
Bridging the Gap: Aligning Security, Architecture, and Business Needs in the Age of EU Regulations

Bridging the Gap, summary:

Organizations are increasingly recognizing the importance of IT and information security, driven largely by EU regulations such as DORA, NIS2, and CRA, which are rooted in established frameworks such as ITIL, ISO 270xx, CIS, and NIST. While technology plays a key role in security, it is not a standalone solution. The real strength lies in combining technology with well-defined processes, preparation, automation, and a deep understanding of information flows.

A major challenge is the overemphasis on technology, often at the expense of organizational involvement and process alignment. This can lead to inefficiencies, increased risks, and barriers to business development. Complexity in tools and systems can hinder usability and security, making simplicity and clarity essential.

The missing link is often architecture—the glue that connects business needs with IT and security. Successful security initiatives require collaboration across departments, not isolated efforts. Generalists with deep technical knowledge and the ability to bridge gaps between people, processes, and technology are crucial.

Ultimately, building a secure and agile business starts with understanding customer needs and aligning capabilities accordingly, not just with buying tech tools. EU regulations emphasize this process-oriented approach, and those who grasp the architectural and strategic implications will be best positioned to adapt and thrive.

Bridging the Gap: Aligning Security, Architecture, and Business Needs in the Age of EU Regulations

Companies have become more aware of the importance of security, or at least there is a movement in that direction. Maybe it is a "follow the crowd" change? More likely, it is because the EU regulations have put a lot of focus on the security processes of companies and organizations.

All these EU regulations originate from ITIL, ISO 270xx, CIS Controls, NIST and other similar frameworks and standards. This is obvious when you read them. DORA, NIS2 and CRA, to name a few, all point in a very similar direction. This is also something that the more experienced security experts have been pointing out for several years.

So how do we meet the challenges of everyday IT and the security around it?

For several years there has been a focus on, and a belief in, technology as the solution to everything. Well, it is definitely part of it. The other part, and the more important one, is processes, preparation and preparedness, testing, automation, and an understanding of information flows and of the information itself. Yet another big hurdle is people. I think, though, that there is a missing link.

The big challenge is that in many (or most) projects, to be successful, you need experienced technicians in their own areas, but the organization and the business itself also need to take part: the people who work with the processes and activities day in and day out.

The risks increase when the focus on technology is very high: you may miss out on other areas, create many weak links in the chain and introduce other high risks, or even hit a wall, a full stop, for business development, because you are not seeing the whole picture.

Another, costly, risk is that you may put money in the wrong pockets (or systems), unintentionally creating high hurdles for personnel who must learn how to use their tools and technology, instead of having them work swiftly and with ease, creating and developing business. Complexity, tools and their configuration are among the issues at the top of the list of security problems. Remember: it should be easy to do things right from the start, or else users will find new ways around the controls, and the bad actors will easily find those ways too.

Complexity is where small issues become big ones. Complexity and security do not add up.

So now, maybe, we can see the glue that holds everything together: the architecture, and that this is something that, unfortunately, is often left out. There are challenges here, drawn from experience of information and IT security, IT technology and processes. You need to be on your toes to understand and embrace the large amount of technology, and rapid development and change make that close to impossible. But the whole picture starts with the business, and IT needs to meet the business in architectural work that addresses the business needs. In some companies, Agile development has not been helping here.

In projects where companies need to raise their information and IT security overall, what is needed is more of a generalist with deep technical understanding and the knowledge to address and scope the technical challenges: someone who pulls the right strings and connects people, bringing in the right people with the right technology experience, and who understands the real needs and activities required to meet business expectations and compliance requirements. That person also secures the architecture so that it supports the business processes, the capabilities and the right technology focus. This cannot be done alone in silos; it has to permeate the organization! Just as with security, details need to be clarified, simplified and standardized in cooperation.

But, and this is changing for the better now, I would say that some have a somewhat skewed picture of what the real challenges are and how to resolve them. Technology is not the solution and it is not the problem. Rather, how to tackle IT and information security, the processes and the organization, and focusing on what is important, is part of the solution, together with the right activities and processes. All the systems, software and tools that keep popping up, if you even see them, can be a real hurdle and a risk. Keep it simple! This is also where architecture kicks in: security, IT and systems architecture.

If you are going to build a company, you do not start by buying firewalls, routers and pen testers, or even computers. You start with a business idea and look at the customer needs. What capabilities are needed to meet customer expectations, and how do we secure them?

The EU regulations will, most of the time, focus on processes and on the things that meet the needs for security, but understanding where all of this leads us is more important, both technologically and architecturally. Those who understand this will be the people and businesses that are ready for agile business change, securing it all the way, delivering customer value and meeting expectations as well as the intent of the EU regulations.

In the end, the complexity of technology and the failure to meet business needs will also add cost to your business.
