What does a security architect do?

[00:00:05] Chris Sienko: Welcome to the InfoSec Career Video Series. This set of short videos will provide a brief look into cybersecurity careers and the experience needed to enter them. Today I'll be speaking with InfoSec Skills author, Leighton Johnson, about the role of security architect. And fun fact, Leighton was also the very first guest on our CyberWork podcast. So go check that out. Without further ado, though, let's get into it. Welcome, Leighton.

[00:00:29] Leighton Johnson: Thanks, Chris. Good morning.

[00:00:31] CS: So Leighton, let's start with the basics. What is a security architect? And what exactly does a security architect do? What are the day-to-day tasks?

[00:00:39] LJ: The security architect creates, plans and provides guidance on implementation of security solutions for the organization. They are knowledgeable in, obviously, security, and systems, and networks, and computing. But they're also going to be knowledgeable in risk management, in strategies and in the overarching IT infrastructure architecture that the organization has.

[00:01:07] CS: So this is obviously not going to be an entry level position. How does one become a security architect? I know it's a fairly advanced job title. So can you walk me through some of the experiences that you would need to become qualified for this job role?

[00:01:20] LJ: Sure. First, you need to know the security components directly. So things like having educational components, whether it’d be a degree in cybersecurity or an information security is a good start. Another way, which was the path that I took, was to gain years of experience on top of professional certifications and utilize those in security, those certifications in security, and in IT, and those types of things, to gain an understanding of what's necessary for the organization. The third thing you always have to have is an understanding from an organization view of how they deal with risk. So you need to understand risk management and how it's implemented within the organization.

[00:02:15] CS: Now, you mentioned formal degrees in either cybersecurity or information security. And you also mentioned certifications. What type of certs would help you in supporting your knowledge base?

[00:02:27] LJ: Well, I would typically approach it. And what I often recommend to people is to approach it from starting with basic security certifications like Security+, CompTIA, which I know InfoSec delivers. CISSP. And then move into the CISSP from (ISC)². They have a concentration in architecture specifically that follows it. It's called ISSAP, Information System Security Architecture Professional. It helps with the big picture of what you have to focus on.

[00:03:06] CS: Great. So yeah, that's a great set of educational milestones, set points. So breaking it down into a more granular level, what's skills, either tech skills or soft skills, does a security architect need to do their job well?

[00:03:23] LJ: They have to have skills in understanding how security components work. Firewalls, intrusion detection systems, network access, segmentation. How operating systems employ security? Windows, Linux, Unix, Macintosh. And then how the components work together? So where do they work? How do you route information? How do you keep it secure? In today's world, in the last 18 months, for example, how do VPNs work? How do you do remote access and keep it secure? Those types of things would be where they work with on a day-to-day activity.

[00:04:07] CS: Now, I'm imagining that most people who want to get to security architect probably have one or more of these tools in their toolbox? Is there a way of sort of looking at sort of holistically at like what a completed – Something that a security architect has created? Like, I mean, like chess masters learn by old chess moves. Is there a way to look at like well-designed –

[00:04:31] LJ: Well, yeah. I mean, you start from an architectural standpoint. I mean, security itself has been placed into the enterprise architecture tools kit that most organizations, at one way or another, have, whether it’d be internationally or nationally. There are tools and techniques out there around the US federal space, which has their federal enterprise architecture, which has a security architecture component. These days, they added that in the last 10 years since they originally created it. DoD also has one in their architecture framework they call DoDAF that has a security component to it. TOGAF, SABSA, these are specifically focused on the security side of the IT utilizations that – So these are other starting tools.

And then you get into classic mechanisms around understanding network data flows and those types of things. So data flow maps, and data flow diagrams, and system design components. Coming out of the general development arena, whether it’d be internationally from ISO, or ITIL, or common tools are available today from places like COSO, and COBIT, from ISACA, and that type of thing, all our tools that we would use to help design out the resistant resilient architectures needed to ensure that the requirements for all the components are in place, and then check them.

One of the other things that a security architect does every day is check what's working, right? They do vulnerability assessments. They'll do risk reviews. They'll do updates based on security engineering mechanisms. So they'll have a foot in that field. They'll have a foot in the field of implementation. They don't put it in, but they guide how it gets put in.

[00:07:06] CS: Got it. Now speaking on a micro level in terms of tools, are there common tools that security architects use? Are there any sort of open source ones that people can play around with? Or is this a lot of very sort of vendor-specific proprietary?

[00:07:22] LJ: Both SABSA and TOGAF are open source. So you can get both of those. The architectural components in DoDAF and the architectural components in FEA are also open. You can go to those locations, one in the DoD architectural world, one in the Federal architectural world, which is run openly by the CIO Council, the US government, which is all the CIOs of all the agencies. And they manage the Federal Enterprise Architecture program.

[00:07:59] CS: Now, where do security architects work? A lot of job roles will have – They're better as a freelancer, or they only work in-house. Is this something where you're basically going to work with a company for a long haul? Or is it do you kind of ride in like the man with no name, and then move on once you've started designing things?

[00:08:19] LJ: As a consultant. I got you. Most of the security architects that I've worked with and that I did were regular employees of companies. They work not necessarily at a system level. They typically would work above that, where they would approach it from, say, a business unit level. And so they would get a sense of how the business does their activities. And so they would be a regular employee. They would be looking at different parts of the organization. And so they would have, and gain over a period of time, institutional knowledge of how they do things. And that makes them even more valuable to the organization because then they'll be the ones who know where one thing is handled. If it's not handled in a particular system, it’s handled somewhere else. They're the architects of our layer defenses for security is what a security architect does. They're the ones who map it out.

[00:09:26] CS: Mm-hmm. Mm-hmm. I love that. So, yeah. Now speaking to like private versus federal space, are there extra layers? Because I know you also teach CMMC with InfoSec. Are there additional layers to the way security architect works in a federal or military space?

[00:09:43] LJ: Military, yes. Federal, generally, no. Virtually, all the federal agencies have an enterprise architecture division. And that's where their security architects will be. Generally, they're not going to be assigned to a particular subagency or subdepartment of a federal agency. They're going to be, as I said, working with multiple organizations. Now, commercially, what I've seen when I worked with Blockade, when I worked with other organizations as a regular employee, we would be up from the actual delivery organization that's doing the product or the service or producing whatever it is for the company up a layer or two, but still be exposed to what they're doing on a relatively frequent, often weekly basis, around what they have. Basically, because the security architect in the commercial world also has an extra role, which I've seen where they are the ones who create the standards for how the security is going to be implemented across the lines of business, across the unit, based upon what the business needs are.

[00:11:09] CS: Got it. Now, for people who are moving towards security architect and then want to use it as a pivot point, what other roles can you move into from security architect? Is this especially suited to move you towards like CISO, or manager, or something even higher?

[00:11:24] LJ: Well, it'll move you up to technical scale dramatically.

[00:11:27] KP: Yes.

[00:11:28] BM: Because you're the one, as a security architect, who understands the layout of the security for the whole organization. And so you'll end up working potentially as a CISO, which is what I ended up doing. But I've certainly seen security architects as the technical lead for the CISO, because, of course, CISOs have to worry about budgets and the other things. So they would be the point person for that. I've certainly seen them provide support on special projects and those types of things as well.

[00:12:12] CS: Now, for people who are watching this video, whether they're a security analyst, or a pen tester, or something who are ready to get started, what's something they can do right now after they turn this video off that will move them towards the goal of becoming a professional security architect?

[00:12:26] LJ: Understand, one, where – You're going to be looking at vulnerabilities and weaknesses in the security anyway. But you're going to have to be doing it from two perspectives. You're going to have to be doing it from the security perspective. And you're also going to have to be exposed to where those exists in the business and what the business is doing. And so you always got to have two eyes when you're looking at it, two viewpoints. One from the business perspective, as well as one from the IT security perspective, both sides.

[00:13:02] KP: Got it.

[00:13:02] BM: And so which side that you feel less comfortable with, go learn about, all right? Within the business especially. And that will increase both what you can do as a security architect and obviously increase your value to the organization as well, and help your career progression.

[00:13:24] CS: Perfect. Leighton Johnson, thank you so much for your time and insight today. It's always great to talk to you

[00:13:28] LJ: Nice. Good to talk to you too, Chris.

[00:13:31] CS: And thank you all for watching this episode. If you'd like to know more about other cybersecurity job roles, please check out the rest of InfoSec’s Career Video Series. We'll talk to you next time.