Turning Information Security Architects into Chefs

Some architects rigorously follow frameworks (recipe-diehards); others improvise based on experience. Neither approach alone suffices. True architects know design patterns and control frameworks for structured decisions, yet can integrate unexpected requirements. Like chefs, they must balance creativity with business constraints.

Information security architects are chefs, cooking up security designs that incorporate routine and exotic ingredients to produce dishes fit for the occasion. As a casual cook and food aficionado, I’ve observed two types of amateur cooks:

How do these traits exhibit themselves in information security architects? Some architects rigorously follow common infosec standards and control frameworks. Others are good at thinking on their feet, coming up with reasonable designs based on their experience and common sense.

Neither of these approaches by itself is sufficient.

A true architect in information security knows design patterns, regulatory requirements and control frameworks (i.e., recipes) to make decisions in a structured, well-researched manner. Yet, such a professional also has the skills to integrate unexpected data and unique requirements into the design (i.e., improvise). Accomplishing this takes deliberate practice.

These principles apply in the culinary context, too. According to the case study What Makes a Great Chef by J.D. Pratten, mediocre cooks work mechanically without truly understanding intricacies of taste. A head chef surpasses this limitation; however, he cannot cook whatever he wants due to business restrictions:

“He needs to develop the skill of compiling a menu, which balances lighter and heavier starters with appropriate main courses… so as to present a menu attractive to all customers within cost constraints.”

Information security architects need to know how to operate within the business constraints without blindly following a checklist. They have to be familiar with common design patterns and must be able to tell when to use them and when to come up with new ones. And they must keep their cool when faced with unexpected restrictions or requirements. Only then will they turn from amateur cooks into chefs.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.