Never create a security architecture.
A substantial amount of time and effort as well as other resources are required to create a security architecture. Unless risks justify getting systematic, the benefits don't warrant the costs.
Create or update security architecture as part of enterprise information infrastructure design or redesign.
Whenever a major redesign is undertaken, it is an ideal time to architect security along with the new infrastructure. This will help to integrate protection issues into enterprise infrastructure design and save time and money in retrofits and avoid unnecessarily weak protection. Costs will be small compared to the costs of the rest of the effort, and benefits will likely be large.
Create or update security architecture based on changing operational modes.
As businesses change the manner in which they operate, which most often happens when they pass particular thresholds of size, or when they go public, it becomes important to re-evaluate issues related to information protection to meet the substantial changes in the way management and operations function.
Periodically revisit security architecture as technology and systems change.
At least once a year, existing security architecture should be reviewed for changes. In addition, for enterprises that are Defined or higher maturity levels, enterprise inventory and risk control processes should define work flows that cause architectural reviews when risks associated with changes justify such a revisitation.
Continuously update security architecture.
For high risk situations, security architecture should be intimately tied to every element of design and operation, and minor adaptations to each should be made in concert with each other over time. However; these changes should be at the design level whenever possible and architectural changes should only be made when justified, even if the architecture is revisited often.
Create a security architecture.
All other things being equal, if no security architecture is in place, and if none of the other conditions hold, a security architecture should be put in place.