Enterprise Security Architecture

A resource for practical security architecture, written for security professionals at every stage of their careers.

I created this site to educate and make your work easier, whether you are tackling complex challenges, designing secure systems, or aligning security with business goals. You will find straightforward advice, actionable examples, and ready-to-use models that focus on what works in the real world.

Visual Architecture Resources

Core Resources

What is Architecture?

A concise explanation of enterprise architecture, enterprise security architecture, and the building analogy that helps explain the discipline.

Security Controls Matrix

A control set developed since 2005 to support gap analysis, requirements definition, control selection, and capability reviews.

Models and Frameworks

Reusable tools, templates, frameworks, and presentations for architecture workshops and design conversations.

Architect Roles

Enterprise, solution, and operational security architecture roles explained through their different responsibilities.

Guidance

Practical guidance for domain names, certificate management, certificate policy, and security operations.

Archi Model

Architecture modelling resources and exported views for exploring the model content directly.

Featured Publication

Governance, Risk and Compliance: Demystifying the Risk and Data Privacy Landscape

Mike Brass asked me to write the chapter on the role of Enterprise Security Architecture in the GRC landscape. The book is designed to equip apprentices, students, and professionals with a deeper understanding of governance, risk management, compliance, and data privacy.

It covers the fundamentals of GRC, the key components of a GRC programme, how to implement one, what Data Privacy is beyond protection, and how GRC can improve organisational performance.

Edition: 1. Published: 2026. ISBN: 9781040532348. Pages: 206.

About Me

I work at the intersection of enterprise architecture and security leadership, designing and transforming the capabilities, operating models, and functions that organisations need to be genuinely secure, not just compliant.

With over 30 years of experience across critical national infrastructure, financial services, central government, and regulated industries, my work has moved beyond pure security architecture into the broader Enterprise Architecture space: value chain modelling, operating model design, systems landscape analysis, and the organisational work that turns good architecture into lasting institutional capability.

Recent engagements include building and implementing an Enterprise Security Architecture capability within a major government infrastructure organisation, with 21 ESA business capabilities delivered end-to-end; redesigning the CISO operating model for a major national transport integration programme to consolidate a fragmented security function; and facilitating strategic security direction at CTO, CISO, and CIO level across the transport sector, working as a neutral, trusted advisor across multiple independent organisations simultaneously.

I hold SABSA Foundation certification and have completed SABSA Advanced training. I have also trained in TOGAF 9.2 and ArchiMate. I am an active contributor to the SABSA Institute, working on the Security Services Catalogue, Security Attributes, and ArchiMate modelling working groups. I present regularly at COSAC, the leading enterprise security architecture conference, and recently co-authored Governance, Risk and Compliance: Demystifying the Risk and Data Privacy Landscape with Dr Mike Brass.

I am also developing AI-based tools to help security architects and consultants deliver better work faster, and building a security architecture course designed to bring genuine EA rigour into what is still, too often, an under-professionalised discipline.

I am interested in connecting with fellow practitioners, security and architecture leaders, and organisations facing complex security transformation challenges, particularly in regulated environments, critical national infrastructure, and multi-body programmes where political and organisational complexity is as much of the problem as the technical one.

Use At Your Own Risk

The advice and information provided are general guidance only and are given without any warranty or guarantee. Threats, business context, regulatory obligations, implementation constraints, technical dependencies, and organisational risk appetite vary between organisations. Consider your own organisation type, operating model, architecture, and implementation intricacies before applying anything contained on this site. You use and rely on this information at your own risk.