Professional development

How to become a security architect

December 30, 2019 by Greg Belding

The guest of this episode of Cyber Work is Leighton Johnson, CTO and founder of ISFMT (Information Security Forensics Management Team). Chris Sienko, the host of Cyber Work, spoke with him about how to become a security architect. Leighton has 40 (yes, 40!) years of experience working in information security and 20 years of experience working as a security architect. 

Without further ado, get ready for top-flight tips from one of the world’s top security architect experts about how to move from being a security newcomer to a security architect.

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

How do you become a security architect?

To become a security architect, you first need a firm security footing. Earning a certification is a good idea, and Leighton suggests you start with an introductory certification like CompTIA Security+. 

Aspiring security architects should start by working a few years in the field and learning what they will be doing daily, eventually moving toward understanding the technology behind it and gaining some additional education.

The next step is to become a security engineer, doing things like installing systems and hardening them. Then comes security architect, which is a culmination of all the experience that came before it: security architects need to understand everything as opposed to having compartmentalized expertise. 

What types of jobs and responsibilities is a security architect part of on a daily basis?

Security architects have several high-level responsibilities they perform daily. These include:

  • Reviewing enterprise architecture from an IT perspective to ensure proper placement of security components
  • Looking at where best to place authentication mechanisms
  • Keeping an overarching view of IT, security and network
  • Risk and risk advisory — giving recommendations for options of dealing with risk in both the IT and the business side of things
  • Reviewing technology policies and procedures

What kind of projects and reading should you be doing if you’re interested in becoming a security architect?

Leighton suggests spending time finding out what cybercriminals are doing and then building organization security to stop them. 

You should find out the different cyber arenas your organization has and understand what needs to be done to handle risk. Leighton researches two to three hours per day, attends both webinars and conferences, and recommends that you do the same. Security is dynamic and changes every day, so you should be able to keep up with this intense amount of change.

What certifications should you earn on the path to becoming a security architect?

The first level of certifications to earn is the introductory security ones, Security+ for example. The next level is the more intermediate ones, including CISSP and CASP. Lastly, aspiring security architects should earn as many security architect certifications as possible.

Vendor-specific certifications are helpful and can help advance your career. However, know that what you will learn will not apply to every other vendor the same way, so make sure to distinguish what knowledge can be applied elsewhere.

What hands-on activities should you enjoy to pursue this career?

Aspiring security architects should enjoy the following:

  • Understanding servers: how they are set up and configured, and the different kinds of servers available
  • Understanding storage: devices, types, methods and how it works
  • Understanding the elements of security architecture, including hands-on build-outs, whether certain devices will work at certain network levels and more

How can you get ahead in your search for a security architect position?

Being a security architect is a unique position that demands a unique skill set. Leighton suggests earning vendor-neutral certifications because many in the field do not have them. Security architects have even more movement within an enterprise than enterprise architects, so learn as much as you can about the organization.

What are some common mistakes infosec aspirants make along the way?

Security architects need to understand the big picture. Many become security architects by transitioning from a related field (like security, network or IT) and do not understand how all the pieces fit together. For example, someone who becomes a security architect from a network background may miss how the role connects with the business side of things.

This is the most common and dangerous pitfall, as security architects need to know it all. 

What is one thing you could do today to move towards becoming a security architect?

Leighton offers three suggestions for what you can do today to move toward your goal of becoming a security architect.

First, you should always be inquisitive. Security changes every day, and you will need to be a lifelong learner just to keep up with it all. 

Second, understand your organization’s business. You need to know what its lines of business are, how they work, why the organization is doing them and how to support them.

Lastly, you need to know how you can support the organization (or business line). The security architect role touches nearly every aspect of an organization, so understanding how you can support the business end of things is a sort of icing on the proverbial cake.

How might the role change in the future based on current and upcoming technology?

Leighton has seen an enormous amount of change throughout his career, mostly due to technological changes. This dynamic change will continue, with new technology (such as IoT and algorithm-based systems) making things increasingly interesting. 

He suggests that you stay on top of technological changes, understanding the issues around this new technology and how people are handling these issues. Security is changing every day, but following this advice will help you keep a step ahead of the game. 


In this episode of Cyber Work, Chris Sienko interviewed Leighton Johnson, a long-running security architect expert. Leighton offered solid advice for aspiring security architects, including what certifications to earn, what interests you should have and moves to help you reach this goal. Stay tuned to Cyber Work for further interviews with some of the movers and shakers of the information security world!

View this episode of the Cyber Work podcast here.

Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing – both as a cybersecurity blogger and for fun.