The field of Security is broad in scope and includes many different, specific disciplines. The Security Architect takes all aspects of security, physical and virtual, into account when designing an optimal system of security for an organization. Because the scope is so broad, much education, training and experience is required to be successful in the role. It is the Security Architect who builds the framework for the multi-level network of security features and systems for any given organization. That framework must be compatible with the organization’s needs, interactions and current state to be most effective. Like a Master Builder, the Security Architect has the vision to design a beneficial system and the ability to guide the creation of that system. Final responsibility for the success or failure of security also rests with the Security Architect.
Foundations – Education
While a strong background in computer technology and information technology is very important for this role, specific emphasis must be placed on security when completing an undergraduate degree. In addition to Information Technology, Network Administration and/or Decision Sciences, most employers require a Cyber Security, Network/Information Security or similar degree program or major. This is not to ignore the physical aspect of Security, which is typified by physical site access, identification requirements and passcode management. This is a vital part of the Security environment that the Security Architect must keep in view. Therefore, education in security and criminal justice should not be ruled out. Because the role of Security Architect is at an executive level, security-related post-graduate degrees are recommended.
Career changers who have a computer or network-related degree and experience within the network administration field can pivot their focus to security with additional coursework in a degree-completion arena or specific certifications. Likewise, physical security professionals with a bent toward computer technology can expand their horizons with computer network and cyber security coursework.
The ultimate educational goal for the role of Security Architect starts with a Bachelor’s and Master’s degree in a related field; expert knowledge of the following topics is non-negotiable:
Operating Systems including Windows, Unix, Linux and IOS
Security Attack Pathologies
Physical Security – wired and wireless and point-of-entry
Security Architecture including enterprise and network security
Foundations – Experience and Certifications
There are a number of professional Certifications available that apply directly to the role of Security Architect. Such certifications are aimed specifically at the computer network environment. These include (but are not limited to) the following:
CEH: Certified Ethical Hacker
CISA: Certified Information Systems Auditor
CISM: Certified Information Security Manager
CISSP: Certified Information Systems Security Professional
CISSP-ISSAP: Information Systems Security Architecture Professional
CSSA: Certified SCADA Security Architect
GSEC / GCIH / GCIA: GIAC Security Certifications
ISSEP: Information Systems Security Engineering Professional
Additionally, in order to gain exposure and experience within the field of Network Security leading to a Security Architect role, many organizations offer internships (both voluntary and paid). Internships are a great method to “get a foot in the door” with a specific organization while determining if the environment is a good fit.
Security Architects typically have 5-10 years’ worth of Information Technology, Network Administration, Information Security and other related experience before they are considered for an Architect role. At least 3-4 years of that experience should be specifically related to security.
Foundations – Continuing Education
Due to the nature of the industry, Security Architects never stop training. Change is perpetual, and as network administration, database structure and physical access technology change, so the Security Architect must gain expertise in new systems. Conferences, coursework and industry journals are how a good Security Architect stays up to date and retains value to the organization.
Employment Opportunities – Job Titles
It is important to note that the role of Security Architect is not a starting point – it is a position to be sought via a career path which will include such jobs as Security Administrator, Network Administrator and/or System Administrator, followed by Security Analyst, Security Engineer and Security Consultant. Once the level of Security Architect (including Information Security Architect and Information Systems Security Architect) is achieved, many large organizations have a structure within that role including Senior Security Architect or Chief Security Architect. The upper level of the organizational chart is Chief Information Security Officer (CISO), which is an upper executive-level position. It is worth noting that the nuanced differences between ‘Security Architect’ and ‘Information Security Architect’ are typically the difference between technical skills and managerial skills.
Employment Opportunities – Job Duties
A “day in the life” of a Security Architect is varied, as there are any number of tasks associated with the role. A sample short list includes:
Design and build a security suite for a production environment (including the physical location)
Align security standards with organizational strategy, function and vision
Recognize and identify potential security threats – cyber and physical
Respond proactively to potential security threats
Analyze and identify security gaps in existing architectures
Train users and programmers for implementation of procedures and/or conversion of systems
Test and evaluate current security systems and sponsor disaster training scenarios
The role of Security Architect is not necessarily a “task-driven” position; rather, it is a resource, leadership, design and oversight position. Therefore, the “daily duties” of the Security Architect are better captured in what they are responsible for, as opposed to what they would actually “do.”
Understand All Company Security Systems
Because the Architect role oversees all elements of an organization’s security, ranging from building entry and passcode maintenance to internet access and interfaces, they need a comprehensive understanding of all security systems actively in use by an organization. The Architect must also be sensitive to risks and potential threats to any individual security system in order to provide assurance of safety and data integrity to the stakeholders, clients, vendors and employees. It is the Security Architect’s responsibility to stay abreast of all current security systems’ status, strengths, weaknesses or vulnerabilities and proper maintenance.
Interact with All Levels of Staff, Security Personnel and Leadership
The Security Architect must have first-hand knowledge of all levels of security and access to the organization’s assets. From the security guard at the front door to the vendor logging into the organization’s network to the staff accountant entering data in the bookkeeping program, the Architect must be very familiar with what access is required for each role as well as be able to monitor and adjust access levels as needed (including on short notice). Understanding the nuances of access and specific roles’ needs within the organization is vital to administering an effective suite of security systems.
Manage a Team of Security Specialists
The Security Architect administers a team of trusted, capable security specialists (each with their own specific role) in a coordinated effort to ensure safety of all personnel and assets and integrity of data. Strong people skills are important for this role, as the stereotypical “tech-nerd” is socially awkward and disdains personal interaction. Managing a team of security specialists includes making staffing decisions (“hire and fire”); the Architect will work closely with Human Resources to ensure all proper protocols are followed. This is a sensitive area within a sensitive area. The Security Architect is not only the brains behind the security systems but also the spokesperson on behalf of the organization’s security department.
Report to (and work with) Executive Leadership
The Security Architect position is an executive leadership position, so the Architect interacts with leadership on a regular basis. This includes providing expert input when policy or other changes are being considered as well as reporting status, making recommendations for capital improvement and taking a part in running the organization. Typically, the role of Security Architect is only just below Chief Information Security Officer (CISO) and often, these two roles are combined into a single position. This can also include public speaking opportunities, so there must be a polish to the Security Architect’s verbal presentation.
Stay Informed of Current Conditions
The Security Architect must be aware of new and novel threat types to an organization’s security – both on-site and virtually. The Architect must be current on security technology and be able to evaluate new ideas in terms of feasibility for the organization. Not every “latest/greatest” technology is the best thing for every organization. Discernment and analytical skills are required in this role. However, when an upgrade, enhancement or change is warranted, the Security Architect must know first how to define and explain the benefit to the organization’s leadership, then how to incorporate the upgrade/enhancement/change into the present system, and how to effectively implement the change and work with impacted teams and staff to ensure a smooth transition.
The role and position of Security Architect is designed for well-seasoned, well-tested security experts. The knowledge requirements alone make this an intellectually high-level position reserved for those who excel at their craft through the lower levels (climbing the corporate ladder). This role is high up on the organization chart and, while the position represents a lofty goal, it is difficult to attain. This high-level position has a high set of performance standards, which must be met or exceeded consistently over time.