Turning Information Security Architects into Chefs

Information security architects are chefs, cooking up security designs that incorporate routine and exotic ingredients to produce dishes fit for the occasion. As a casual cook and food aficionado, I've observed two types of amateur cooks:

  • Recipe-diehards: Some amateur cooks follow recipes with meticulous precision to create delicacies that delight all senses. Unfortunately, if the recipe is bad, the dish they produce will be lackluster as well. When the recipe is right, the excellence of their execution produces an amazing dish.
  • Improvisers: Some amateur cooks are averse to following recipes, improvising their delectables on the spot. Sometimes they might dream up a bad dish. However, with enough skill and experience, they may be able to create delightful fare quite often.

How do these traits exhibit themselves in information security architects? Some architects rigorously follow common infosec standards and control frameworks. Others are good at thinking on their feet, coming up with reasonable designs based on their experience and common sense.

Neither of these approaches by itself is sufficient.

A true architect in information security knows design patterns, regulatory requirements and control frameworks (i.e., recipes) to make decisions in a structured, well-researched manner. Yet, such a professional also has the skills to integrate unexpected data and unique requirements into the design (i.e., improvise). Accomplishing this takes deliberate practice.

These principles apply in the culinary context, too. According to the case study What Makes a Great Chef by J.D. Pratten, mediocre cooks work mechanically without truly understanding intricacies of taste. A head chef surpasses this limitation; however, he cannot cook whatever he wants due to business restrictions:

"He needs to develop the skill of compiling a menu, which balances lighter and heavier starters with appropriate main courses… so as to present a menu attractive to all customers within cost constraints."

Information security architects need to know how to operate within the business constraints without blindly following a checklist. They have to be familiar with common design patterns and must be able to tell when to use them and when to come up with new ones. And they must keep their cool when faced with unexpected restrictions or requirements. Only then will they turn from amateur cooks into chefs.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.