Security Architect: Job Role at a Glance
Security Architects blend their understanding of security software and hardware, organizational security objectives, and security threats with company policies and technical standards.
Security Architects are increasingly becoming an essential part of the security teams. According to the U.S. Bureau of Labor Statistics (BLS), a 5% growth in employment for computer network architects is projected for the years between 2018-2028.
For this blog I interacted with three experienced security professionals, currently working as security architects- Smitha Sriharsha, Cisco; Nityanand Mishra, Novartis and Tarun Bansal, Bosch.
Here are the questions and answers that give a glance at the role of a security architect:
Describe how crucial is a security architect to the organization’s security as a whole.
Security Architect plays an important role in implementing the organization’s real-world use-cases and requirements into a technical secure design that is understood by developers for easy and clear enforcement. A security architect helps in improving the security posture of the product and ensures a security-based development mindset. In almost all organizations, Secure-SDLC is followed so that security is inhibited in the product in the design phase. Security architects perform threat modeling and risk assessment so that S-SDLC is followed.
Thus they help to bring security early in the process to avoid any heavy roll-backs later.
How essential is having the “hacker’s perspective” for a security architect and how can one develop it?
A security architect should have the mindset of an ethical hacker and should be able to think about all possible threats, vulnerabilities, and motives, and how to protect the systems from the threat actors. “Hacker’s perspective” distinguishes a security architect from a regular system architect.“You cannot design a secure system until you know how to break it”- this statement applies the other way around too. Therefore, a security architect needs to critic his/her designs in all possible ways. This can only be done by knowledge sharing- discussing, contributing and conducting reviews with multiple people, like group discussions.
How does the security architect gain an understanding of the company’s systems and use that knowledge to implement security measures and user policies and protocols?
A security architect has to closely work with the concerned infrastructure and development teams to understand the system architecture closely to gain an understanding of the loopholes that the adversaries may exploit and secure them. She/He has to go through the design documents, existing security specifications, prerequisites for the new technologies, etc. to identify the appropriate controls and determine the forthcoming steps and remediations.
Hence a systematic approach to do the complete Threat and Risk Analysis is essential. Security-relevant use cases and standard risk evaluation practice enable a security architect to do the intended tasks.
What are some must-have technical skills for becoming a security architect?
The fundamental technical skills and concepts required (but not limited to) for the security architect job role are listed as follows:
- Strong network concepts
- Cryptography, Information security (CIA)
- Secure Development Life Cycle
- Access Controls
- System administration skills
- Developing hacker’s mindset
These listed skills are not enough for a security architect role, other technical skills and interpersonal skills are also important.
What are some significant interpersonal skills that a security architect should possess?
The ability to explain and communicate technical ideas with real-world examples and hence being a good storyteller is a must-have skill for security architects. To become the best translator between management and developers, they should be able to switch between different departments like talking to Management in risk-based language, Developers in requirements-based language.
Leadership, information management, networking are also quintessential. Security architects alone cannot discover and answer all security issues, therefore they should know who is the right contact/role to be reached for a specific case. Persuasiveness and good presentation skills are also important for a security architect.
How can students or aspirants aiming for security architect roles in the future develop the skills required for the security architect role?
Foundational technical skills and knowledge should be strong and clear. Network security concepts are vital to gain an understanding of any system and network. This will be beneficial for security architects to adopt and understand the new technologies. Developing both the developer’s and the hacker’s perspectives is important. Interest and passion in security, being updated with new trends and technologies are significant.
How essential are certifications for the job role of a security architect?
Certifications are a plus point and help an individual stand out from the general crowd. They don’t guarantee a job but help in boosting the profile for the concerned role. CISSP is a good certification for high-level roles such as that of a security architect.
Certifications are not mandatory but still vital to show the proof that one is equipped with ongoing trends, practices and state-of-the-art. Certifications provide the confidence that the person is up-to-date which can be beneficial, rather than earning the certificates for proof basis.
How do the roles and responsibilities of a security architect vary from large and developed organizations to startups or developing organizations?
Security architect roles and responsibilities remain the same in both cases, but effort varies to a large extent.
Mature organizations already have defined processes, support, baselines, internal case studies, internal groups to discuss, thus save a lot of time for a security architect so that she/he could work on multiple projects simultaneously.
In developing organizations, this is completely the opposite. Security architect needs to put more effort to bring the above-mentioned stuff in streamline, but the advantage here is learning from scratch. This is itself a reward in new organizations which boosts the confidence of organizations and security architects.
With the increasing complexity and variety of attacks, how do security architects keep themselves updated with the latest security trends and threats?
Security is a vast domain that observes daily changes in policy, threats and adversaries. Networking, joining, and participating in different communities, webinars are great ways of being updated. Apart from this going through threat intelligence feeds and security bulletins can help to be updated with the latest threats and trends.
After a significant cyber-attack/data breach that affects the usual functioning of the organization, how does a security architect contribute to the security team of an organization?
A security attack is a great learning experience to improve and shortcoming and avoid its further exploitation. Attacks will happen because security and stability are inversely proportional. No product and service are risk-free and security assumptions are meant to be broken with time, therefore an organization is always vulnerable to an attack.
A security architect’s key role is to help analyze the impact and risk and imply the mitigation techniques. Security architect sets out to address the present condition and future steps to prevent the attack. She/He lays out the detailed assessment of the mitigation options. It is an ethical duty for a security architect to stick to the process and raise any security gaps to the management. She/He must participate in the process (TARA, SDLC, ISO) maturity and enforcement
Disclaimer: The blog is based on certain perspectives and not everyone may agree with the points outlined here. The roles and responsibilities are not ideal, they change from person to person and organization to organization.
This brings up to the end of the blog. Hope you had a good read. Ciao!