gespenstern wrote: » ... Also, Amazon's use of the word doesn't help. According to them everyone who can spin up a few VMs in AWS is an architect starting with "associate architect" (WTF). ....
infosec123 wrote: » There is nothing you can do about it, just worry about yourself and your company. There are people who are bad at their jobs in literally every job category out there. If you see someone performing poorly and putting your org's security at risk (and it sounds like you have), put some documentation together and bring it up with your management. Show what the person missed and how it can affect your org, these actions will not only protect the company, but if the issue continually occurs, they may look to replace the bad employee.
infosec123 wrote: » There is nothing you can do about it, just worry about yourself and your company
infosec123 wrote: » In regards to pen testing done by 3rd party companies, I do my own pentesting and am ok at it (at best), but if I had the budget I would hire companies like Praetorian any day of the week. No infosec pro is an expert at everything he/she does, and should recognize his/her limits and put the company's security ahead of their own ego.
UnixGuy wrote: » True but I think we can also point out that said architects aren't really qualified to design anything (I've done this by the way...not all managers are open to this idea...).
thomas_ wrote: » Sounds like architect might become the new engineer. Eventually we'll see custodial architects instead of custodial engineers.
UnixGuy wrote: » I've been in meetings with them, and their job boils down to telling people how important it is to have complex passwords, reviewing AWS security groups to see who has access to what, and organising a pen test for the application by talking to a 3rd party company that will do the pentest (i.e. being the middle man between the pentester and the actual devops professional).
UnixGuy wrote: » @JoJoCal19: But this *new* definition of an 'architect' is basically a middle man with entry-level basic knowledge. What kind of knowledge is really required of someone to talk to a company and purchase a password management solution? And what kind of knowledge is really required of someone to coordinate a pentest? To me that's not really an architect, that's a 'project' coordinator at best; an entry-level project coordinator really. Payscale should be adjusted: if this new age 'architect' is just coordinating a pentest, then their payscale should be much lower than both the developers and the professionals doing the pentest. Heck, I think this job is redundant and a waste of money; the developers or managers or even the service desk can coordinate a pentest. Add to that the delusion that comes with those 'architects' (illusion of knowledge), the stuff I hear that comes out of their mouths...
DatabaseHead wrote: » ... In respect to the data architects I work with, they have all had at least 10 years of ETL and specific business vertical experience. They are very bright people so, to answer your question,.......
JoJoCal19 wrote: » If what you posted was ALL they are doing, then yea that seems to be a ridiculous position. I was thinking in the course of what they are doing, they are also doing those activities. It seems maybe that's just a unique situation at your company. I would hope that's not the case at all of these companies that have Cloud Security Architects. But really the positions with that name are so new I've yet to talk to anyone who has that title.
thomas_ wrote: » I'm just dying to hear what some of these "Architects" have said...please, do share UnixGuy...
UnixGuy wrote: » Trying to remember the things that my brain tries so hard not to remember (for survival purposes)....
- WannaCry is an easy virus, I can create one or stop it in 5 minutes
- I'm hacking the websites (runs nmap and finds nothing)
- From a "Security Point of View" --> insert any stupid line here such as: We MUST enable SAML authentication in this solution (all the users are external to the organisation, SAML has no place in that instance).
- From a "Security Point of View": if it uses SSL it is secure, if it doesn't I will 'hack it'.
- I'm doing Agile security ==> Calls one of the big4 to run a generic pentest against the app.
- Overhears actual security professionals talk about 2 attacks detected and dropped by the IPS ==> "OMG WE ARE UNDER ATTACK WE ARE BEING HACKED WE NEED TO STOP THE ATTACKS" (shouts loudly so everyone hears..)
- Sees one phishing email....replies to the phishing email (cc's everyone) to show them he is stopping phishing.
The problem is I'm one of those guys who, if I see (or hear) something, I laugh loud...I've had this habit all my life, and it's hard to keep a straight face....
UnixGuy wrote: » They might not necessarily be called "Cloud Security Architects", but just "Security Architect".... Other tasks that come to mind: calling a third party company to assess the in-house ISMS (basically create the ISMS for them). If you can always rely on vendors/service providers to do the real work, in-house architects can get away with pretty much doing nothing.
blargoe wrote: » This has been prevalent for a while for companies trying to sell professional services. Architect sounds better, and more expensive.
ITSec14 wrote: » This may sound like a stupid question, but what exactly is the difference between an architect and an engineer in security? I've never worked with anyone who had an "architect" title.
Remedymp wrote: » Architects would be your Associate Information Security Officer and Engineers are the ones who Lead off the Analyst. Engineers typically answer to the Architect. Architect answers to the CTO or CISO.