WEBVTT

1
00:00:00.160 --> 00:00:02.560
<v Speaker 1>Welcome to the deep dive, where we extract the most

2
00:00:02.600 --> 00:00:05.919
<v Speaker 1>important nuggets of knowledge and insight from our sources just

3
00:00:06.000 --> 00:00:09.880
<v Speaker 1>for you. Now, when you hear security in a business context,

4
00:00:10.000 --> 00:00:13.199
<v Speaker 1>what's the immediate reaction? For many, it's a technical headache,

5
00:00:13.240 --> 00:00:15.080
<v Speaker 1>maybe a line item that just adds to the cost,

6
00:00:15.640 --> 00:00:18.480
<v Speaker 1>or perhaps a necessary evil that feels like it's constantly

7
00:00:18.480 --> 00:00:20.239
<v Speaker 1>slowing things down. Does that sound familiar?

8
00:00:20.359 --> 00:00:24.480
<v Speaker 2>Oh, definitely. It's a very common, almost ingrained perception in

9
00:00:24.519 --> 00:00:25.600
<v Speaker 2>a lot of organizations.

10
00:00:25.679 --> 00:00:29.320
<v Speaker 1>But what if that perception is, well, fundamentally limited? What

11
00:00:29.399 --> 00:00:32.479
<v Speaker 1>if security isn't just a blocker, but actually a powerful

12
00:00:32.560 --> 00:00:35.960
<v Speaker 1>enabler for your business, helping you achieve those ambitious goals,

13
00:00:36.479 --> 00:00:40.240
<v Speaker 1>maybe even your wildest dreams. Today we're taking a deep

14
00:00:40.280 --> 00:00:45.200
<v Speaker 1>dive into enterprise security architecture, or ESA. Our source material

15
00:00:45.240 --> 00:00:49.359
<v Speaker 1>is a really comprehensive guide to building business driven security architectures,

16
00:00:49.759 --> 00:00:53.439
<v Speaker 1>and our mission is to cut through the technical complexity

17
00:00:53.439 --> 00:00:56.359
<v Speaker 1>and equip you with a clear, engaging understanding of ESA.

18
00:00:56.920 --> 00:00:59.399
<v Speaker 1>We want to reveal its critical business value and show

19
00:00:59.439 --> 00:01:02.479
<v Speaker 1>how a holistic model can prevent those costly failures and

20
00:01:02.560 --> 00:01:04.280
<v Speaker 1>really enable strategic growth.

21
00:01:04.439 --> 00:01:07.000
<v Speaker 2>Yeah, and what's truly foundational here, I think, is how

22
00:01:07.040 --> 00:01:10.280
<v Speaker 2>the very concept of enterprise has evolved. Our guide explains

23
00:01:10.280 --> 00:01:14.239
<v Speaker 2>it beautifully. It defines enterprise as treating an organization not

24
00:01:14.400 --> 00:01:17.480
<v Speaker 2>just as a collection of separate departments, but as a

25
00:01:17.599 --> 00:01:20.879
<v Speaker 2>single entity. This idea, it came out of management theory

26
00:01:21.000 --> 00:01:24.519
<v Speaker 2>decades ago, right, aiming for coherent optimization across the board,

27
00:01:24.599 --> 00:01:28.840
<v Speaker 2>moving away from those isolated silos. And historically security often

28
00:01:28.879 --> 00:01:30.920
<v Speaker 2>grew up in its own silo, kind of separate from

29
00:01:31.200 --> 00:01:35.480
<v Speaker 2>core business process work or even IT systems engineering. But well,

30
00:01:35.519 --> 00:01:38.959
<v Speaker 2>with the pervasive reach of the Internet and the explosive

31
00:01:38.959 --> 00:01:43.400
<v Speaker 2>growth in computing power, those isolated approaches have been dramatically exposed.

32
00:01:43.439 --> 00:01:47.159
<v Speaker 2>They create vulnerabilities, failures that impact the entire business. So

33
00:01:47.200 --> 00:01:49.120
<v Speaker 2>this deep dive isn't just about what the ESA is.

34
00:01:49.159 --> 00:01:52.560
<v Speaker 2>It's really about why it's absolutely critical for business success

35
00:01:52.640 --> 00:01:54.400
<v Speaker 2>today in this interconnected world.

36
00:01:54.560 --> 00:01:57.480
<v Speaker 1>That makes perfect sense totally, And here's where it gets

37
00:01:57.560 --> 00:02:00.959
<v Speaker 1>really interesting for anyone who's ever grappled with security issues,

38
00:02:01.799 --> 00:02:05.560
<v Speaker 1>the stark reality of what happens when you don't take

39
00:02:05.640 --> 00:02:09.800
<v Speaker 1>that enterprise wide architectural view. Our source points out that

40
00:02:09.840 --> 00:02:13.159
<v Speaker 1>for many, just thinking about enterprise wide security feels like

41
00:02:13.199 --> 00:02:15.000
<v Speaker 1>a huge daunting task.

42
00:02:15.199 --> 00:02:16.479
<v Speaker 2>It really can seem that way.

43
00:02:16.560 --> 00:02:20.120
<v Speaker 1>And the core reason why these architectures sometimes fail, why

44
00:02:20.159 --> 00:02:23.280
<v Speaker 1>they don't deliver real benefit, It's often because they're built

45
00:02:23.319 --> 00:02:27.199
<v Speaker 1>in an ad hoc manner, maybe bolted onto legacy processes

46
00:02:27.199 --> 00:02:30.680
<v Speaker 1>and systems, which of course leads to a complete lack.

47
00:02:30.520 --> 00:02:32.840
<v Speaker 2>Of coherence. Exactly, no joined up thinking.

48
00:02:32.960 --> 00:02:35.439
<v Speaker 1>Let's make this tangible. We've got a few striking examples

49
00:02:35.439 --> 00:02:39.039
<v Speaker 1>from the guide. Okay, picture this a retail bank online service.

50
00:02:39.479 --> 00:02:42.919
<v Speaker 1>A user accidentally mistypes the URL, oh dear, and suddenly

51
00:02:42.960 --> 00:02:45.719
<v Speaker 1>they can access account details and credit card details of

52
00:02:45.759 --> 00:02:48.479
<v Speaker 1>all of the customers, about twenty five hundred people.

53
00:02:48.719 --> 00:02:50.560
<v Speaker 2>Wow, that's bad.

54
00:02:50.639 --> 00:02:54.000
<v Speaker 1>And when the bank was informed, what did they do initially? Nothing.

55
00:02:54.120 --> 00:02:55.479
<v Speaker 2>Nothing? Seriously? Yep.

56
00:02:56.280 --> 00:03:00.000
<v Speaker 1>Our source notes public relations management is just as important

57
00:03:00.159 --> 00:03:04.439
<v Speaker 1>as technical expertise and the protection of reputation. This incident

58
00:03:04.639 --> 00:03:08.680
<v Speaker 1>was likely managed from a very technical perspective, probably with

59
00:03:08.960 --> 00:03:13.280
<v Speaker 1>little or no input from people with any real business acumen.

60
00:03:13.120 --> 00:03:16.800
<v Speaker 2>Which led to a massive public relations nightmare, I imagine,

61
00:03:17.240 --> 00:03:18.960
<v Speaker 2>and a huge hit to their reputation.

62
00:03:19.080 --> 00:03:23.560
<v Speaker 1>Precisely all because of that narrow, purely technical view of security.

63
00:03:23.879 --> 00:03:25.439
<v Speaker 2>And it's not just data exposure, is it?

64
00:03:25.479 --> 00:03:28.439
<v Speaker 1>No, not at all. Our source shows how these same

65
00:03:29.039 --> 00:03:34.120
<v Speaker 1>piecemeal approaches can just cripple operational effectiveness. Take another retail bank,

66
00:03:34.759 --> 00:03:37.639
<v Speaker 1>brand new online service launch week. Okay, it gets

67
00:03:37.680 --> 00:03:41.840
<v Speaker 1>crippled by the surge in demand, completely, hopelessly underscaled. They

68
00:03:41.840 --> 00:03:43.360
<v Speaker 1>had to take it offline repeatedly.

69
00:03:43.479 --> 00:03:46.879
<v Speaker 2>Think of the lost business, the customer frustration exactly.

70
00:03:46.960 --> 00:03:49.639
<v Speaker 1>And then there's an insurance portal just unavailable because of

71
00:03:49.680 --> 00:03:53.639
<v Speaker 1>systems integration problems, the classic integration headache, right, and the

72
00:03:53.680 --> 00:03:57.719
<v Speaker 1>guide is crystal clear. Control over systems integration is all

73
00:03:57.759 --> 00:04:01.759
<v Speaker 1>part of security management and security architecture. These aren't just

74
00:04:01.840 --> 00:04:07.080
<v Speaker 1>you know it glitches. These are fundamental business failures, costing reputation, revenue,

75
00:04:07.400 --> 00:04:10.039
<v Speaker 1>customer trust, the works.

76
00:04:10.240 --> 00:04:12.280
<v Speaker 2>Yeah. If we connect this back to the bigger picture,

77
00:04:12.919 --> 00:04:17.519
<v Speaker 2>these examples just powerfully illustrate the well the costly consequences

78
00:04:17.720 --> 00:04:22.720
<v Speaker 2>of those piecemeal implementations of security. When organizations just chase

79
00:04:22.879 --> 00:04:27.240
<v Speaker 2>point solutions for specific problems without thinking about the organization

80
00:04:27.279 --> 00:04:29.839
<v Speaker 2>as a whole, they inevitably run into these kinds of

81
00:04:30.800 --> 00:04:35.199
<v Speaker 2>dramatic and expensive failures. What's fundamentally missing is that structured

82
00:04:35.199 --> 00:04:38.920
<v Speaker 2>inter relationship between the technical and procedural solutions, you know,

83
00:04:38.959 --> 00:04:41.600
<v Speaker 2>something that supports the long term needs of the business.

84
00:04:42.000 --> 00:04:44.920
<v Speaker 2>Every single security decision really from the top down. It

85
00:04:44.920 --> 00:04:48.439
<v Speaker 2>should be derived from a thorough understanding of the business.

86
00:04:48.040 --> 00:04:49.800
<v Speaker 1>Requirements, which makes total sense.

87
00:04:50.079 --> 00:04:52.240
<v Speaker 2>So this raises a critical question, doesn't it? How do

88
00:04:52.319 --> 00:04:54.959
<v Speaker 2>we shift? How do we get away from this reactive,

89
00:04:55.040 --> 00:04:59.160
<v Speaker 2>fragmented approach to one where security is proactively integrated.

90
00:04:58.879 --> 00:05:01.720
<v Speaker 1>Right into the DNA of the... Okay, so that's the

91
00:05:01.839 --> 00:05:05.879
<v Speaker 1>perfect setup for the solution. A powerful framework steps in here.

92
00:05:06.240 --> 00:05:09.360
<v Speaker 1>Our source introduces us to the SABSA model.

93
00:05:09.600 --> 00:05:10.000
<v Speaker 2>Ah.

94
00:05:10.040 --> 00:05:15.000
<v Speaker 1>SABSA good stuff stands for Sherwood Applied Business Security Architecture,

95
00:05:15.199 --> 00:05:18.800
<v Speaker 1>developed back in nineteen ninety five, and its defining characteristic:

96
00:05:19.079 --> 00:05:21.839
<v Speaker 1>Everything must be derived from an analysis of the business

97
00:05:21.839 --> 00:05:25.959
<v Speaker 1>requirements for security, particularly where security acts as an enabler.

98
00:05:26.000 --> 00:05:27.800
<v Speaker 2>That business driver is key totally.

99
00:05:27.839 --> 00:05:31.040
<v Speaker 1>And what's brilliant is how SABSA structures this whole model

100
00:05:31.120 --> 00:05:35.040
<v Speaker 1>around six basic questions. Our source even uses that fantastic

101
00:05:35.120 --> 00:05:39.680
<v Speaker 1>memorable reference Kipling's poem about his six honest serving men.

102
00:05:39.839 --> 00:05:42.240
<v Speaker 1>What why, how, who? Where? And when?

103
00:05:42.399 --> 00:05:44.399
<v Speaker 2>I love that analogy. It makes it so clear, it

104
00:05:44.439 --> 00:05:44.800
<v Speaker 2>really does.

105
00:05:44.839 --> 00:05:47.120
<v Speaker 1>It's a masterclass in making complex ideas stick.

106
00:05:47.199 --> 00:05:50.680
<v Speaker 2>Indeed, and those six questions they map directly to sabsa's

107
00:05:50.720 --> 00:05:54.680
<v Speaker 2>six layers. And it follows this really powerful top down approach.

108
00:05:54.720 --> 00:05:58.079
<v Speaker 2>You start with the why. That's the contextual security architecture.

109
00:05:58.240 --> 00:06:02.680
<v Speaker 2>It's all about figuring out the business requirements, identifying risks, assets, goals, threats.

110
00:06:02.720 --> 00:06:05.040
<v Speaker 1>Impacts the business foundation exactly.

111
00:06:05.240 --> 00:06:08.360
<v Speaker 2>Then you move down. You define strategies and plans in

112
00:06:08.399 --> 00:06:12.000
<v Speaker 2>the conceptual layer. Then you map out what security services

113
00:06:12.000 --> 00:06:14.560
<v Speaker 2>are needed. That's the logical layer, so what needs to

114
00:06:14.600 --> 00:06:18.279
<v Speaker 2>be done right. Then the physical layer details how things

115
00:06:18.319 --> 00:06:21.120
<v Speaker 2>are actually built, the tech the layout, followed by the

116
00:06:21.160 --> 00:06:24.279
<v Speaker 2>component layer, which is like the tradesman's view, focusing on

117
00:06:24.319 --> 00:06:26.480
<v Speaker 2>specific products, tools, hardware.

118
00:06:26.120 --> 00:06:28.000
<v Speaker 1>Software, the nitty gritty bits.

119
00:06:27.879 --> 00:06:31.560
<v Speaker 2>The nitty gritty, and finally the operational security architecture. This

120
00:06:31.680 --> 00:06:36.240
<v Speaker 2>ensures ongoing management measurement, basically keeping everything secure and running

121
00:06:36.279 --> 00:06:37.720
<v Speaker 2>smoothly over its whole life.

122
00:06:37.560 --> 00:06:38.439
<v Speaker 1>Right the day to day.

123
00:06:38.600 --> 00:06:42.000
<v Speaker 2>But the real genius here, what makes it truly enterprise grade,

124
00:06:42.680 --> 00:06:46.000
<v Speaker 2>is the bi directional traceability built into the model.

125
00:06:46.120 --> 00:06:47.480
<v Speaker 1>Ah that sounds important.

126
00:06:47.639 --> 00:06:50.000
<v Speaker 2>It is. You start with those high level business drivers

127
00:06:50.000 --> 00:06:52.800
<v Speaker 2>at the top right, and the framework ensures that every

128
00:06:52.800 --> 00:06:56.120
<v Speaker 2>single component, every procedure down at the bottom layers is

129
00:06:56.160 --> 00:06:58.720
<v Speaker 2>there because at the top of the model there is

130
00:06:58.759 --> 00:07:01.600
<v Speaker 2>a business driver that eventually is satisfied.

131
00:07:01.720 --> 00:07:04.040
<v Speaker 1>So everything connects back purposefully.

132
00:07:04.399 --> 00:07:09.040
<v Speaker 2>Exactly. This rigorous linkage ensures that security investments aren't just

133
00:07:09.160 --> 00:07:13.160
<v Speaker 2>you know, random tech buys. They're always aligned with tangible

134
00:07:13.199 --> 00:07:14.000
<v Speaker 2>business value.

135
00:07:14.079 --> 00:07:17.920
<v Speaker 1>That bi directional traceability really does sound incredibly powerful. It

136
00:07:18.040 --> 00:07:22.319
<v Speaker 1>ensures every security investment has a clear business reason. That

137
00:07:22.439 --> 00:07:25.959
<v Speaker 1>shifts the whole conversation, doesn't it? Completely. So let's step

138
00:07:26.000 --> 00:07:28.800
<v Speaker 1>a bit deeper into those business aspects, especially the why

139
00:07:28.879 --> 00:07:32.240
<v Speaker 1>and what. From those top layers you mentioned. Our guide

140
00:07:32.319 --> 00:07:36.360
<v Speaker 1>makes a really crucial point. Security is a relative term.

141
00:07:36.399 --> 00:07:40.800
<v Speaker 1>It's not absolute, right, There's no absolute scale, no universal definition.

142
00:07:41.120 --> 00:07:43.560
<v Speaker 1>It only really has meaning when you interpret it as

143
00:07:43.600 --> 00:07:47.680
<v Speaker 1>an attribute of something that you consider valuable. The level

144
00:07:47.680 --> 00:07:49.920
<v Speaker 1>of security you need, well, it depends entirely upon the

145
00:07:50.000 --> 00:07:51.720
<v Speaker 1>value and upon the operational risk.

146
00:07:51.920 --> 00:07:55.879
<v Speaker 2>Makes sense. Protect what matters proportionally exactly.

147
00:07:56.000 --> 00:08:01.439
<v Speaker 1>If assets are poorly protected, you have vulnerability, and security controls,

148
00:08:01.480 --> 00:08:05.199
<v Speaker 1>which can be technical or procedural, they're introduced to reduce

149
00:08:05.240 --> 00:08:09.839
<v Speaker 1>that vulnerability. This changes the whole paradigm, doesn't it from

150
00:08:09.879 --> 00:08:13.079
<v Speaker 1>seeing security as just a fixed cost to seeing it

151
00:08:13.120 --> 00:08:14.560
<v Speaker 1>as a calculated investment.

152
00:08:14.720 --> 00:08:16.519
<v Speaker 2>Precisely, it's risk management.

153
00:08:16.639 --> 00:08:19.480
<v Speaker 1>And our source powerfully states that information security is the

154
00:08:19.600 --> 00:08:21.680
<v Speaker 1>enabling technology of electronic business.

155
00:08:21.839 --> 00:08:24.360
<v Speaker 2>Yes, it's not just about stopping bad things.

156
00:08:24.439 --> 00:08:27.720
<v Speaker 1>It's not just about protecting. It's about helping us meet

157
00:08:27.720 --> 00:08:31.680
<v Speaker 1>our business objectives and maybe even realize our wildest dreams

158
00:08:31.879 --> 00:08:36.320
<v Speaker 1>by leveraging information and communication tech. And here's a crucial insight,

159
00:08:36.440 --> 00:08:40.559
<v Speaker 1>especially for digital business. Trust is a business relationship attribute,

160
00:08:40.600 --> 00:08:42.279
<v Speaker 1>not a technical attribute.

161
00:08:42.320 --> 00:08:44.360
<v Speaker 2>That's a really profound point worth pausing on.

162
00:08:44.519 --> 00:08:47.039
<v Speaker 1>Think about that for a second. Right, our technical systems,

163
00:08:47.200 --> 00:08:49.600
<v Speaker 1>they're merely there to protect the trust that exists in

164
00:08:49.600 --> 00:08:51.960
<v Speaker 1>the relationship, not actually create it.

165
00:08:52.039 --> 00:08:54.519
<v Speaker 2>The tech serves the relationship exactly.

166
00:08:54.639 --> 00:08:57.679
<v Speaker 1>The guide offers a great analogy. Imagine a house party.

167
00:08:58.279 --> 00:09:01.840
<v Speaker 1>The host introduces you to someone new. They act as

168
00:09:01.840 --> 00:09:05.320
<v Speaker 1>a trusted introducer, giving that new friendship a kickstart.

169
00:09:05.519 --> 00:09:07.559
<v Speaker 2>Ah okay, I see the parallel in.

170
00:09:07.519 --> 00:09:10.200
<v Speaker 1>The digital realm, where you know outsiders can gain access

171
00:09:10.200 --> 00:09:13.879
<v Speaker 1>to your business computing systems. That traditional eggshell security, the

172
00:09:13.879 --> 00:09:16.240
<v Speaker 1>hard perimeter, it just isn't enough anymore.

173
00:09:16.279 --> 00:09:18.360
<v Speaker 2>The hard shell cracks easily once you're inside.

174
00:09:18.440 --> 00:09:21.240
<v Speaker 1>Right, we need a more sophisticated approach. Yeah, what the

175
00:09:21.240 --> 00:09:26.039
<v Speaker 1>source calls a honeycomb concept of internal logical security domains

176
00:09:26.559 --> 00:09:29.960
<v Speaker 1>basically creating layers of trust and protection inside not just

177
00:09:30.080 --> 00:09:30.480
<v Speaker 1>at the.

178
00:09:30.480 --> 00:09:34.279
<v Speaker 2>Edge. Like internal compartments. Makes sense for complexity.

179
00:09:34.039 --> 00:09:38.039
<v Speaker 1>And speaking of complexity, ESA is absolutely essential for managing it.

180
00:09:38.279 --> 00:09:40.240
<v Speaker 1>As our guide points out, you know the Sydney Opera

181
00:09:40.279 --> 00:09:42.639
<v Speaker 1>House could not have been built in piecemeal fashion.

182
00:09:42.799 --> 00:09:45.000
<v Speaker 2>Ah No, I imagine not complex.

183
00:09:44.639 --> 00:09:48.360
<v Speaker 1>Large scale projects, whether iconic buildings or sprawling business systems.

184
00:09:48.679 --> 00:09:52.200
<v Speaker 1>They just demand that holistic architectural approach to have any

185
00:09:52.279 --> 00:09:54.679
<v Speaker 1>chance of succeeding absolutely.

186
00:09:54.279 --> 00:09:57.200
<v Speaker 2>And zooming back in on that contextual layer of SABSA.

187
00:09:57.279 --> 00:10:01.120
<v Speaker 2>It's fascinating how the model uses exactly those six basic

188
00:10:01.200 --> 00:10:05.639
<v Speaker 2>questions why, how, who, what where when to really thoroughly

189
00:10:05.759 --> 00:10:08.759
<v Speaker 2>establish the business requirements for security.

190
00:10:08.320 --> 00:10:10.559
<v Speaker 1>Getting that foundation solid, totally solid.

191
00:10:10.720 --> 00:10:14.200
<v Speaker 2>This step identifies the business assets, the threats they face,

192
00:10:14.279 --> 00:10:17.600
<v Speaker 2>the potential impacts, the vulnerabilities. It leads directly into a

193
00:10:17.679 --> 00:10:22.559
<v Speaker 2>robust understanding of operational risk management. This isn't just technical risk,

194
00:10:22.639 --> 00:10:27.440
<v Speaker 2>mind you. It's about identifying threats, assessing impacts, understanding vulnerabilities

195
00:10:27.440 --> 00:10:28.639
<v Speaker 2>from all angles.

196
00:10:28.240 --> 00:10:29.960
<v Speaker 1>And regulators are pushing this too.

197
00:10:30.279 --> 00:10:33.919
<v Speaker 2>Increasingly, like those behind the new Basel Capital Accord, Basel II.

198
00:10:34.440 --> 00:10:39.200
<v Speaker 2>They're compelling financial institutions to actually allocate capital against operational risk.

199
00:10:39.480 --> 00:10:45.120
<v Speaker 2>That's the risk of loss from inadequate or failed internal processes, people, systems,

200
00:10:45.200 --> 00:10:48.240
<v Speaker 2>or even external events. It's a huge financial incentive to

201
00:10:48.279 --> 00:10:49.120
<v Speaker 2>get security right.

202
00:10:49.240 --> 00:10:49.840
<v Speaker 1>Money talks.

203
00:10:50.120 --> 00:10:52.799
<v Speaker 2>It certainly does, and our source gives a really compelling

204
00:10:52.840 --> 00:10:56.399
<v Speaker 2>case study to illustrate this point. A small island economy,

205
00:10:56.759 --> 00:11:01.159
<v Speaker 2>single electrical power plant controlled remotely. High stakes. Very high

206
00:11:01.159 --> 00:11:04.799
<v Speaker 2>stakes. Security became an important issue when they found out

207
00:11:04.840 --> 00:11:08.799
<v Speaker 2>that Harry, the deputy power station manager, had installed this

208
00:11:09.000 --> 00:11:10.240
<v Speaker 2>software from the Internet.

209
00:11:10.360 --> 00:11:13.000
<v Speaker 1>Oh Harry, not good, not good at all.

210
00:11:13.480 --> 00:11:16.559
<v Speaker 2>This seemingly innocent act by someone they trusted created a

211
00:11:16.639 --> 00:11:21.799
<v Speaker 2>significant vulnerability. It just underscores the need for robust operational

212
00:11:21.919 --> 00:11:26.039
<v Speaker 2>risk assessment that looks beyond just external threats or obvious malice.

213
00:11:26.879 --> 00:11:28.799
<v Speaker 2>You have to consider internal actions.

214
00:11:28.440 --> 00:11:30.639
<v Speaker 1>Too, even unintentional.

215
00:11:29.919 --> 00:11:34.240
<v Speaker 2>Ones, even unintentional ones. And to help organizations think systematically

216
00:11:34.279 --> 00:11:37.919
<v Speaker 2>about these risks, the guide introduces a practical two dimensional

217
00:11:37.919 --> 00:11:41.320
<v Speaker 2>threat classification. It helps you consider who or what could

218
00:11:41.320 --> 00:11:45.840
<v Speaker 2>pose a threat, people, processes, systems, external factors and how

219
00:11:45.840 --> 00:11:50.559
<v Speaker 2>that threat might manifest, facilities issues, behavior, tech failures.

220
00:11:50.080 --> 00:11:52.919
<v Speaker 1>Crime. A structured way to brainstorm threats. Exactly.

221
00:11:53.039 --> 00:11:56.159
<v Speaker 2>It ensures hopefully no critical vulnerability gets overlooked.

222
00:11:56.200 --> 00:11:59.120
<v Speaker 1>And this nuanced view it extends to trust in digital

223
00:11:59.120 --> 00:12:00.120
<v Speaker 1>interactions too.

224
00:12:00.399 --> 00:12:04.600
<v Speaker 2>Yes, absolutely, the SABSA model highlights the need for different

225
00:12:04.679 --> 00:12:08.639
<v Speaker 2>levels of trust and for appropriate registration processes. Think about

226
00:12:08.679 --> 00:12:11.600
<v Speaker 2>simple self registration, maybe a click and go process for

227
00:12:11.679 --> 00:12:17.240
<v Speaker 2>public info versus say a rigorous registration needing physical presence

228
00:12:17.279 --> 00:12:19.840
<v Speaker 2>and documents like setting up a bank account.

229
00:12:20.039 --> 00:12:21.960
<v Speaker 1>Different levels of assurance needed.

230
00:12:21.879 --> 00:12:25.799
<v Speaker 2>Precisely, and these different levels naturally lead to different classes

231
00:12:25.799 --> 00:12:29.440
<v Speaker 2>of digital certificate, ensuring the technical protection and the identity

232
00:12:29.440 --> 00:12:32.840
<v Speaker 2>assurance perfectly match the business's required level of trust for

233
00:12:32.879 --> 00:12:34.000
<v Speaker 2>that specific interaction.

234
00:12:34.360 --> 00:12:37.039
<v Speaker 1>So it's all about matching the security effort to the

235
00:12:37.080 --> 00:12:39.000
<v Speaker 1>actual business need and risk.

236
00:12:39.159 --> 00:12:41.559
<v Speaker 2>That's the core idea proportionality.

237
00:12:41.639 --> 00:12:44.759
<v Speaker 1>Okay, so we've really explored why ESA is essential

238
00:12:44.799 --> 00:12:47.480
<v Speaker 1>and what a robust framework like SABSA looks like. But

239
00:12:47.639 --> 00:12:49.480
<v Speaker 1>you know, the rubber needs to meet the road. How

240
00:12:49.480 --> 00:12:53.559
<v Speaker 1>do we bridge that understanding to actual action? A crucial

241
00:12:53.559 --> 00:12:56.399
<v Speaker 1>step seems to be articulating these benefits in a language

242
00:12:56.399 --> 00:13:01.080
<v Speaker 1>that senior leadership understands, you know, selling the value of

243
00:13:01.159 --> 00:13:02.200
<v Speaker 1>security architecture.

244
00:13:02.240 --> 00:13:04.480
<v Speaker 2>That's often the hardest part, isn't it getting buy in?

245
00:13:04.720 --> 00:13:08.159
<v Speaker 1>It really can be. Our guide gives us some powerful arguments,

246
00:13:08.320 --> 00:13:12.039
<v Speaker 1>better risk management that obviously aligns with corporate governance, reduced

247
00:13:12.080 --> 00:13:15.759
<v Speaker 1>operating costs, and its cites concrete examples like savings on

248
00:13:15.879 --> 00:13:18.720
<v Speaker 1>help desk resources and lost user productivity.

249
00:13:18.919 --> 00:13:20.720
<v Speaker 2>Tangible savings always.

250
00:13:20.440 --> 00:13:25.480
<v Speaker 1>Good, and crucially fast time to market, enabling that competitive

251
00:13:25.480 --> 00:13:27.840
<v Speaker 1>advantage by having secure systems ready to go.

252
00:13:28.159 --> 00:13:30.879
<v Speaker 2>Security is an accelerator, not a brake. Exactly.

253
00:13:31.279 --> 00:13:33.960
<v Speaker 1>And to put a number on those reduced operating costs,

254
00:13:34.360 --> 00:13:38.399
<v Speaker 1>our Guide shares an incredible case study from IBFS Intergalactic

255
00:13:38.440 --> 00:13:40.399
<v Speaker 1>Banking and Financial Services Inc.

256
00:13:40.759 --> 00:13:43.480
<v Speaker 2>Love the name, Yeah sounds important.

257
00:13:43.519 --> 00:13:46.200
<v Speaker 1>They found that one percent of logins failed for some reason,

258
00:13:46.879 --> 00:13:49.440
<v Speaker 1>which okay, for one hundred and twenty thousand users. Translated

259
00:13:49.440 --> 00:13:52.919
<v Speaker 1>to get this, another eighty eight thousand resource hours per

260
00:13:53.000 --> 00:13:54.440
<v Speaker 1>year spent just logging in.

261
00:13:54.600 --> 00:13:57.279
<v Speaker 2>Eighty eight thousand hours just on failed log in.

262
00:13:57.360 --> 00:14:00.519
<v Speaker 1>Just logging in. That's a massive, quantifiable operating cost.

263
00:14:00.960 --> 00:14:04.399
<v Speaker 1>A well designed ESA can significantly reduce that by improving

264
00:14:04.480 --> 00:14:06.360
<v Speaker 1>user experience system reliability.

265
00:14:06.399 --> 00:14:09.320
<v Speaker 2>Wow, that's a compelling number to take to management.

266
00:14:09.120 --> 00:14:11.639
<v Speaker 1>Isn't it. And when it comes to actually building the

267
00:14:11.720 --> 00:14:16.039
<v Speaker 1>team to implement all this, our source wisely references Belbin's

268
00:14:16.080 --> 00:14:16.879
<v Speaker 1>team roles.

269
00:14:17.159 --> 00:14:21.159
<v Speaker 2>Ah yes, Belbin. Shapers, implementers.

270
00:14:20.639 --> 00:14:24.320
<v Speaker 1>Exactly like the shaper for driving things forward, the implementer

271
00:14:24.360 --> 00:14:27.679
<v Speaker 1>for practical action, the completer finisher for that crucial attention

272
00:14:27.759 --> 00:14:31.200
<v Speaker 1>to detail. It really emphasizes the importance of a balanced

273
00:14:31.200 --> 00:14:34.720
<v Speaker 1>team over just you know, subjective selection based on who

274
00:14:34.759 --> 00:14:37.559
<v Speaker 1>you like, because that doesn't necessarily bring the right mix

275
00:14:37.559 --> 00:14:38.159
<v Speaker 1>of skills.

276
00:14:38.240 --> 00:14:40.759
<v Speaker 2>You need that diversity of roles to succeed totally.

277
00:14:41.320 --> 00:14:44.960
<v Speaker 1>And for fostering the right security culture, the source makes

278
00:14:45.000 --> 00:14:47.080
<v Speaker 1>a strong case for a no blame.

279
00:14:46.799 --> 00:14:49.879
<v Speaker 2>Culture. Mm, crucial for transparency.

280
00:14:49.399 --> 00:14:52.600
<v Speaker 1>Right, encouraging people to report mistakes, rather than a culture

281
00:14:52.639 --> 00:14:56.360
<v Speaker 1>of blame that just drives errors underground, making them impossible

282
00:14:56.360 --> 00:14:57.159
<v Speaker 1>to find and fix.

283
00:14:57.480 --> 00:15:01.360
<v Speaker 2>People hide things if they fear punishment. Human nature. So true.

284
00:15:01.559 --> 00:15:04.200
<v Speaker 2>And when it comes to actually building these secure systems,

285
00:15:04.600 --> 00:15:09.360
<v Speaker 2>our guide brings in Boardman's five basic considerations. For any system,

286
00:15:09.440 --> 00:15:13.159
<v Speaker 2>you need to think about its objectives, its environment, the resources

287
00:15:13.159 --> 00:15:16.240
<v Speaker 2>it uses, its parts, and its management.

288
00:15:15.840 --> 00:15:18.720
<v Speaker 1>A holistic view of the system itself exactly.

289
00:15:19.360 --> 00:15:23.159
<v Speaker 2>These considerations are vital because they guide the design, ensuring

290
00:15:23.159 --> 00:15:27.000
<v Speaker 2>that performance, measurement and overall effectiveness are baked in right

291
00:15:27.039 --> 00:15:30.559
<v Speaker 2>from the start, not just bolted on later. And regarding

292
00:15:30.559 --> 00:15:34.279
<v Speaker 2>the sabsa development process itself, it's really crucial to understand

293
00:15:34.320 --> 00:15:38.320
<v Speaker 2>that enterprise wide security architecture will never be implemented as

294
00:15:38.360 --> 00:15:39.480
<v Speaker 2>a single project right.

295
00:15:39.519 --> 00:15:40.879
<v Speaker 1>It's not a one and done thing.

296
00:15:40.960 --> 00:15:43.799
<v Speaker 2>Not at all. It unfolds one project at a time,

297
00:15:43.879 --> 00:15:48.360
<v Speaker 2>which demands strong architecture governance to ensure consistency and compliance

298
00:15:48.399 --> 00:15:52.320
<v Speaker 2>across the whole organization. The process moves through distinct phases

299
00:15:52.679 --> 00:15:57.240
<v Speaker 2>strategy and concept, then design, then implementation, and then critically

300
00:15:57.440 --> 00:15:59.919
<v Speaker 2>manage and measure that ongoing loop.

301
00:16:00.279 --> 00:16:01.159
<v Speaker 1>And measure. Got it.

302
00:16:01.440 --> 00:16:06.120
<v Speaker 2>And another important practical distinction the source highlights concerns outsourcing security.

303
00:16:06.200 --> 00:16:07.919
<v Speaker 1>Ah yeah, that comes up a lot, it.

304
00:16:07.879 --> 00:16:12.000
<v Speaker 2>Does, and the clarification is key. Assessing business risk, specifying

305
00:16:12.039 --> 00:16:16.559
<v Speaker 2>business security requirements, granting authorizations and setting policy are matters

306
00:16:16.600 --> 00:16:18.840
<v Speaker 2>to be retained by the business folks, so the core

307
00:16:18.879 --> 00:16:23.679
<v Speaker 2>decisions stay in house. Absolutely. These are core business responsibilities.

308
00:16:23.919 --> 00:16:29.159
<v Speaker 2>They define what security means for your organization. However, implementing

309
00:16:29.240 --> 00:16:33.240
<v Speaker 2>decisions and policies is what an outsourcing service provider does

310
00:16:33.279 --> 00:16:33.759
<v Speaker 2>for a living.

311
00:16:33.840 --> 00:16:36.799
<v Speaker 1>Okay, so what and why stay with the business, the

312
00:16:36.879 --> 00:16:38.840
<v Speaker 1>how can potentially be outsourced?

313
00:16:38.919 --> 00:16:41.519
<v Speaker 2>Yeah, that's a good way to put it. Understanding that

314
00:16:41.559 --> 00:16:45.320
<v Speaker 2>clear split is key to effective management. But even with

315
00:16:45.360 --> 00:16:48.639
<v Speaker 2>good processes, things can go wrong if you don't manage

316
00:16:48.679 --> 00:16:52.120
<v Speaker 2>the life cycle. Our source gives this cautionary tale of

317
00:16:52.519 --> 00:16:53.440
<v Speaker 2>phantom backups.

318
00:16:53.559 --> 00:16:56.519
<v Speaker 1>Phantom backups? Sounds spooky, a little.

319
00:16:56.639 --> 00:16:59.720
<v Speaker 2>A small software house had a daily backup routine. Seemed fine.

320
00:17:00.120 --> 00:17:03.039
<v Speaker 2>Years later a court orders them to retrieve transaction data

321
00:17:03.039 --> 00:17:05.720
<v Speaker 2>from nineteen ninety three. They discover they were

322
00:17:05.759 --> 00:17:09.200
<v Speaker 2>unable to read their backup tapes. Why? Because their physical architecture had

323
00:17:09.279 --> 00:17:12.400
<v Speaker 2>changed beyond all recognition and the old tape drives needed

324
00:17:12.400 --> 00:17:14.319
<v Speaker 2>to read those tapes, long gone.

325
00:17:14.400 --> 00:17:17.119
<v Speaker 1>Ouch. Data was there, but inaccessible. Exactly.

326
00:17:17.319 --> 00:17:20.960
<v Speaker 2>It powerfully illustrates the critical importance of considering lifetimes and

327
00:17:21.000 --> 00:17:24.319
<v Speaker 2>deadlines for data and technology, and the often overlooked cost

328
00:17:24.359 --> 00:17:26.519
<v Speaker 2>of long term support and maintenance.

329
00:17:26.160 --> 00:17:28.960
<v Speaker 1>Something easily forgotten in the day to day rush.

330
00:17:28.839 --> 00:17:33.240
<v Speaker 2>Very easily. Another common pitfall the guide addresses is capacity planning.

331
00:17:33.519 --> 00:17:35.519
<v Speaker 1>Ah, like that bank example earlier.

332
00:17:35.640 --> 00:17:39.880
<v Speaker 2>Precisely. The infamous UK census website failure back in two

333
00:17:39.920 --> 00:17:43.440
<v Speaker 2>thousand and two, which was just overwhelmed by unexpected demand,

334
00:17:44.000 --> 00:17:48.720
<v Speaker 2>serves as a stark reminder you absolutely need robust processes

335
00:17:49.000 --> 00:17:52.640
<v Speaker 2>for making predictions and forecasts about future capacity.

336
00:17:52.240 --> 00:17:54.839
<v Speaker 1>Needs, or risk spectacular public failure. You do.

337
00:17:55.519 --> 00:17:58.640
<v Speaker 2>And finally, just weaving through all of this, organizations have

338
00:17:58.720 --> 00:18:02.160
<v Speaker 2>to navigate that labyrinth of laws and regulations, things like

339
00:18:02.200 --> 00:18:06.359
<v Speaker 2>the UK Data Protection Act, which directly impacts information security

340
00:18:06.599 --> 00:18:09.279
<v Speaker 2>by dictating exactly how personal data must be handled.

341
00:18:09.440 --> 00:18:11.519
<v Speaker 1>Compliance is non-negotiable. It really is.

342
00:18:11.759 --> 00:18:15.359
<v Speaker 2>And all these operational considerations, life cycle, capacity, compliance, they

343
00:18:15.559 --> 00:18:19.839
<v Speaker 2>absolutely must be meticulously woven into a robust enterprise security architecture.

344
00:18:19.960 --> 00:18:23.000
<v Speaker 1>Okay, so wrapping this up, what does this all really

345
00:18:23.039 --> 00:18:27.039
<v Speaker 1>mean for you, our listener? This deep dive into enterprise

346
00:18:27.079 --> 00:18:31.079
<v Speaker 1>security architecture, especially looking through the lens of powerful holistic

347
00:18:31.160 --> 00:18:35.880
<v Speaker 1>models like SABSA, it truly transforms how we should view security.

348
00:18:36.160 --> 00:18:38.759
<v Speaker 1>It shifts it from being just a technical afterthought or

349
00:18:39.160 --> 00:18:43.319
<v Speaker 1>a dreaded cost center into a genuinely strategic business enabler.

350
00:18:43.440 --> 00:18:46.680
<v Speaker 1>That's the goal. You've hopefully now gained a more structured,

351
00:18:46.960 --> 00:18:51.119
<v Speaker 1>holistic understanding that empowers you to make informed decisions to

352
00:18:51.240 --> 00:18:55.160
<v Speaker 1>drive real business value, to see security not as a burden,

353
00:18:55.519 --> 00:18:59.160
<v Speaker 1>but as an integral, proactive part of your organization's success

354
00:18:59.359 --> 00:19:00.680
<v Speaker 1>and future growth.

355
00:19:00.720 --> 00:19:02.839
<v Speaker 2>Building on that, perhaps this leads us to a final

356
00:19:02.920 --> 00:19:06.079
<v Speaker 2>crucial question for you to ponder. If we accept that

357
00:19:06.119 --> 00:19:09.519
<v Speaker 2>security is a relative term tied directly to value and

358
00:19:09.519 --> 00:19:14.240
<v Speaker 2>operational risk, and if trust is fundamentally a business relationship

359
00:19:14.279 --> 00:19:17.799
<v Speaker 2>attribute that our technical systems merely protect, then what deeper

360
00:19:17.880 --> 00:19:21.240
<v Speaker 2>role do you believe your organization's security architecture plays or

361
00:19:21.319 --> 00:19:24.920
<v Speaker 2>could play in actively shaping customer and partner trust, not

362
00:19:25.000 --> 00:19:25.920
<v Speaker 2>just defending it.

363
00:19:25.599 --> 00:19:27.920
<v Speaker 1>Shaping trust, not just protecting it.

364
00:19:28.240 --> 00:19:34.079
<v Speaker 2>Exactly. How can we collectively better articulate security's proactive role

365
00:19:34.119 --> 00:19:38.079
<v Speaker 2>in building, rather than just defending, our most valuable business relationships?

366
00:19:38.359 --> 00:19:40.200
<v Speaker 2>So I'm going to think about perhaps and how it

367
00:19:40.279 --> 00:19:42.799
<v Speaker 2>might reshape your own approach to security going forward.
