How to become a security architect

Learn about the life of a security architect in this discussion with Leighton Johnson, the CTO and founder of ISFMT (Information Security Forensics Management Team). Leighton discusses how you can become a security architect, the typical job responsibilities and common pitfalls you may face, certifications that can help advance your security architect career, how security architecture is evolving and more.


Chris Sienko: Hello and welcome to InfoSec Institute's video series. This is the first in a series of videos that we will be doing which will include several types of security information and discussion. I hope you will check back regularly because we'll be covering several different areas of security. Some weeks we'll be doing security awareness topics, some weeks we'll be doing tools of the trade. We will do an occasional tool deep dive. And as we are doing this week we'll be looking at security career paths. Our aim is to break down the journey from security newcomer to an elite security practitioner so if you feel like you're sitting at the bottom of the security organizational ladder and aren't moving up as quickly as you'd like stay tuned.

Our guest this week is Leighton Johnson and he'll be talking to us about the path to the role of security architect. Leighton is the CTO and founder of the Information Security and Forensics Management Team, a provider of computer security, forensics, consulting and certification training. He has presented computer security, cyber security and forensics classes and seminars all across the United States and Europe. He has over 35 years in computer security, cybersecurity, software development and communication equipment operation and maintenance.

Leighton's primary focus areas include computer security, information operations and assurance, software system development life cycle focused on modeling and simulation systems, systems engineering and integration activities, database administration, business process and data modeling. With InfoSec Institute he has taught CISSP, CISA, CRISC, CISM, Security+, CAP, DIACAP, antiterrorism, digital and network forensic security engineering, security architecture and risk management courses around the U.S. for over the past 10 years. So Leighton thank you very much for being here.

Leighton Johnson: Thank you I'm glad to be here.

Chris: Okay. So I want to start with asking a little bit about just the very beginning points. I'm doing this with the assumption that people who are listening are maybe just getting started in their security adventure and are looking at eyeing the higher level business professional levels without knowing really where to start. So what would be the major steps along the way in the progression of skillsets to become a security architect?

Leighton: Well, first off you have to become a security practitioner so you need to have an introduction to the security world itself whether it be just information security or the subset we call cybersecurity these days. Either way you need to start with that type of background. Potentially through either starting out as an interim person, just beginning in the security arena like getting your security plus or your first level certification just starting out that particular way. Then you need to spend a couple of years doing that type of activity getting used to the varying different types of security roles, log reviews, checking your management systems, looking at what's going on from an IDS alert alarm, possibly working on firewalls, those types of things starting out first.

And then gradually work your way into understanding the actual technologies behind them and as you begin to understand and work with the technologies and you gain some experience as well as some additional education you can then work your way towards becoming a security engineer. Once you do that those are the people who are putting in the devices, they are the ones who were installing the security components, they are the ones who are hardening the systems and the servers and the software, those types of things. And then you work your way to becoming a security architect after that.

Chris: Okay. So it sounds like any other yeoman tradesman system you're learning on doing all sorts of things until you start to find the areas that specifically pertain to this and then you get better at a narrowing set of skills.

Leighton: True. The only thing is as a security architect you need to know all of it and see that's one of the big arenas around architect security versus being a security engineer. Security engineers tend to focus on firewalls uniquely, or on routing, or on servers or on networks whereas a security architect needs to understand all of them. Okay.

Chris: Okay. So, you're really doing the top down, top level thing at every step of it?

Leighton: Right.

Chris: Okay. Because I know many of our viewers have only minimal IT or security experience this is related to that. Can you walk me through the day to day activities of what a security architect does?

Leighton: Okay. I can certainly do that no problem. A security architect typically their daily activities would include things like reviewing the enterprise architecture for the organization from an IT perspective to determine where and what type of security components need to be put in what location based upon what is the organization doing, what is its data flow, where the informational access is coming in. The architect is going to be looking at where best to put authentication mechanisms for the identities, for the people coming onto the network. And then how do they communicate with their systems that they're needing to do those activities and an architect would be the one who would be designing something like that at an overarching view.

One of the second things that an architect often does is look at the organizational risks and to determine what are the best ways to handle them. What are the best types of technologies, policies, procedures, operational activities and even managerial policy potential changes that are necessary in order for the risks to be appropriately handled for the organization from a security perspective? And those are the two big areas that an architect works with each particular day. Sometimes they get into details where they start actually developing an architectural construct an all view, or a technical view, or a security view, a component view of a particular path, a particular information flow for how does someone log in, get to the network, then get to their system, then update their data on that particular system. How does the application handle those authentications behind it and then how do they log off and what happens?

Chris: Okay and I'm assuming that this is a fairly managerial position as well, you're planning but you're also delegating roles or are you doing it all yourself?

Leighton: Well you're advising, you're doing an awful lot of advisory work as an architect. Most of the time architects don't necessarily have a lot of people working for them. They may be in certain lines of business uniquely. I know in my role as a chief security architect I had several lines of business architects who worked for me but for the most part it's relatively a singular role as an advisor, as a consultant to the lines of business as well as to the security and IT folks.

Chris: Okay, I see. Now does this also include a role in moving the C suite in making decisions about security or?

Leighton: Definitely because one of the major roles that a security architect does do as I said earlier is advise how to handle risks which is where the C suite fits in naturally right up front. And then as part of that we have to draft the recommendations, the options for them to make their decisions about how to deal with the risks both in the IT as well as in the line of business arenas.

Chris: Okay. Thank you. Now what activities or projects if you are a lower level security person, they say if you're going to move into a profession it should be something that you enjoy doing all the time, so what activities or projects should you be interested in or really enjoy doing if you're thinking of moving into security architect as a profession?

Leighton: Figuring out what the other guys are doing, the bad guys are doing, and then how to build organizational security to keep that from happening and that's a day to day challenge. Understanding the variety of cyber arenas that are out there that each organization has, some of which they may know, some of which they may not know. And then understanding organizationally in the infrastructure but with the networks, with the systems, with the servers, with the activities, what's going on and what needs to be where in order to handle the risks.

Chris: Okay. And so, do you do a lot of outside research to find, to keep up with these trends or is it really just ...

Leighton: Actually I do probably two to three hours a day.

Chris: Okay. Where do you go? What are you looking at?

Leighton: I go literally all over the internet. I do a lot of conferences so I always try to keep up to date on what's the newest, latest, greatest activities that are out there. How are things handling the new user based mechanisms for accessing computers with their UVEA and all those types of things. So I stay up to date a lot in those arenas. And so, I do a lot of reading and I do a lot of listening to webinars. I do a lot of going to conferences, I probably go to five or six a year, big ones and little ones both. Even ones I'm speaking at I've never stopped. I always go to other people's sessions just to hear what's going on, to see where things are going. I have a couple of areas that I specialize in that I have over 30 years.

Chris: What are those?

Leighton: Incident response and forensics both. And so, those types of things. I'm very interested in how organizations are handling all of the new risks. I've done a lot of work in the last few years in cloud and cloud architectures. I've been a member of the Cloud Security Alliance since it started about eight, nine years ago whenever it was. And so, I do a lot of work in that arena as well.

Chris: Interesting. Okay. So would you recommend lower level security practitioners do what they can to start attending seminars or at least doing preliminary research?

Leighton: Do the webinars, do the stuff that you can get online, do those types of things. If you do it at home you do it in the evenings, you do it on a weekend, when you have some downtime. That's probably the best way to keep yourself up to speed and up to date. This is such a dynamic field it changes every day and since it literally changes every day you have to really understand that you have to be in a constant learning mode otherwise you're going to become static and your systems will become static and that's exactly what those bad guys want. So you've got to be constantly changing and understanding the dynamics.

Chris: One step ahead all the time.

Leighton: You have to be.

Chris: Absolutely. Now what certifications should people pursue on the path to becoming a security architect?

Leighton: Well, the first level is you've got to get your basic security certifications. So starting with the standard, the Security+, the initial introductory ones moving up a level to the more detailed ones with CISSP and with CISP which are the two big major ones that are out there from a security perspective. Then you start looking at the architectural ones on top of that. There is of course, with CISSP there's a follow on one called ISSAP which is the architecture professional. There are other ones that are architecture specific that are out there, SABSA has one which is the open frameworks, architecture framework. If you're working in the governmental vertical there's one called FEAC which is for the federal enterprise architecture. DOD has their own under DODAF which is the DOD architecture framework. These are all arenas around architecturally getting in there.

But primarily you need to understand both how systems work and how networks work together. And so understanding that architecturally those are the big areas you need to work for in getting your certifications is looking at those. Try not to get too specific on vendor activities from devices and those types of things because you're going to have wide ranges of architectural options. If you're working in an organization that's say a Cisco shop then go ahead and do the Cisco, if they're a Juniper shop then go ahead and do the Juniper, but understand that those aren't the only options either from an architectural standpoint. There's so many different vendors and so many different ways that you can look at it you need to generically look at it from a security perspective rather than from a vendor specific.

Chris: Now if you were to get say some of the vendor neutral certifications would there be a benefit in also being subspecialized in the Cisco or Juniper specifically?

Leighton: Sure. Because then you can focus on how does that fit into an architecture, where are all the company's pieces and parts to it those types of things. And certainly that's advantageous in a career path if you want to stick to being in that particular area and understand that all of them are great, they're all super, they all work, so they all have their advantages, they'll get you there. So none of them are any better than any of the others they're all very focused on what they provide as far as their services, as far as their equipment capabilities, et cetera. So most of the major network vendors once you learn the material from say one of them you can apply it to others at least partially uniquely. And our evolving network infrastructures over the years, different vendors have provided whole protocols and whole methodologies that have advanced the entire networking world or the entire server world rather than just uniquely from their perspective.

Chris: Okay. Going to the other side of things what hands on work activities should you be good at and be doing regularly in your job to get on this path?

Leighton: Understand how servers are configured, understand how you set up making the classic hardening of a server. How do you do that? What does that mean? Understand it from an operating system. So you do need to know all the different kinds that are out there. Day to day what do you have to do to configure a Unix box or a Linux box versus a Windows box versus a desktop versus a Windows server? How do you handle SAN, NAS storage? That today's world security being one of the biggest uses of big data ourselves just because they're looking for all the problems and all the APTs that are out there and those types of things you need to understand storage and how it works. So day to day how do you do that? And then the other big thing is understanding what are the architectural elements, those types of things. So that's more hands on. Building an architectural element is it going to work, digging down into the protocols potentially to see if that particular type of device works at that level whatever level it may be in the network and those types of things.

Chris: And what types of companies require security architects and what types of professions or companies should you try? I imagine it's all of them right at this point?

Leighton: Well for the most part people who are operating not people who are vendors.

Chris: Okay.

Leighton: Service organizations, people who are out there making money by providing services to other organizations, information brokerages, service providers, a variety of those types of companies, financial institutions, all those types of things would be where you would want to do that whereas you wouldn't necessarily have that. Uniquely in a vendor space you may and they probably do but it's much more career path oriented towards the normal standard everyday business is going to need it. The bigger they are the more likely they're going to need an architect.

I was just working with a company that had 50,000 employees and they had 10 architects as an example, and one in each line of business plus a couple of principals that were over them that type of thing. So, there's not a lot of architects in a particular company typically because it is such a unique skill set because it covers everything that type of thing but they do have a lot of need for them. And in today's dynamic privacy driven world coming with GDPR in a couple of weeks those types of things, international companies are needing them even more than anybody else right now.

Chris: And we'll be talking about GDPR actually in our next video as well here so you're transitioning us nicely. Now I'm imagining that security architects have a fairly in demand job and there's a lot more candidates than there are positions. So what could a candidate do to put themselves head and shoulder above other people who might be interviewing for the same position?

Leighton: Not that many people have professional certifications, vendor neutral type certifications, in these arenas. There just isn't that big an area for it. Most people usually convert from being a security engineer or being an IT engineer over to being an architect, especially infrastructure architect type things. And they try to pick up the security part but it's a unique subset of that generalized IT infrastructure view that is different. And so, learning the trade mechanisms around security architecture uniquely what the mechanisms are because of course since it permeates all parts of an enterprise from an architectural standpoint it's even a little bit more of a specialty than say an enterprise architect even though they typically work together. I know governmentally in the government vertical industry they usually have an enterprise architect shop for the whole organization one. And then they'll have one per line of business or one per agency and then they'll have one or two security architects and that's it, that type of thing.

So it is a unique area in that once you get the process and you're in being as a security architect you will always be employed number one. Number two you'll be employed well because it is a unique arena. So it's a high demand and not many people can meet all the types of qualifications typically they're looking for because it is such a unique number of skill sets necessary rather than just one or two. You've got to understand IT, you've got to understand security, you've got to understand the combinations, but then you also have to understand how the lines of business do it so you got to be an analyst as well. And some business analytics, risk analytics come into play, all sorts of different things also come into play in understanding security architectures and being a security architect.

Chris: Well, that transitions nicely into my next question. You said that a lot of people don't have this understanding or that qualification. What are some of the common pitfalls that people might make along the way? They think they're on their way but they're studying the wrong thing or they're focusing too much on this or that or not staying abreast as you say of current trends and so forth.

Leighton: The biggest things I've seen is not understanding the business and its attack vectors, what people come after them for number one. And those who do that they're in incident response they're not architects. And so, they miss how to handle the risks. They can identify it but then they are missing the piece about what do you do after you have identified. How do you handle it? How do you fix it? There's a lot of network people who transition over to being architects in various different arenas and they miss the security piece. Or you'll have people who are really, really good at doing general IT and server activities and they'll be trying to become an architect and they'll miss the network piece and so that's part of the issues.

And the big underlying problem I've seen for the most part in the 20 plus years I've been a security architect is that there is a disconnect when someone approaches architecturally from only IT and security and misses the line of business or the other way around. The two have to work together and that's why it's such a unique field is they absolutely require you to have both viewpoints all the time. You can't just have one at one time and one another no you've got to have them both, you've got to wear both hats simultaneously.

Chris: Both hats simultaneously and keeping on top of both industries [crosstalk 00:24:51] So again speaking to the people who are in their day job, you might be in the cube farm and you're not really, it might seem daunting to jump from where you're at to 10 steps up. What's one thing in your current position or life that you could change to put you on the path to security architect? Would you start taking a certification course? Would you ask for different responsibilities at work, do some outside work, anything like that?

Leighton: The biggest thing is be inquisitive about what's going on and why the lines of business are doing what they're doing and how is IT supporting them and are they meeting the needs. Understand how the business is working and the IT is supporting it, either yes or no. I mean sometimes they're more successful than others certainly. And then do some analysis and figure out why. What's missing? Is it because the organization isn't set up appropriately procedurally? Is it a workflow issue? Is it a technology issue? Understand that all three have to be working together and that's what the architect's ultimate goal is, is to get all three of those to work together in supporting the business operations of the organization.

Chris: Now how might the role of security architect change in the future based on current and up and coming technologies? I'm sure it's changed a lot since you got started.

Leighton: Well it has. I've been a security architect for 20 years. I've been in the industry for 40 but I've been an architect for 20 and it has changed a lot. A lot of it has because of the technology changes and because of the people who are sitting behind the keyboard changes. They're much more adept and adapted to working with computing activities nonstop. They're doing it ...

Chris: Is that just because of the permeating of a technology with younger people or?

Leighton: Well technology with younger people and the fact that the businesses are now seeing returns in those arenas which for a long time they were skeptical about but now they're seeing it. And so, I mean the top six companies in the world are now technology companies. So, for years and years and years it certainly wasn't that way but now it is. And so, they're seeing lots and lots of money, they're seeing lots and lots of advancement professionally, personally for people in those arenas that have just dramatically shifted as we've had a series of technologies that came together with cloud, with mobile, with big data, all basically hitting at the same time, all hitting their stride simultaneously. There were obviously technological components behind them with virtualization, et cetera, and moving from 3G to 4G and soon to be 5G in the cellular world and the advances of all the mobile devices with the smartphones and smart everything.

And IoT now is adding to all of this because of course now that means anything and everything that is electrical could potentially be with a CPU which means it can be computing which means it can be a device that is addressable from somewhere. So on and on and on it goes. So stay on top of the technology, stay understanding of what's changing, see where the issues are around them and how people are handling those issues today. As technology advances the methodologies of handling the issues around those technologies advance as well. So it's a little bit of lag typically between the two but we're seeing people get caught up on what's happening in the bad guy world with the hackers and the crackers across the board what they're doing. We're starting to take technologies today and advancing them with AI and with machine learning and those types of things.

Now of course those techniques generally have been around for a long time but they're more advanced now with the algorithmic based review systems that we got today, with the machine learning activities where systems are understanding and learning on their own as things are going on. Those are changing and those are creating another dynamic that will be back to being caught up and then the technology will advance again. And understand it is a dynamic process it is never static. If there's one thing in the cyber world is to understand it's always changing every day.

Chris: That seems like a fantastic place to end there so I think we will wrap up. Thank you very much Leighton Johnson for being with us today. And if you would like to know more about certification study you can visit that's I-N-F-O-S-E-C And if you'd like to read a number of, we have a blog that is There are a number of articles and labs and videos such as this one and I encourage you to visit those as well. So again Leighton thank you very much for your time today and thank you very much everyone for watching.

Leighton: Thank you.

Chris: Take care.
