Path to Security Architect

Hi everyone,

I’ve been in IT for over 20 years in a variety of infrastructure roles (help desk, server,network, security). My currently role is network & security manager, but the security side is mostly network related. I don’t see my current role as long term, as it’s not a fit for my interests.

From a networking perspective, I do have a heavy interest in network security design and proper implementation but I’d like to dig into cloud security, and tie them both together. For me, my passion is finding the right solution to the business need and making sure it’s secure. That being said, I’d like to pursue the path for security architecture role. That being said, should pursue the cissp-issap? Cloud security certs?

Does any of this make sense? Lol hopefully it does

Find more posts tagged with

Accepted answers

beads

Talking with more than a few InfoSec managers and their future plans tells me that networking and security will simply merge while design and planning will move to a more security orientated posture. This is all well and fine while we have long term infrastructure people with hard skills in the area available but it takes decades of hands on experience to be truly productive. Recent InfoSec grads aren't going to cut it here, at least not for a decade or two. So, once again, I see IT as chasing the short term gain while loosing the long term goal of sustainability is lost. Typical.

As for the career path. Yeah, I think its fine. You will need to bone up real hard on your PKI, Infrastructure and R and S skills before taking the plunge. Those are the skillsets I see as being the weakest among security architects these days. Cluelessness simply cannot be tolerated when architects don't fully understand route diversity, cost and risk management structures across the enterprise.

Wishing you good luck with your career goals.

Pmorgan2

CISSP-ISSAP is a solid option. If you're not currently implementing cloud solutions, you could do some of the specialty cloud security certifications to round yourself out and open up opportunities.

I'm a few steps behind you on the same path. Most of the value of security architecture is from hands on experience with a variety of problems and solutions. Frameworks such as ITIL, PMI, and TOGAF can help structure how solutions are found and implemented. Deep knowledge of popular platforms can be certified to increase customer confidence. These certifications are on my radar with bolded ones seeming to apply to your next step:

Foundation

CCNA (the new one)
MCSA Server 2016
One of: Security+, CySA, GSEC, SSCP
AWS Security and/or Azure Security Engineer Associate
ITIL Foundation
Project+ and/or CAPM
TOGAF 9 Foundation and/or Zachman Enterprise Architect Associate

Mid Career

CCNP Security (the new one)
MCSE Core Infrastructure
VCP6-DCV
CISSP and/or CISM
Some of: CISA, GCIA, GCCC, CAP, GSLC, GCIH, Juniper Networks, CCSP
TOGAF 9 Certified and/or Zachman Enterprise Architect Practitioner

Advanced

CCIE
CISSP-ISSAP
CISSP-ISSEP
GSE
GREM
AWS Solutions Architect Professional and/or Azure Solutions Architect Expert
ITIL Master
Zachman Certified Enterprise Architect Professional
PMP

LonerVamp

I am in a similar boat and am off-and-on pursuing Security Architect roles casually. I've done security and IT work for 17+ years now, mostly around systems/servers, developer support, and security.

Being in Security Architecture is a wholistic area. You need to be familiar (and comfortable diving deep on no notice) with infrastructure (networking), servers, systems and how they work, PKI and crypto/auth, characteristics of development languages and solutions built on them, data classifications and flow, cloud environments and their additional concerns, let alone actual "hard" security.

You don't need to design the deepest details to 100% accuracy, but you need to make sure security is thought about and dealt with earlier in the design and implementation phases, and make sure there are not huge surprises later on down the road.

Personally, I think cloud certs are good, CISSP-ISSAP is good, and definitely some sort of established framework like TOGAF.

All comments

UnixGuy

The AWS & Azure architect certs are excellent!

you might find SABSA useful too ( https://community.infosecinstitute.com/discussion/135591/sabsa-foundation-training-review )

beads

Wishing you good luck with your career goals.

Pmorgan2

CCNA (the new one)
MCSA Server 2016
One of: Security+, CySA, GSEC, SSCP
AWS Security and/or Azure Security Engineer Associate
ITIL Foundation
Project+ and/or CAPM
TOGAF 9 Foundation and/or Zachman Enterprise Architect Associate

Mid Career

CCNP Security (the new one)
MCSE Core Infrastructure
VCP6-DCV
CISSP and/or CISM
Some of: CISA, GCIA, GCCC, CAP, GSLC, GCIH, Juniper Networks, CCSP
TOGAF 9 Certified and/or Zachman Enterprise Architect Practitioner

Advanced

CCIE
CISSP-ISSAP
CISSP-ISSEP
GSE
GREM
AWS Solutions Architect Professional and/or Azure Solutions Architect Expert
ITIL Master
Zachman Certified Enterprise Architect Professional
PMP

bigdogz

You should get the AWS and Azure certs that lean into Infrastructure and Infosec. The CISSP-ISSAP may help. You may want to do a job search periodically to see if it fits your potential new jobs.

LonerVamp

beads said:

Talking with more than a few InfoSec managers and their future plans tells me that networking and security will simply merge while design and planning will move to a more security orientated posture. This is all well and fine while we have long term infrastructure people with hard skills in the area available but it takes decades of hands on experience to be truly productive. Recent InfoSec grads aren't going to cut it here, at least not for a decade or two. So, once again, I see IT as chasing the short term gain while loosing the long term goal of sustainability is lost. Typical.

As for the career path. Yeah, I think its fine. You will need to bone up real hard on your PKI, Infrastructure and R and S skills before taking the plunge. Those are the skillsets I see as being the weakest among security architects these days. Cluelessness simply cannot be tolerated when architects don't fully understand route diversity, cost and risk management structures across the enterprise.

Wishing you good luck with your career goals.

That's pretty ambitious talking in terms of decades when it comes to technology.

I mean, 10 years ago people were still catching up on virtualization, let alone thinking ahead to devops and cloud too far. We were only just going through our first major rounds of a huge OS retirement (XP) and dealing with other lifecycles that weren't a thing until then. And smartphones, wut? It's barely been over 10 years since they swept in.

Also, one of the problems with network and security merging is how there are more than a few things in play here, like privacy concerns and open environments and BYOD...one could say security is leaving networking!

LonerVamp

I am in a similar boat and am off-and-on pursuing Security Architect roles casually. I've done security and IT work for 17+ years now, mostly around systems/servers, developer support, and security.

Personally, I think cloud certs are good, CISSP-ISSAP is good, and definitely some sort of established framework like TOGAF.

MitM

thanks @beads @UnixGuy @Pmorgan2 @bigdogz and @LonerVamp

Some interesting replies. I left it out earlier but the certs I currently hold are CISSP, CCNP Sec, CCNP R&S and PCNSE. For those certs, I continue to refresh, renew and advance my knowledge, with the strongest being Palo Alto

I mentioned cloud certs as I see cloud security as the next step in knowledge. TOGAF is always a good option, I just really liked the outline of CISSP-ISSAP. CCSP also seems like a good option, but I think I should know more about aws/azure first.

UnixGuy

Don't forget: Identity & access management. Big area and the demand isn't going away. Know your way around Single Sign On, fedeated access, Azure AD, SAML Authentication. Learn some technologies like Auth0, Okta, CyberArk, ..etc.

bigdogz

I have already posted this once from someone else... I think this should be a sticky.... I hope this helps.

beads

Yeah but I didn't comment on a certification to help get you there. Just a list of common technologies that I find architects sorely lacking.

MitM

beads said:

Yeah but I didn't comment on a certification to help get you there. Just a list of common technologies that I find architects sorely lacking.

I'm with you. I'm less interested in the certs, just the knowledge I need to make it happen

Azt7

I'm heading in the same direction as OP with the twist that I want to have more of a business architect role with a strong focus on cloud security.
From experience, I'm seeing that the biggest thing missing right now is Architects that can talk business. Lots of companies are making some cringe worthy decisions and that is because either there is no architect overviewing things or because the IT Director doesn't have the background to create that vision but the business expects him to. You can't ask somebody to do things they aren't trained to do.
I'm hoping that more and more companies will start seeing the Architect / Security Architect position as a value creator instead than just another 150K salary

MitM

Azt7 said:

I'm heading in the same direction as OP with the twist that I want to have more of a business architect role with a strong focus on cloud security.
From experience, I'm seeing that the biggest thing missing right now is Architects that can talk business. Lots of companies are making some cringe worthy decisions and that is because either there is no architect overviewing things or because the IT Director doesn't have the background to create that vision but the business expects him to. You can't ask somebody to do things they aren't trained to do.
I'm hoping that more and more companies will start seeing the Architect / Security Architect position as a value creator instead than just another 150K salary

I agree, see this a lot myself

Pmorgan2

bigdogz said:

I have already posted this once from someone else... I think this should be a sticky.... I hope this helps.

Just so happens, I was just about to post an update to this with some on topic updates:

Image: https://us.v-cdn.net/6030959/uploads/editor/4b/8d096neaj79f.png

beads said:

Yeah but I didn't comment on a certification to help get you there. Just a list of common technologies that I find architects sorely lacking.

Bead/s is right that Security and/or Enterprise Architecture is more about knowledge over a long career than certifications. But there are a few that can be situationally helpful.

bigdogz

@Pmorgan2
I really think that YMMV depending on what type of organization you work for or your future employer.

I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them.

scasc

From what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening.

Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above.

On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting.

Enterprise level is a different story as its more strategy, governance and roadmap focused. This is where your architecture frameworks (depending on which one you follow) come in handy. I am yet to see anybody a pure player in TOGAF or SABSA but they take what they need. If you go down this route its nice to be certified against something to show you have that baseline knowledge but knowing how to apply it is key. For example, part 1 of SABSA teaches the mechanics but I've heard only if you do part to (A3 design for example) you really learn how to apply it.

Pmorgan2

bigdogz said:

I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them.

That is definitely true. I didn't mean to say that certifications are not useful for architecture. In addition to clout with the vendors, those certs give you and your company clout with customers as well.

bigdogz

Pmorgan2 said:

bigdogz said:

I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them.

That is definitely true. I didn't mean to say that certifications are not useful for architecture. In addition to clout with the vendors, those certs give you and your company clout with customers as well.

I know what you were saying. I know that having the certs is secondary to the knowledge.

MitM

scasc said:

From what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening.

Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above.

On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting.

I have also looked at 530/545 but unfortunately, would need to be self funded, so I decided to hold off. They both look great

For those currently in security architecture roles or pursuing them, are you working for (or plan to work for) resellers/vars or for enterprise?

I think I will be adding CCSP to my cert plan, as well as AWS and Azure security certs. The question is do that look at the AWS/Azure architect certs first?

I may even revisit the ccie security down the road. That’s a big maybe

scasc

MitM said:

scasc said:h

From what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening.

Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above.

On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting.

I have also looked at 530/545 but unfortunately, would need to be self funded, so I decided to hold off. They both look great

For those currently in security architecture roles or pursuing them, are you working for (or plan to work for) resellers/vars or for enterprise?

I think I will be adding CCSP to my cert plan, as well as AWS and Azure security certs. The question is do that look at the AWS/Azure architect certs first?

I may even revisit the ccie security down the road. That’s a big maybe

I reckon go for the AWS/Azure certs first as you will enjoy them. Very interesting and practical. After you have developed a decent understanding of the concepts do CCSP - which is more theory (think abstraction and pooling of resources at hardware layer).

I did AWS CSA then Security engineering on AWS before doing CCSK/CCSP and glad I did as it gave me a decent foundation which I was grateful for.

I see a lot of this stuff heading down the cloud way which is the way forward.

MitM

thanks all