
Authors: Jason Pappalexis, John Whetstone and Will Fisher

Publish Date: February 25, 2018

Enterprises deploy security controls to reduce cyber risk. While the security effectiveness and performance of individual controls are critical metrics to evaluate when gauging an enterprise’s overall risk posture, these metrics do not provide the full picture. Many other factors, including network architecture design, must be evaluated.

A well-designed IT security architecture (i.e., the type, number, and location of security controls within an organization) can improve an organization’s threat detection capabilities and thus reduce its cyber risk. However, the IT security architecture is only as effective as its underlying network architecture, i.e., the framework in which its controls are deployed. Even the most cohesive IT security architecture cannot effectively defend a network that is not architected to be defendable.

This brief is part of a series on security controls deployed by US enterprises and includes aggregated usage statistics for architecture frameworks across small and medium-sized, large, and very large enterprises.