect team was called in for a security review and approval. We determined that a crucial step had been missed at the beginning, and there was concern about a potential breach had this project been fully implemented. Due to this vulnerability, the team requested that the whole design and development start over from the beginning in order to determine where and how to mitigate the vulnerability. Once the vulnerability was detected and mitigated, engineering and program management were able to move forward with the project, with the approval of the security architect team.
The determined risk in this scenario was that the project missed a crucial deadline; there were also financial implications, and a high-level team was brought back to the beginning of the project to revise all work that had previously been performed.
As Security Architects, it is our responsibility to intervene whenever necessary and possible in order to avoid a situation such as this, which can put an organization at risk.