Turning Information Security Architects into Chefs

Information security architects are chefs, cooking up security designs that incorporate routine and exotic ingredients to produce dishes fit for the occasion. As a casual cook and food aficionado, I’ve observed two types of amateur cooks:

  • Recipe-diehards: Some amateur cooks follow recipes with meticulous precision to create delicacies that delight all senses. Unfortunately, if the recipe is bad, the dish they produce will be lackluster as well. When the recipe is right, the excellence of their execution produces an amazing dish.
  • Improvisers: Some amateur cooks are averse to following recipes, improvising their delectables on the spot. Sometimes they might dream up a bad dish. However, with enough skill and experience, they may be able to create delightful fare quite often.

How do these traits exhibit themselves in information security architects? Some architects rigorously follow common infosec standards and control frameworks. Others are good at thinking on their feet, coming up with reasonable designs based on their experience and common sense.

Neither of these approaches by itself is sufficient.

A true architect in information security knows design patterns, regulatory requirements and control frameworks (i.e., recipes) to make decisions in a structured, well-researched manner. Yet, such a professional also has the skills to integrate unexpected data and unique requirements into the design (i.e., improvise). Accomplishing this takes deliberate practice.

These principles apply in the culinary context, too. According to the case study What Makes a Great Chef by J.D. Pratten, mediocre cooks work mechanically without truly understanding intricacies of taste. A head chef surpasses this limitation; however, he cannot cook whatever he wants due to business restrictions:

“He needs to develop the skill of compiling a menu, which balances lighter and heavier starters with appropriate main courses… so as to present a menu attractive to all customers within cost constraints.”

Information security architects need to know how to operate within the business constraints without blindly following a checklist. They have to be familiar with common design patterns and must be able to tell when to use them and when to come up with new ones. And they must keep their cool when faced with unexpected restrictions or requirements. Only then will they turn from amateur cooks into chefs.


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds creative anti-malware solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
