What does a security architect do? | Cybersecurity Career Series

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

welcome to the infosec career video series this set of short videos will provide a brief look into cyber security careers and the experience needed to enter them today i'll be speaking with infosec skills author leighton johnson about the role of security architect and fun fact leighton was also the very first guest on our cyber work uh podcast so go check that out but without further ado though let's get into it welcome leighton thanks chris good morning uh so leighton let's start with the basics what is a security architect and what exactly does the security architect do what are the day-to-day tasks the security architect creates plans and provides guidance on implementation of security solutions for the organization they are knowledgeable and obviously security and systems and networks and computing but they're also going to be knowledgeable in risk management and strategies and in the overarching i.t infrastructure architecture that the organization has so this is obviously not going to be an entry-level position how does one become a security architect i know it's a fairly advanced job title so can you walk me through some of the experiences that you would need to become qualified for this job role sure first you need to know the security components directly so things like having educational components whether it be a degree in cyber security or in information security is a good start another way that which was the path that i took was to gain years of experience on top of professional certifications and utilize those in security those certifications in security and in i.t and those types of things to gain an understanding of what's necessary for the organization the third thing you always have to have is an understanding from an organization view of how they deal with risk so you need to understand risk management and how it's implemented within the organization uh now you you mentioned uh formal degrees in either cyber security or information security um and you also mentioned certifications what type of certs would help you uh in supporting your your knowledge base well i would typically approach it and what i often recommend to people is to approach it from starting with the basic security certifications like security plus from comptia which i know infosec delivers um casp and then move into the cissp from ise squared they have a concentration in architecture specifically oh yes uh that follows is called iss ap information system security architecture professional right that helps with the big picture of what you have to focus on great uh so yeah that's uh that's a great set of uh educational um milestones uh set points so uh breaking it down to a more granular level what's skills either tech skills or soft skills does a security architect need to do their uh job well they have to have skills in understanding how security components work uh firewalls intrusion detection systems network access segmentation how operating systems employ security windows linux unix macintosh and then how the components work together so uh where do they work how do you route information how do you keep it secure how do you what's you know in today's world in the last 18 months for example how do vpns work how do you do remote access and keep it secure those types of things would be where they work with um on a day-to-day activity now i'm imagining that most people who want to get to security architect probably have one or more of these tools in their toolbox is there a way of sort of looking at sort of holistically at like what a completed you know something that a security architect has created like you know i mean like just masters learned by vis you know you start from an architectural standpoint i mean security itself um has been placed into the enterprise architecture tools kit that most organizations at one way or another have whether it be internationally or nationally you know there are tools and techniques out there around the u.s federal space which has their federal enterprise architecture which has a security architecture component these days they've added that in the last 10 years since they originally created it dod also has one in their architecture framework they call dodaf that has a security component to it togaf sabsa these are specifically focused on the security side of the it utilizations that uh so these are other starting tools and then you get into you know classic mechanisms around understanding network data flows and those types of things so data flow maps and data flow diagrams and system um design components coming out of the general development arena uh you know whether it be um internationally from iso or itil or common tools like are available today from places like uh coso and covet you know from isaaca and that type of thing all our tools that we would use to help design out the resistant resilient architectures needed to ensure that the requirements for all the components are in place and then check them one of the other things that a security assessor security architect does every day is check what's working okay they do vulnerability assessments they'll do risk reviews they'll do updates based on security engineering mechanisms so they'll have a foot in that field they'll have a a foot in the field of implementation they don't put it in but they guide how it gets put in got it now um speaking uh very um you know on a micro level in terms of tools are there are there common tools that security architects use are there are there any sort of open source ones that people can play around with or is this a a lot of very sort of um specific proprietor both sabse and togaf are open source so you can get both of those um the the architectural components in dodaf and the architectural components in fea are also open you can go to those locations one in the dod architectural world one in the federal architectural world which is run openly by the cio council of the u.s government which is all the cios of all the agencies and they manage the federal enterprise architecture program now where do security architects work you know a lot of job roles will have you know they're better as a freelancer or they only work in in-house like how does is this something where you're you're basically going to work with a company for a long haul or is it do you kind of write in like the man with no name and then move on once you've sort of designed that as a consultant i got you yeah okay most of the security architects that i've worked with and that i did were regular employees of companies they worked not necessarily at a system level they typically would work above that where they would approach it from say a business unit level and so they would get a sense of how the business does their activities and so they would be a regular employee they would be looking at different parts of the organization and so they would have you know and gain over a period of time institutional knowledge of how they do things and that makes them even more valuable to the organization because then they'll be the ones who know where one thing is handled if it's not handled in a particular system it's handled somewhere else they're the architects of our layered defenses for security is what a security architect does they're the ones who map it out i love that um so yeah now speaking to like a private versus federal space are there extra layers i know you also teach cmmc with infosec uh are there additional layers to the way security architect works uh in in a federal or military space uh military yes uh federal generally no virtually all the federal agencies have an enterprise architecture division and that's where the security architects will be um generally they're not going to be assigned to a particular sub-agency or sub-department of a federal agency they're going to be um as i said working with multiple uh organizations now commercially um what i've seen when i worked with lockheed when i worked with other organizations as a regular employee we would be up from the actual delivery organization that's doing the product or the service or producing whatever it is for the company um up a layer or two but still be exposed to what they're doing on a relatively frequent often weekly basis around what they have basically because the security architect in the commercial world also has an extra role which i've seen where they are the ones who create the standards for how the security is going to be implemented across the lines of business across the unit based upon what the business needs are got it now um for people who are are moving towards security architect and then want to use it as a pivot point what other roles can you move into from security architect is this especially suited to move you towards like cso or manager or something even higher well it'll move you up the technical scale dramatically yes because you're the one as a security architect who understands the layout of the security for the whole organization and so you'll end up working potentially as a ciso um which is what i ended up doing uh but i've certainly seen security architects as the technical lead for the cso um because of course csos have to worry about budgets and the other things you know so they would be the point person for that um i've certainly seen them uh provide support on special projects um you know and those types of things as well now uh for people who are watching this video whether they're a security analyst or a pen tester or something who are ready to get started what's something they can do right now after they turn this video off that'll move them towards the goal of becoming a professional security architect understand one where you're going to be looking at vulnerabilities and weaknesses in the security anyway but you're going to have to be doing it from two perspectives you're going to have to be doing it from the security perspective and you're also going to have to be exposed to where those exist in the business and what the business is doing and so you always got to have two eyes when you're looking at it you know two viewpoints uh one from the business perspective as well as one from the i.t security perspective both sides got it and so which side that you feel less comfortable with go learn about all right within the business especially and that will increase both what you can do as a security architect and obviously increase your value to the organization as well hands help your career progression perfect leighton johnson thank you so much for your time and insight today it's always great to talk to you guys good to talk to you too chris uh and thank you all for watching this episode if you'd like to know more about other cyber security job roles please check out the rest of infosec's career video series we'll talk to you next time [Music]

Info

Channel: Infosec

Views: 44,544

Rating: undefined out of 5

Keywords: Infosec, cybersecurity job, cybersecurity career, cybersecurity training, Infosec careers, Security architect

Id: nIT5lM_YosE

Channel Id: undefined

Length: 13min 52sec (832 seconds)

Published: Mon Feb 21 2022