We often hear news about critical and negative events in the life of a business.
In our society, tragic events and tales of failure are more appealing than successes and the news reflects that. How many people know the latest details about COVID-19 today and how many know about the ITER project and its tremendous stakes?
The world of cybersecurity is no different: we often hear about intrusions and data leaks but hear no news about organizations that excel at self-defense. In our opinion, self-defense is all about security by design: compliance, security risk assessment, and security in Architecture and System Design (A&SD). The purpose of A&SD is simple: technically design products and services that are resilient to malicious acts.
Who is involved?
Two professions are deeply involved in the development of an organization's self-defense:
- Security Architects are in charge of creating a comprehensive vision of security within a company, defining a defense-in-depth strategy and ensuring technical consistency in the security of products, services and the company itself.
- System Designers are in charge of designing and implementing the security functions of the products and services offered by a company, and of detailing security implementation, configuration and test plans.
In our view, these jobs are currently at the forefront of cybersecurity and of business projects, and we believe that organizations that rely on a "security by design" approach based on A&SD principles and risk analysis methods are those that excel the most.
Which risk analysis methods can be used?
The arrival of new, more formal risk analysis methods such as EBIOS RM, the understanding of cyber-attack mechanics as formalized in MITRE ATT&CK, and the variety of research projects on modeling security in systems engineering show an improved understanding of the Architecture and System Design domain as well as its increasing maturity.
We can see the first effects of this increasing maturity as CIOs put these professions at the center of their priorities and strategic business decisions. It is, after all, the deployment of adequate technical solutions to protect against malicious acts that keeps their companies out of the news.