Thursday, September 11, 2008
Are you an Enterprise Architect that buries your head in the sand when it comes to understanding security?
Gunnar Peterson, Brenda Michelson, Mike Kavis and others talk about risk and metrics, yet they haven't talked about the risk that notions such as IT governance themselves introduce when they produce a false sense of security. At some level, if architects aren't security literate, then an enterprise can only be secure by luck.
The challenge that OWASP and other security organizations can start noodling on is that there is no real definition of a minimum body of knowledge that an enterprise architect must have to be considered prepared for the job role. Consider that there are many highly competent enterprise architects in the blogosphere; the likes of Scott Mark, Todd Biske and James Tarbell come to mind. Likewise, there are lots of pretenders as well. Until a body of knowledge along with an appropriate certification exists, we will still have project managers, socializers and hand wavers pretending they are enterprise architects.
There are quite a few security-related certifications that are worthwhile, but most of them are targeted at full-time security professionals (e.g., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications) and they vary in how difficult they are to gain and maintain. I think there is a need for a "foundation level" certificate that covers security basics spanning the traditional body of knowledge domains but is targeted at IT architects. If you are in agreement, maybe you could contribute your two cents to the OWASP Certification Project.
It is not critical that Enterprise Architects be security experts, but they need to know where to plan for security and when to involve and collaborate with Security Architects and other security professionals, so that security is built into their designs and implementations rather than bolted on afterwards. Given that web-enabled enterprises are now commonplace, security knowledge about infrastructure, networking, application development, information assurance, regulatory requirements and privacy is required.