Cybersecurity is no longer a topic reserved for IT departments. Its financial, legal, and business impacts make it a strategic concern for the entire organization. To address it, knowledge of the information system (IS) and enterprise architectures must be shared, dynamic, and integrated into business processes.
In this article, we bring together the perspectives of two committed experts: Charly Pierrat, Enterprise Architecture Consultant at Projexion, and Samuel Fourreau, Product Owner at AB+Software, publisher of myCarto. Together, they share their convictions and experiences on how mapping and architecture are becoming the foundations of cybersecurity.
Why have cybersecurity and legal compliance become critical issues for organizations, beyond the IT department?
Samuel Fourreau: The question includes two interesting dimensions: how the level of criticality has evolved, and how its scope has expanded within the organization.
To me, two main reasons explain this criticality: technological evolution and societal context. Today, most systems are interconnected and hosted in the cloud. This leads to more applications, more exposed services, more interconnections between systems and therefore more attack surfaces. Add to that the widespread use of remote work and a tense geopolitical context, and you’ll understand why cybersecurity has never been more strategic. In many cases, we’re no longer talking about lone hackers but well-structured organizations with significant resources.
As for organizational scope, what’s changing today is that cybersecurity is no longer just a technical matter. It directly affects business continuity, financial performance, and even reputation. Regulations like GDPR or the NIS2 directive impose strict requirements, backed by potentially massive penalties. While IT still often leads the way, the impacts, and therefore the necessary involvement, concern the entire organization.
On top of that, data is at the heart of everything. A data breach or corruption isn’t just an IT issue: it affects customers, users, and sometimes the entire ecosystem. If a provider is attacked, you may have contractual clauses to fall back on—but the damage is done: loss of trust, reputational harm, even business shutdowns.
Charly Pierrat: Massive digitalization has dramatically multiplied entry points, and most attacks now target people, through phishing, social engineering, etc. It’s no longer enough to secure servers, you have to educate teams. With some clients, for example, we simulate phishing campaigns to measure cyber maturity. Cybersecurity is a culture that must be instilled throughout the organization!
In our role as enterprise architects, this translates into strong requirements around awareness, design, and processes. For example, before integrating a solution, the vendor must provide solid guarantees: compliance with standards, security audit results, access protocols, update capabilities… It’s not just about features, it’s about the vendor’s overall security posture. This kind of reflex helps reduce blind spots.
What does “controlled and well-understood architecture” mean in an organization? And why is it a prerequisite?
Charly: It’s simple: you can’t secure what you don’t know. A controlled architecture is one that’s documented, shared, and updated in real time. That means knowing what the critical assets are, where applications are hosted, what flows exist between them, who’s responsible, and what the incident response plan is. Without that visibility, it’s impossible to assess risk or prepare for disaster recovery.
“I often compare it to a house: if you don’t know where the doors and windows are, you can’t secure access. And without a floor plan, you don’t know how far a thief can go in a limited amount of time!”
Charly Pierrat – Enterprise Architecture Consultant at Projexion
When we talk about “controlled,” we’re also referring to industrializing the approach and ensuring it fits the company’s standards and context. That includes how the model is used and how communication is adapted across all levels, using appropriate granularity.
Samuel: I agree with Charly’s definition, and I’d add two elements: visibility and clarity. Implementing a mapping tool often highlights the need for a common language. Here’s a concrete example: in a company with low maturity, ask four people what an “application” is, and you’ll get four different answers!
Mapping is therefore an opportunity to standardize: gather stakeholders, define a clear naming convention, use consistent granularity, and share a common vocabulary. That’s crucial, because cybersecurity affects the entire organization and relies on documentation that everyone can understand. With the rise of phishing and social engineering, every employee is now part of the security effort. But to play their role, they need to be on the same page. This also connects to compliance: you must be able to demonstrate it and convince your stakeholders!
Beyond IT, mapping should be seen as a medium for this control. At AB+Software, we believe it should be at the heart of processes, not just tucked away in application corners. It should connect processes, business lines, and the company’s overall vision, and deliver outputs that are useful to all stakeholders: business departments, project teams, and new hires.
“The more value mapping brings to each actor, the more it will be maintained and kept alive!”
Samuel Fourreau – Product Owner at AB+Software
What are the main concrete benefits of controlled architecture for cybersecurity?
Charly: The first benefit is identifying the attack surface and risks. A well-structured map makes it easy to analyze weak points and apply appropriate countermeasures.
The second is anticipation. In architecture, you’re constantly choosing between different scenarios. Mapping lets you visualize the impact of those decisions, including risk. It helps you make informed trade-offs and justify choices to executives or auditors. It also becomes a key asset during audits to explain what’s been done to secure the IS.
Samuel: A risk-free architecture doesn’t exist. The key is to know the risks, assess them, and explain how they’re being controlled. Mapping helps structure this analysis: it allows for industrialization, helps spot current vulnerabilities, and anticipates future ones, for instance, those that will emerge after an update.
“The more you standardize, the fewer blind spots you leave behind!”
Every architecture has weak points. Taken alone, they’re manageable. But when combined, they can open up unexpected vulnerabilities. Mixing heterogeneous architectures without common rules greatly increases the risk. By defining standards, you limit these edge effects, simplify management, control dependencies, and reduce exposure linked to system interconnections.
How can “security by design” principles be integrated from the earliest architectural stages?
Samuel: Our vision is to encourage clients to approach architecture and mapping projects from a collaborative, multidisciplinary angle. That means including different perspectives right from the start, because everyone plays a key role: business, IT, security officers, architects. Cybersecurity teams should be involved early on to express their expectations in terms of documentation and architecture.
This collective effort not only involves all stakeholders, it also helps clarify requirements: define what’s expected, how to document it (runbooks, architectural documentation…), and how to update standards over time.
There’s no need to reinvent the wheel: there are tried-and-tested frameworks and methodologies to structure these efforts. Using them helps avoid classic mistakes. Finally, this process must be ongoing, with regular reviews, so that security becomes an integrated principle from the design phase throughout the system’s lifecycle—not a last-minute check.
Charly: To me, anticipation is key. From the design phase, we need to define architectural principles that are clear and shared by everyone. These principles become guardrails—for example, mandating two-factor authentication and SSO for all applications. It sounds obvious… but if it’s not formalized and shared, it won’t happen consistently.
As an enterprise architect, my role is also to get all business units on board with these requirements, including the DPO. I agree with Samuel: collaboration among all players is essential.
It’s precisely at the model or reference architecture stage that we must identify potential flaws and reduce their impact. How? By studying the most common attack vectors and embedding that knowledge into the design. It also means ensuring that chosen technologies won’t become obsolete in the short term.
“Designing a system that’s outdated in two years is like creating a future security hole!”
There’s no magic tool or single reference for cybersecurity: it’s a multifactorial topic. However, we can enhance our metamodels with critical attributes, for example, to flag technologies that pose a known risk in their current version. To support this approach, Projexion offers a dedicated toolbox for enterprise architecture modeling, with practical resources tailored to different contexts.
What tools or methods do you recommend for keeping architecture up to date while integrating security?
Samuel: Mapping is obviously a central tool. But inaccurate documentation is worse than none at all. At AB+Software, we focus on two things to keep documentation updated: involving stakeholders and embedding it in processes.
We recommend placing mapping at the heart of IT governance. That means adapting processes to make updating a mandatory step: for example, no production go-live without updated documentation. Also, if only one person handles updates, the risk is high. In a collaborative setup, if 10 people access the information, at least one or two will report discrepancies.
Of course, we must reduce reliance on humans alone. That’s where automated discovery and monitoring tools come in, allowing discrepancies to be detected without waiting for a manual check.
“Our belief: if you’re unsure about a piece of data, treat it as a minus, not a plus. You can’t build a reliable model on shaky assumptions!”
In our project methodology, we take a progressive approach: start with what can be collected automatically, without human effort, to build a solid base. Then enrich it gradually with inputs from contributors: application records, architectures, interactions. These flows and dependencies are what deliver the most value… and motivate teams to contribute, because they see the benefit!
Finally, pragmatism is key: start with critical areas, the ones with the most interactions and risks. Take advantage of opportunities: if your HRIS is being redesigned, that’s the perfect time to model! And remember: mapping is a living process, it evolves over time.
Charly: I agree with Samuel’s points. For a long time, architects retained full control over modeling. But increasingly, delegating part of the update process makes it more responsive and better adopted. That’s why we establish governance structures, defining who updates what, when, and how.
Granularity is another key issue: the more detailed it gets, the harder it is to maintain. You need to strike the right balance and rely on tools to automate wherever possible: vulnerability detection, outdated version identification. No one has time to manually check all library vulnerabilities: automatic identification is essential.
To conclude, what’s in the model is often considered the truth. So we can’t afford to put in uncertain data! Better a partial but reliable map than a complete one that’s partially wrong. Start with a limited, well-controlled scope, and once that’s proven, expand gradually to other departments.
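The two ideas from the answers above, a metamodel carrying a "known risk in this version" attribute on technologies, and governance rules that make documentation a go-live gate while counting uncertain data as a minus, can be sketched as a small model with checks over it. The following Python is an added example, not myCarto’s data model or Projexion’s toolbox; the application names, technologies, flows, known-risk list and dates are all constructed for the illustration.

```python
"""Toy enterprise-architecture map with security attributes (constructed example).

Models applications, the technologies they run on, and the flows between them,
then runs two checks: flag technologies on a known-risk list, and enforce a
go-live gate where missing, stale or unconfirmed documentation blocks a release.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Technology:
    name: str
    version: str


@dataclass
class Application:
    name: str
    owner: str | None                 # None means the owner is unknown (uncertain data)
    technologies: tuple[Technology, ...]
    doc_updated: date | None          # last documentation update, None if never documented
    confirmed: bool                   # True once an accountable person validated the record
    critical: bool = False


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    protocol: str


# Constructed known-risk list: technology versions the security team has flagged.
KNOWN_RISK = {
    Technology("ExampleFramework", "1.2"),
    Technology("LegacyDB", "9.0"),
}


def risky_technologies(app: Application, known_risk=KNOWN_RISK) -> list[Technology]:
    """Return the technologies of `app` that appear on the known-risk list."""
    return [t for t in app.technologies if t in known_risk]


def dependencies(app_name: str, flows: list[Flow]) -> tuple[list[str], list[str]]:
    """Return (inbound, outbound) peer application names taken from the mapped flows."""
    inbound = sorted({f.source for f in flows if f.target == app_name})
    outbound = sorted({f.target for f in flows if f.source == app_name})
    return inbound, outbound


def go_live_blockers(app: Application, release_date: date,
                     max_doc_age_days: int = 90, known_risk=KNOWN_RISK) -> list[str]:
    """List the reasons that block a go-live; an empty list means the gate passes.

    Uncertain data counts against the application: an unknown owner or an
    unconfirmed record blocks the release instead of being silently accepted.
    """
    blockers = []
    if app.doc_updated is None:
        blockers.append("no documentation on record")
    elif (release_date - app.doc_updated).days > max_doc_age_days:
        blockers.append(f"documentation older than {max_doc_age_days} days")
    if not app.confirmed:
        blockers.append("record not confirmed by an accountable person")
    if app.owner is None:
        blockers.append("owner unknown")
    for t in risky_technologies(app, known_risk):
        blockers.append(f"known-risk technology: {t.name} {t.version}")
    return blockers


def review_map(apps: list[Application], flows: list[Flow], release_date: date, **kwargs) -> dict:
    """Run the gate over every application and attach its mapped dependencies."""
    report = {}
    for app in apps:
        inbound, outbound = dependencies(app.name, flows)
        report[app.name] = {
            "blockers": go_live_blockers(app, release_date, **kwargs),
            "inbound": inbound,
            "outbound": outbound,
        }
    return report


# Constructed sample map: three applications and three flows.
RELEASE = date(2025, 6, 1)
SAMPLE_APPS = [
    Application("Portal", "web team", (Technology("ExampleFramework", "2.0"),),
                doc_updated=date(2025, 5, 20), confirmed=True),
    Application("CRM", None, (Technology("ExampleFramework", "2.0"),),
                doc_updated=None, confirmed=False),
    Application("PayrollHR", "HR IT", (Technology("LegacyDB", "9.0"),),
                doc_updated=date(2024, 11, 1), confirmed=True, critical=True),
]
SAMPLE_FLOWS = [
    Flow("Portal", "CRM", "https"),
    Flow("CRM", "PayrollHR", "jdbc"),
    Flow("Portal", "PayrollHR", "https"),
]

if __name__ == "__main__":
    for name, entry in review_map(SAMPLE_APPS, SAMPLE_FLOWS, RELEASE).items():
        status = "OK" if not entry["blockers"] else "BLOCKED"
        print(f"{name}: {status} inbound={entry['inbound']} outbound={entry['outbound']}")
        for reason in entry["blockers"]:
            print(f"  - {reason}")
```

In the sample map, Portal passes the gate, CRM is blocked on three counts of uncertain data (no documentation, unconfirmed record, unknown owner), and PayrollHR is blocked because its documentation is stale and it runs a flagged database version; the inbound list for PayrollHR also shows which applications are reached through it, which is the dependency view the interview describes.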
How do you see the architect’s role evolving with cybersecurity challenges in the coming years?
Charly: Architects are becoming orchestrators and awareness leaders. Their role isn’t just technical: it’s also about bridging strategy, security, and operations. Today, it’s no longer possible for CISOs to work in silos. Architectural decisions have a direct impact on cybersecurity posture, and vice versa.
Our value lies in documenting, explaining, highlighting risks and dependencies—and bringing the right stakeholders in at the right time.
“One of the battles for cybersecurity profiles within organizations is being able to communicate with leadership to frame projects and secure proper budgets!”
Charly Pierrat – Enterprise Architecture Consultant at Projexion
Samuel: A few years ago, the CISO was the lone voice for security. Today, cybersecurity is a board-level concern, because the business risk is clear. Architects now play a key role: translating security requirements into concrete choices, while speaking the language of business and leadership.
And this trend is only going to accelerate. Cyberattacks won’t decrease, and regulations will tighten. Architects must become facilitators and guardians: working hand in hand with cyber teams and decision-makers.