The CSA needs to be there to identify areas where things may go wrong. From the architecture, software coding, poor cryptographic selections, and more, the CSA needs to be the one who is asking the right questions.
Ben Tomhave, principal at Falcon's View Consulting, suggests that hiring a cyber security architect is a great starting point for SMBs, so long as the hiring organization provides them with the support and authority necessary to be effective. Most CSAs will need to balance the goal of designing and building the most secure environment possible against the costs and benefits, as well as helping to ensure that business, contractual and regulatory requirements are clearly understood and incorporated into all design decisions. A savvy CSA will help organizations optimize their security spend, limiting the number of tools and practices to those that maximize the desired risk management objectives without exposing the business to undue liability.
As for the cloud, a CSA is equally crucial. Cloud service providers have significant economic incentives to maintain levels of security that are often financially or politically unaffordable to other organizations. That gives a firm an incredible foundation to build on; but if they fail to design an architecture tuned for the cloud platform they will be deploying, the odds are high that they'll actually increase their security risk. Rich Mogull of Securosis notes that architecture is inarguably the most important factor when moving to the cloud.
He also notes that on the upside, as cloud providers continue to offer new features, firms can also take advantage of these for transformative security architectures. It's actually quite common to do things such as deploy throwaway servers with minimal network access and no SSH or other remote administrative access; leverage PaaS to wipe out common database exposures, and even use a cloud message queue and new deployment patterns to completely isolate sensitive application workers.
When it comes to the cloud, it's truly about the economics. The cloud provider wipes out the lower level, highly expensive security costs, which frees an organization to focus more on securing their applications. And that, for the most part, comes down to architecture.
Show me the architect
The Cisco annual security report states that modern threats are capable of infecting mass audiences silently and effectively, not discriminating by industry, business size, or country. That's the new reality every firm is dealing with. That means every firm, everywhere, needs a CSA.
Sign up for CIO Asia eNewsletters.