CISOs rely heavily on the security architect to assemble a security ecosystem that delivers operational efficiencies while ensuring their vast—and expanding—infrastructure is protected. Research that Fortinet conducted finds that security architects report to C-suite executives—predominantly the CISO—in over two-thirds of organizations. And while a minority of organizations remain without a dedicated security architecture role (configuring it as a shared responsibility for the CISO, CTO, et al.), the report finds doing so typically increases risk exposure. Indeed, the report finds that those organizations where the security architect role is a part-time/shared function are 70% more likely to have experienced six or more malicious intrusions.
But, as the role becomes more strategic and important, so does its level of difficulty and complexity. This is certainly supported by some of the findings we uncovered in a skills gap analysis of the security architect role (see report “CISOs Seek Security Architects Who Are More Strategic and Possess Soft Skills,” Understanding the Cybersecurity Skills Shortage: An Analysis of Employer and Jobseeker Skills and Demographics, Fortinet, July 23, 2019).
Organizations with dedicated, full-time security architects have a much lower risk of experiencing malicious intrusions than those that do not.
Following is a quick overview of the most prevalent challenges facing the security architect today:
As a starting point, fragmented security architectures have become the norm due to a rapidly expanding attack surface and threats that are immensely more difficult to protect against. In response to the expanding attack surface where new cloud applications and services, Internet-of-Things (IoT) devices, mobile devices, and access points proliferate, enterprises have implemented point security products to cover the security gaps. As new security gaps appear, enterprises insert another point security product to cover the hole. This results in architectural fragmentation, a serious problem for many organizations where an average of 75 different security products exist.
This fragmentation obscures visibility and creates silos that consume valuable time on the part of security and network operations teams. Misconfiguration and architectural silos can have wide-ranging ramifications and affect multiple aspects of security operations—from how threat intelligence is aggregated and used to how network access is managed for devices, applications, and users.
Figure 1. How security architects measure their success.
To address these issues, CISOs require security architects who can put the different pieces of the security infrastructure together into a coherent whole—an undertaking that is not easy. Enterprises require a security architecture that not only integrates all the different elements of today’s security infrastructure but also accommodates future requirements.
Rapid growth in Shadow IT and managed-business IT exacerbates the complexities for security leaders charged with protecting critical infrastructure and data. The latest “CIO Survey” by Harvey Nash/KPMG reveals that more than one-tenth of enterprise technology spend is outside of the IT department. And while a little more than one-third prohibit managed-business IT, that means nearly two-thirds admit they allow managed-business IT projects, with 11% revealing they actually encourage it.
So, what does this mean for the CISO, and more notably, the security architect? Managed-business IT requires a security architecture that covers the expansive attack surface—from the enterprise campus to the network edge. Having security elements that reside on their own islands and do not integrate with the whole can create serious risks. In the case of managed-business IT solutions, CISOs need security processes and architectures with a coverage model that is agile, enabling them to bring these into a consolidated security infrastructure framework.
Compliance requirements are another factor prompting organizations to reevaluate their security architectures. There are different types of compliance mandates facing the CISO—from government regulations such as the European Union’s General Data Protection Regulation (GDPR), to industry regulations such as the Payment Card Industry Data Security Standard (PCI-DSS), to security standards such as those from the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Each of these requires ongoing reporting and auditing to demonstrate compliance. These capabilities must be built into a security architecture, or the processes for doing so can become extremely onerous. And noncompliance is not a viable option: fines and penalties often reach into the millions of dollars, which can lead to bankruptcy for smaller organizations and serious financial impact even for those with the financial wherewithal to cover them.
The number of security alerts security teams typically receive on a daily basis is far beyond the number they can manage manually. Research shows that security teams can investigate only 4% of the alerts they receive. Many security operations teams are not even certain where to start. Manual log aggregation and reconciliation simply cannot handle the complexity and volume. This makes detection, prevention, and response reactive, which exposes organizations to heightened risk. Research published earlier this year by Scalar Security reveals that over half of security professionals admit their security response processes are manual. This elongates incident response times, which in turn increases the damage a successful intrusion can do.
Security architects are a critical linchpin when it comes to organizational success in managing risk and achieving optimal value from security investments.
What is most important in this regard is that the financial impact of an intrusion goes up the longer intrusions are left undiscovered. Without the right security architecture in place, organizations are hamstrung when it comes to quickly identifying intrusions as well as remediating them upon their identification. Herein, CISOs rely on the security architect to make sense of the disparate systems and create efficiencies. But without an integrated, cohesive architectural approach, this is a herculean task given the realities of most enterprise network infrastructures.
According to a recent Fortinet study, 84% of organizations have adopted some form of DevOps, with nearly one-third (30%) deploying DevOps principles enterprisewide. Agility and speed are top priorities for them. Unfortunately, at the same time, they introduce security vulnerabilities. For example, misconfigurations are a serious problem for DevOps—vulnerabilities that can be exploited by cyber criminals to gain access to critical data and systems.
When the above is coupled with the fact that 7 out of 10 organizations will move DevOps security underneath their CISO this year, it is not a huge surprise that security architects listed it more often as a top-three priority than any other security challenge. Extending visibility and centralizing policy management across disparate DevOps environments requires an integrated and even automated architectural approach; traditional security approaches will not work for DevOps environments.
According to the Fortinet report, over one-third (37%) of security architects cite DevOps security as one of their top-three success measurements for this year, which made it the foremost priority for the security architect this year.
Recognizing the importance of the security architect in protecting the enterprise and ensuring compliance, and seeking to set out strategic recommendations for security architects and their CISOs, Fortinet conducted a survey of security architects across various industries. In doing so, we pinpointed key challenges facing security architects today:
Bad actors are embracing new technologies such as artificial intelligence (AI), which enables them not only to increase the volume and velocity of their attacks but also to develop and deploy unknown/zero-day exploits. Unknown and zero-day attacks make up as much as 40% of all threat traffic and over three-quarters of successful attacks. The execution of these attacks—from exfiltration of data to manipulation and disruption of operations—happens in minutes versus days or weeks.
Traditional signature-based security approaches leave organizations at serious risk of unknown and zero-day exploits. Security architects are confident in their ability to protect against known threats, with 8 out of 10 believing that they have visibility and control. But unknown threats are keeping them up at night, with 58% indicating they are stretched when it comes to defending against attacks that employ unknown or zero-day exploits and 44% believing they are too reactive in risk management.
More than two-thirds of security architects (69%) report working with fragmented architectures, and 18% say their networks are built completely of point products and have zero integration. This disconnected architecture reduces the effectiveness of overall network security by creating information silos and blind spots. Staff resources are consumed by manual workflows and administration, which creates an opportunity for errors, increases risk, and leads to frequent security incidents that pull resources from strategic priorities as teams fall back on an all-hands-on-deck approach to problem-solving.
Figure 3. Architectural fragmentation due to point product solutions.
Given the high levels of fragmentation, it logically follows that difficulty in implementing all the various disparate security products is the number one issue security architects face (45%). Each of these requires different training and knowledge to configure and manage. This is especially challenging in a tight cybersecurity labor market where upwards of 3 million positions are unfilled on a given day. Putting aside the labor shortage, security leaders are discovering that infinite budgets do not exist. Thus, even if the right headcount exists, it is almost impossible to allocate adequate budget to cover the cost for labor and training. In response, CISOs want their security architects to design security architectures that orchestrate and automate as many workflows as possible. This helps minimize challenges that arise when implementing new solutions.
Hackers are more successful and effective than ever before, as evidenced by a 43% year-over-year increase in successful data exfiltration attacks. Prevention is also becoming more difficult as the sophistication of attacks takes on new levels through the use of Malware-as-a-Service (MaaS), artificial intelligence (AI), machine learning (ML), and other advanced technologies. Pre-intrusion detection and prevention is the top concern cited by 42% of security architects. But they cannot adequately address this concern manually or by using existing fragmented architectures.
When asked to rank the top effects of security complexity, cybersecurity risk management is by far the top concern. Nearly half of security architects (44%) indicate that complexity makes it more difficult to manage risk. Without access to immediate and accurate information, the security architect is unable to determine which issues should have the highest priority, implement remediation actions in real time, or fix configuration errors to manage and mitigate risk.
In addition to diving into the challenges facing security architects, the study also compared the practices of top-tier security architects (those with no intrusions over the past 12 months) with those in the bottom tier (organizations with more than six intrusions over the past 12 months). Commonalities among top-tier performers include transparency, measurement, executive visibility, and proactivity. Key takeaways include:
Leading security architects are comfortable in their ability to protect against known threats, yet they are very concerned about unknown exploits and zero-day threats. In response, top-tier security architects are 3x more likely to proactively focus their attention on undetected intrusions. This makes a lot of sense considering the findings that we discussed above.
Security and compliance are high on the list of priorities for CEOs and the boards of directors who not only demand results but also need to understand how their security investments affect the bottom line. Top-tier security architects measure and report cost reductions 3x more frequently than bottom-tier architects. One outcome of doing so is that security architects are 21% more likely to receive an increase in security budgets than bottom-tier peers.
Nearly one-quarter of top-tier security experts have purchased an end-to-end security system (22%), while an additional 22% have purchased some integrated solutions. Conversely, only 7% of bottom-tier security architects have an end-to-end system, and only 13% have some integrated solutions.
Top-tier security architects are 67% more likely to measure vulnerabilities found and blocked. They use this metric to understand the efficacy of their security strategies and are held responsible for designing and implementing a security architecture that enables the CISO to produce dashboards that demonstrate the value of the security investment and track risk. Conversely, this suggests that bottom-tier security architects likely lack the ability to identify vulnerabilities and track their remediation.
Figure 4. Security architects who report the fewest intrusions and breaches adhere to specific architectural principles.
The most successful security architects report to the CISO rather than other executives within the organization—33% more likely in the case of the Fortinet study. This reporting structure makes sense considering the CISO is charged with understanding their organization’s risk tolerance, designing a security architecture and implementing security tools that satisfy risk requirements, and measuring and reporting risk to executive management and boards of directors. When the security architect reports to someone else, it makes this charter immensely more difficult.
IoT devices are growing rapidly as organizations tap them for business intelligence and improved operational efficiencies. Yet, they also expand the attack surface and—with many being headless—present significant security risks. Putting the right security architecture in place is critical in order to ensure these devices are all known and, moreover, protected. Thus, it comes as no big surprise that top-tier security architects are 30% more likely to have IoT security on their list of priorities.
The role of the security architect has never been more important than it is today. A security architecture that extends across the entire attack surface, integrates all the different security elements, and automates security workflows and threat intelligence is a requisite for CISOs seeking to secure their users, devices, applications, and systems. Doing so enables CISOs to ensure digital innovation does not create vulnerabilities that cyber criminals can exploit. It also allows CISOs to get more out of overstretched network and security staff by transforming manual, time-consuming log pulls and threat-intelligence aggregation and reconciliation into automated, real-time processes that improve operational efficiencies while bolstering risk management.
The Fortinet report also pinpoints the ingredients needed for a security architect to succeed—namely, the six traits described above. One of the takeaways from the report’s findings is that security architects are much more than tactical technologists. This is corroborated in a separate skills-gap study conducted by Fortinet that found CISOs seek security architects who possess business acumen and the soft skills needed to work cross-functionally and to address business objectives in how the security architectural vision is modeled.