Wilfing - The Curse of Security Architecture

This week’s media has been full of claims from a YouGov survey that two-thirds of the UK’s Internet users waste a large amount of their time aimlessly chasing distractions, or “wilfing” (What was I looking for?). But let’s be honest. Wilfing is a much more widespread malaise that’s infected many areas of IT and security. In particular, it’s a curse on security architects. That’s because architecture should be no more than a means to an end, but unfortunately that end frequently gets lost in translation.

In today’s jargon-driven IT world, real business requirements, such as “what are the security requirements for this platform” are likely to be communicated as “we need a security architecture”. Such a demand can spawn a new project or job function with a momentum and direction all of its own. Inexperienced architects will search high and low for examples of real security architectures, only to find that any instances they uncover are incompatible, having been produced at different times, for different purposes, by different individuals, with different levels of experience. On the other hand, the experienced architect will dust off one that was created earlier. But sadly it’s unlikely to be fit for the new purpose.

Years can be spent pursuing the Holy Grail of the all-encompassing enterprise security architecture, only to find that – as John Zachman discovered many years before – you need a collection of different models. You can then spend further time categorizing, normalizing and connecting all of the individual sub-models. Along the way, enthusiastic architects will discover or develop architectural principles for enabling greater flexibility. And clever ones will introduce additional dimensions, such as time. The scope and sophistication of the target architecture will continue to grow, much as work expands to fill the time available. But eventually hard decisions will be taken and an operational version will be delivered.

Unfortunately, in practice nobody will quite know what to do with this architecture, except perhaps to cover that ugly stain on the wall or to pad out their PowerPoint presentation. It will progressively become outdated and ignored, until of course someone else comes along searching for an example of a real enterprise security architecture.