Skip to main content

Non-IT and Security Engineering Principles

April 15, 2014

I always look for interesting parallels between things we have learned or practiced in other industries and how they can be applied to the security discipline. Recreating the wheel is not always needed; sometimes we just need to know how the wheel was modified for other uses and if those modifications work for us too.

A few weeks back, while at the airport waiting for my flight, I stopped in a book store and picked up 101 Things I Learned in Architecture School by Matthew Frederick. While thumbing through it I was surprised at the number of non-IT engineering/architecture principles I came across that many of us in software and systems engineering use every day. I purchased the book and read on, and was able to draw seven interesting parallels between the principles that could be applied to both industries.

Principle #1: Buildings must be designed to withstand stress from earthquakes or other events.* An interesting concept not used enough in IT security architecture is designing for failure. This is illustrated in the defense in depth principle, where multiple security controls are layered throughout a system, making it more difficult for an adversary to complete a successful attack. The layers act as a back-up if a single control fails or a vulnerability is exploited.

This concept is applicable to any of the three elements of a successful security strategy: people, process and technology. As an example focused on the “people” element, say an incident response team is comprised of three individuals, all good consultants, with two working a case at any given time. What if on a certain day one person is sick (people fail too), how will the loss affect the team’s ability to respond to other incidents? Maybe there is a junior-level consultant interested in security monitoring and IR, who can work as an emergency backfill; maybe you use your MSSP to handle the incident more in-depth; you must be prepared for the failure.

Principle #2: Our experience of an architectural space is strongly influenced by how we arrive in it.* This holds true in security engineering. Many of us in security arrived at our careers from other paths. I came from a computer networking background in a very large enterprise which shaped my current thought process; enterprise controls and scales are something I think about in every architecture review I put forward. Others may have come from software engineering backgrounds with a developer mindset; they may focus only on the application and take the infrastructure for granted. To build a well-rounded team, a manager should hire resources that come from different backgrounds so the group is able leverage their perspectives and have a complete view security.

Principle #3: Engineers tend to be concerned with physical things in and of themselves. Architects are more directly concerned with the human interface than with physical things.* In security many engineers will focus on certain components of security. Some may focus on the OS, some on the application, and others on the incident response. As an architect we must think about all things. We must think about the way the solution will be used and how all aspects of security should be aligned to complete the user’s or application’s objective while maintaining all disciplines of security.

Stay tuned for my next blog post for information on the remaining four principles and how they apply to security engineering.

* Source: 101 Things I Learned in Architecture School, Matthew Frederick

    James Robinson

By: James Robinson

Vice President, Third-Party Risk Management

See More

Related Blogs

March 16, 2017

OCC Updated Guidance on Third-Party Risk

Recently, the Office of the Comptroller of the Currency (OCC), released updated guidance for bank examiners as they scrutinize third-party risk progra...

See Details

May 04, 2016

The First Two Steps – Operationalizing Enterprise Threat Intelligence, Really

Threat intelligence, about three years after it became the talk of RSA Conference, is still a hot topic for the enterprise. Rightfully so, as it’s a p...

See Details

August 17, 2015

What Makes Organizations Resilient and Why You Should Care

Information systems are inherently fragile. Operating systems and applications are very complex machinery, and considering how many changes (such as s...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

November 12, 2014

Empowering the CISO

A security-focused business culture can empower the CISO to effectively perform their job, and allow them to become a respected member of the “C” leve...

See Details

September 12, 2014

A CISO Needs a Plan

I had the opportunity to talk with Tim Wilson on Dark Reading Radio recently. The topic we discussed is one that cannot be overemphasized these days g...

See Details

May 25, 2017

Having an Identity Crisis? CISO’s Need to Own IAM

Within any company, we can find owners for every key function throughout the enterprise. If we ask, “who is in charge of human resources?” we know the...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.