Cyber security architect
Who might be attracted to this role?
Strategic thinkers who are detail oriented and enjoy creating structured solutions to complex challenges. They should excel at balancing technical depth with big-picture thinking, and enjoy structuring processes and aligning objectives across multiple teams.
Entry points
- Digital roles: System engineer, Network engineer, Security engineering, IT or Solution architect.
- Non digital roles: Generally not suitable for a direct career change from non-digital roles. May be possible from a project management, IT consulting or risk management role but would be very challenging.
SFIA behaviours
- Security, privacy and ethics: in all instances the adherence to security, privacy and ethics is at the forefront of the security architect’s mind.
- Problem solving: ability to find solutions that balance security and business needs.
- Decision making: ability to assess different options for a solution and make sound recommendations and decisions that ensure the organisation’s security.
- Leadership: provide technical supervision and guidance for the security team, leads by example towards achievement of the organisation’s security objectives.
Transition points
Possible next steps include:
- Chief Information Security Officer
- Security Consultant.
Proficiency level
Mapping
- Public service levels: A03-4
- SFIA: 1-2
- Leadership competencies for Queensland – Individual contributor
Due to the capabilities required, security architects are typically employed initially at the higher end of the practitioner level (e.g. A07 or above) or higher after many years of experience in related digital roles (see entry points).
Mapping
- Public service levels: A05-8
- SFIA: 3-5
- Leadership competencies for Queensland – Individual contributor; Program leader
Note: Security architect applies more to A07-A08; very unusual to see roles advertised at A05-6.
SFIA professional skills
- Consultancy CNSL
- Enterprise and business architecture STPL
- Information security SCTY
- Solution architecture ARCH
- Specialist advice TECH
Competencies
- How to embed cyber security principles into enterprise solution designs.
- How to ensure application and infrastructure compliance with security policies and standards.
- How to deliver expert security advice to stakeholders through effective communication methods.
- How to analyse risks and devise strategies for threat mitigation and security enhancements.
- How to mentor colleagues in cybersecurity and foster a collaborative security-focused culture.
70:20:10 examples
70: Suggested experiential learning
- Contribute to security strategy and roadmaps.
- Set standards and procedures.
- Conduct reviews and testing.
- Review emerging technologies.
20: Suggested professional development
- Mentor and coach team members and peers.
- Volunteer at industry events.
- Develop skills in areas of interest to become a subject matter expert e.g. networks, identity and access management, application, cloud.
- Collaborate with other security architect practitioners e.g. share best practices and learning.
10: Example formal learning
- Relevant bachelor’s degree
- AWS Certified Security - Specialty
- Certified Cloud Security Professional (CCSP)
- CISSP – Certified Information Systems Security Professional
- Essential 8 Assessment Course
- ISACA Certified Information Systems Auditor (CISA)
- Microsoft SC-100: Microsoft Cybersecurity Architect
- SABSA Chartered Security Architect – Foundation Certificate (SCF)
- SANS GIAC Cloud Security Architecture and Design (GCAD)
- The Open Group Architecture Framework (TOGAF) Foundation Certification
Mapping
- Public service levels: A08-SES
- SFIA: 6-7
- Leadership competencies for Queensland – Program leader; Executive; Chief executive
SFIA professional skills
- Consultancy CNSL
- Enterprise and business architecture STPL
- Governance GOVN
- Information security SCTY
- Solution architecture ARCH
- Specialist advice TECH
Competencies
- How to architect compliant, secure solutions aligned with business strategies.
- How to lead cybersecurity teams and oversee secure project delivery in line with organisational goals.
- How to set and review alignment with comprehensive information security policies and advise on strategic security controls.
- How to perform in-depth security risk assessments and formulate organisational protection strategies.
- How to expertly assess emerging technologies and security practices.
- How to develop business cases and/or appraise investments that can assist with managing the organisation’s cyber security resilience.
- How to balance business need and risk to determine best solutions.
70:20:10 examples
70: Suggested experiential learning
- Develop and set the security architecture process.
- Architectural lead for development of security strategy and roadmaps.
- Lead setting of standards and procedures.
- Lead reviews and testing.
- Assess, advise and make security recommendations on emerging technologies.
- Appraising investment proposals and advising on procurement of solutions.
20: Suggested professional development
- Make contributions to the industry e.g. keynotes, board representation.
- Mentor emerging leaders including security architect practitioners.
10: Example formal learning
- Relevant post graduate degree
- CISM – Certified Information Security Manager
- Information Systems Security Architecture Professional (ISSAP)
- Microsoft Certified: Azure Solutions Architect Expert
- Microsoft Certified: Cybersecurity Architect Expert
- SABSA Chartered Security Architect – Practitioner Certificate (SCP)
- The Open Group Architecture Framework (TOGAF) Practitioner Certification
Also see related Cyber security architect role profile.
Career story
Cyber security architect - Practitioner
Tom, Queensland Government
Tell me about your career journey up to your current role. How did you get started in your role?
I started as an ICT graduate in Queensland Government where I was exposed to multiple ICT areas over two years as part of the program. I took a liking to the Microsoft, systems administration and infrastructure technical areas where I went on to obtain a temporary role in that space for another year.
During this time, I undertook industry training and certifications in Cisco, Microsoft, Citrix and other products. Once I had gained some years' experience in administering technologies in an enterprise environment, I was able to apply for higher level roles across government.
I next secured a permanent role in another department in their server infrastructure and enterprise applications team. I was involved in major projects and took more of a project technical lead role. I designed, documented and built new business systems myself from ground up, including building servers (physical and virtual), installing OS, databases (SQL), clustering, installing enterprise applications, publishing applications and arranging all the security (firewall ACL, permissions, user groups, etc.) around the application ready for go-live.
This gave me a very good introduction to all the ICT layers that make up an enterprise ICT environment in large organisations from desktop and devices through to networks and connectivity, through to server hosted services and the security elements around these layers.
I then undertook a less technical role as an ICT Enterprise Architect where I needed to understand product capability and roadmaps, but not necessarily be the SME for any one product. This broadened my understanding of architecture building blocks and layers, including architecture frameworks such as TOGAF and SABSA. This role required me to build healthy working relationships with those SMEs.
What attracted you to security architecture?
Maintaining an interest in latest technologies was a big factor in heading into security architect type roles. Security is a rapidly changing landscape, and you need to be interested in keeping up to date, otherwise you will fall behind.
My background in technologies and architecture led me to a more security focused role where I can draw on my past roles' skills.
Since joining a security focused role, I have found there are excellent cyber frameworks to learn from and a fantastic community of security professionals willing to work together and share knowledge, as we are all working on the same side.
What were the key skills and job experiences from your previous career or role that helped you transition to security architecture?
Having had exposure to working in multi-disciplinary teams, working in large and complex Enterprise ICT environments with a range of technology products, understanding that each one performs a key function and how that function fits in with the over-arching enterprise architecture and cyber delivery framework for an organisation.
I am a friendly, approachable and social guy, so that served me well in being able to talk to people from all ICT roles such as technical teams, project managers and executives.
Being able to go and have a coffee with someone to build relationships so you can share useful information when needed is a skill that has served me well.
Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?
- Bachelor of IT, majoring in Information Systems
- Cisco CCNA
- Microsoft MCP/MCSE/Azure
- Citrix CCNP
- VMware VCP
- ITIL
- TOGAF
- NIST
- ISO27001
- CISSP/CISM
What key behavioral skills are most important for this role profile?
Consultation skills; Collaboration; Communication; Improvement mindset; Digital mindset; Learning and development; Planning; Problem solving; Project Management; Framework mindset (building blocks/layers/capability/maturity); ability to quickly research a topic; willingness to be part of a community.
What key professional skills are most important?
- Information security SCTY
- Enterprise and business architecture STPL
- Solution architecture ARCH
- Data management DATM
- Risk management BURM
- Audit AUDT
- Information management IRMG
- Consultancy CNSL
- Systems design DESN
- Penetration testing PENT
- IT infrastructure ITOP
- Security operations SCAD
- Vulnerability assessment VUAS
Can you walk me through a typical day or week in your current role? Please include your main responsibilities, challenges and rewards and what other teams you work with.
Looking at system architecture and technical documentation such as system detailed designs. Auditing and reviewing the security controls for systems for compliance. Reviewing security questionnaires and undertaking gap assessments. Risk identification.
Challenge is always the risk tradeoff, when something isn’t “perfect”, working out what will be accepted and what won’t.
There is a self-sense that you are working on the good-guys side to stop the bad-guys. There is purpose to the role, which makes you want to do a good job.
What advice would you give to someone wanting to get started in or transition to a security architecture role?
Try and get broad exposure to lots of different ICT disciplines. If you want to be an architect work with Architecture teams and discuss technology capability, rather than technology configurations.
In my opinion, NIST framework provides the best architecture framework for cyber security within organisations.
Security architecture is also about risk and trade-off. Nothing is perfect, so you need to negotiate and be flexible in your approach and your recommendations as not all of what is best practice is achievable in every organisation.
Use the cyber community to build your professional relationships, as this will open doors for your future.