Education :
Bachelor’s or master’s degree in computer science, information systems, cybersecurity or a related field.
Security And Technical Experience
The security architect should have direct, documented and verifiable experience with the following:
- Experience in using architecture methodologies such as SABSA, Zachman and TOGAF
- Direct, hands-on experience managing security infrastructure such as firewalls, IPSs, WAFs, endpoint protection, SIEM and log management technology
- Verifiable experience reviewing application code for security vulnerabilities
- Direct, hands-on experience using vulnerability management tools
- Documented experience and a strong working knowledge of the methodologies to conduct threat-modeling exercises on new applications and services
- Full-stack knowledge of IT infrastructure:
- Applications
- Databases
- Operating systems (Windows, UNIX and Linux)
- Hypervisors
- IP networks (WAN, LAN)
- Storage networks (Fibre Channel, iSCSI and network-attached storage)
- Backup networks and media
- Direct experience designing IAM technologies and services (e.g., Active Director, LDAP, Amazon Web Services’ [AWS’] IAM)
- Strong working knowledge of IT service management (e.g., ITIL-related disciplines):
- Change management
- Configuration management
- Asset management
- Incident management
- Problem management
- Experience designing the deployment of applications and infrastructure into public cloud services (e.g., AWS or Microsoft Azure)
Industry And Regulatory Experience
The security architect is expected to have documented experience with the following:
Regulations, Standards And Frameworks
- Payment Card Industry’s Data Security Standard (PCI-DSS)
- Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH)
- Validated Systems (e.g., Good Automated Manufacturing Practice [GAMP])
- Sarbanes-Oxley Act
- General Data Protection Regulation (GDPR)
- Privacy Principles (best practices)
- International Organization for Standardization (ISO) 27001/2
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- International Traffic in Arms Regulations (ITAR)
Industry, Market Or Sector Experience
Business-Related Skills
The security architect at a midsize organization is expected to contribute his/her insights not only to colleagues within the security team and the CISO, but also to colleagues within IA, risk management and other line-of-business teams. To ensure that security-related matters are adequately conveyed, the following skills are required:
- Strategic planning skills — The security architect must interpret business, technology and threat drivers, and develop practical security roadmaps to deal with these drivers.
- Communication skills — The security architect will be required to translate complex security-related matters into business terms that are readily understood by the CISO and line-of-business colleagues. The security architect should anticipate presenting his or her analysis both in person and in written formats.
- Financial analysis — As part of the due diligence of security technologies, the security architect will be expected to evaluate the financial costs of recommended technologies. Specifically, the security architect will need to quantify purchasing and licensing options, estimate labor costs for a given service or technology, and estimate the total cost of operation or the ROI, or payback period for services or technologies that are replacing existing capabilities.
- Project management — Security services and technology implementations will require solid project management skills. The security architect will be expected to draft project plans for security service and technology deployments, and coordinate with stakeholders across the organization.
Required Certifications
The security architect will evidence his or her knowledge of security and risk management through ongoing continuing professional education. The ideal candidate will maintain one or more of the following certifications.
- ISC2’s CISSP, ISACA’s CISM, ISACA’s CISA, The Open Group’s TOGAF, SANS’ GAIC, IAPP’s CIPT
Skill Required
