As a journalist specializing in IT security issues, I regularly talk to a lot of CISOs as well as the security folks working in the trenches. And there's one thing that never ceases to amaze me about so many of these conversations: After all these years – and all the hacks and attacks we've seen take place over them – security teams generally still run a step or two behind the deployment of new IT initiatives.
That places security groups in the unfortunate position of having to "bolt on" security controls well after a new project is under way. And that is hard to do; it's tough to add security after a system has been designed or once a deployment gets going, whether that is the launch of a website or Web application, a system integration, or a move to a cloud service.
How is it that this continues to be the normal state of doing business – especially when the risks enterprises face aren't exactly letting up? If anything, the danger is taking on new and potentially even more lethal forms when it comes to infiltrating businesses' most privileged information. Consider some recent high-profile attacks, such as Operation Aurora, which targeted Fortune 500 companies, including many Western businesses — Google among them. Then there were the Night Dragon attacks, revealed in February, that were aimed at some in the energy industry. Most of these attacks are considered to be cyber-espionage. It's widely assumed that they are the work of highly skilled and determined hackers on the payroll of nation-states and possibly even foreign business interests that want to steal corporate secrets.
Lately, we’ve also seen a spate of so-called cyber-hacktivist attacks, where businesses perceived to be taking a stand against Wikileaks were hit with embarrassing hacks and denials of service.
Pointing to those headline-making events doesn't mean that less spectacular and less-publicized attacks, perpetrated for common, everyday data and identity theft, are any less important. They're not. Businesses confront online criminals with exactly such intentions every day. Obviously, IT security organizations pay great attention to news of all kinds of security infiltrations, and clearly they have good intentions of making sure their business is not the next victim on the hit list. But it's hard for them to live up to those intentions when they're not consulted for their expertise as soon as new initiatives are approved.
Change The Game
There is hope that this lack of communication – even if it has festered as long as this – can be rectified. And I think enterprise architects can play an important role in making that happen.
Here’s how: Enterprise architects, who have a firm understanding of how systems are being deployed as well as knowledge of the business objectives behind these systems, can help a great deal when it comes to protecting an organization's business technology systems and information. To build security into new initiatives and system changes requires tight — and upfront — coordination among many groups. The enterprise architect can drive value in aligning security teams, quality assurance personnel, developers, the office of the CIO, and business managers and executives. All those parties — and the enterprise architect, as well — must work together to ensure that the focus and resources necessary to maintain a secure IT posture are in place.
I'm certainly not claiming this is going to be easy. For one thing, communication between security leaders and enterprise architects may need some work. While CISOs claim they're too often left out of early talks about new initiatives, I've had conversations with a few EAs who've grumbled that security teams are too quick to say no to them, and that can create hard feelings. There clearly is some bridge-building to do between the groups.
What has been your experience as an enterprise architect in communicating with the security team? And how do you see your role in helping to align business, technological, and security demands to protect your organization? I'd appreciate hearing your story, and any ideas or experiences on the topic that you'd like to share. I also invite CISOs to join the conversation and add comments here or send me a note on the Exchange.