Path to Security Architect
MitM
Member Posts: 622 ■■■■□□□□□□
Hi everyone,
I’ve been in IT for over 20 years in a variety of infrastructure roles (help desk, server,network, security). My currently role is network & security manager, but the security side is mostly network related. I don’t see my current role as long term, as it’s not a fit for my interests.
I’ve been in IT for over 20 years in a variety of infrastructure roles (help desk, server,network, security). My currently role is network & security manager, but the security side is mostly network related. I don’t see my current role as long term, as it’s not a fit for my interests.
From a networking perspective, I do have a heavy interest in network security design and proper implementation but I’d like to dig into cloud security, and tie them both together. For me, my passion is finding the right solution to the business need and making sure it’s secure. That being said, I’d like to pursue the path for security architecture role. That being said, should pursue the cissp-issap? Cloud security certs?
Does any of this make sense? Lol hopefully it does
Best Answers
-
beads Member Posts: 1,533 ■■■■■■■■■□Talking with more than a few InfoSec managers and their future plans tells me that networking and security will simply merge while design and planning will move to a more security orientated posture. This is all well and fine while we have long term infrastructure people with hard skills in the area available but it takes decades of hands on experience to be truly productive. Recent InfoSec grads aren't going to cut it here, at least not for a decade or two. So, once again, I see IT as chasing the short term gain while loosing the long term goal of sustainability is lost. Typical.As for the career path. Yeah, I think its fine. You will need to bone up real hard on your PKI, Infrastructure and R and S skills before taking the plunge. Those are the skillsets I see as being the weakest among security architects these days. Cluelessness simply cannot be tolerated when architects don't fully understand route diversity, cost and risk management structures across the enterprise.Wishing you good luck with your career goals.
-
Pmorgan2 Member Posts: 116 ■■■■□□□□□□CISSP-ISSAP is a solid option. If you're not currently implementing cloud solutions, you could do some of the specialty cloud security certifications to round yourself out and open up opportunities.
I'm a few steps behind you on the same path. Most of the value of security architecture is from hands on experience with a variety of problems and solutions. Frameworks such as ITIL, PMI, and TOGAF can help structure how solutions are found and implemented. Deep knowledge of popular platforms can be certified to increase customer confidence. These certifications are on my radar with bolded ones seeming to apply to your next step:
Foundation- CCNA (the new one)
- MCSA Server 2016
- One of: Security+, CySA, GSEC, SSCP
- AWS Security and/or Azure Security Engineer Associate
- ITIL Foundation
- Project+ and/or CAPM
- TOGAF 9 Foundation and/or Zachman Enterprise Architect Associate
- CCNP Security (the new one)
- MCSE Core Infrastructure
- VCP6-DCV
- CISSP and/or CISM
- Some of: CISA, GCIA, GCCC, CAP, GSLC, GCIH, Juniper Networks, CCSP
- TOGAF 9 Certified and/or Zachman Enterprise Architect Practitioner
- CCIE
- CISSP-ISSAP
- CISSP-ISSEP
- GSE
- GREM
- AWS Solutions Architect Professional and/or Azure Solutions Architect Expert
- ITIL Master
- Zachman Certified Enterprise Architect Professional
- PMP
2021 Goals: WGU BSCSIA, CEH, CHFI | 2022 Goals: WGU MSCSIA, AWS SAA, AWS Security Specialist -
LonerVamp Member Posts: 518 ■■■■■■■■□□I am in a similar boat and am off-and-on pursuing Security Architect roles casually. I've done security and IT work for 17+ years now, mostly around systems/servers, developer support, and security.Being in Security Architecture is a wholistic area. You need to be familiar (and comfortable diving deep on no notice) with infrastructure (networking), servers, systems and how they work, PKI and crypto/auth, characteristics of development languages and solutions built on them, data classifications and flow, cloud environments and their additional concerns, let alone actual "hard" security.You don't need to design the deepest details to 100% accuracy, but you need to make sure security is thought about and dealt with earlier in the design and implementation phases, and make sure there are not huge surprises later on down the road.Personally, I think cloud certs are good, CISSP-ISSAP is good, and definitely some sort of established framework like TOGAF.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
Answers
-
UnixGuy Mod Posts: 4,570 ModThe AWS & Azure architect certs are excellent!you might find SABSA useful too ( https://community.infosecinstitute.com/discussion/135591/sabsa-foundation-training-review )
-
bigdogz Member Posts: 881 ■■■■■■■■□□You should get the AWS and Azure certs that lean into Infrastructure and Infosec. The CISSP-ISSAP may help. You may want to do a job search periodically to see if it fits your potential new jobs.
-
LonerVamp Member Posts: 518 ■■■■■■■■□□beads said:Talking with more than a few InfoSec managers and their future plans tells me that networking and security will simply merge while design and planning will move to a more security orientated posture. This is all well and fine while we have long term infrastructure people with hard skills in the area available but it takes decades of hands on experience to be truly productive. Recent InfoSec grads aren't going to cut it here, at least not for a decade or two. So, once again, I see IT as chasing the short term gain while loosing the long term goal of sustainability is lost. Typical.As for the career path. Yeah, I think its fine. You will need to bone up real hard on your PKI, Infrastructure and R and S skills before taking the plunge. Those are the skillsets I see as being the weakest among security architects these days. Cluelessness simply cannot be tolerated when architects don't fully understand route diversity, cost and risk management structures across the enterprise.Wishing you good luck with your career goals.That's pretty ambitious talking in terms of decades when it comes to technology. I mean, 10 years ago people were still catching up on virtualization, let alone thinking ahead to devops and cloud too far. We were only just going through our first major rounds of a huge OS retirement (XP) and dealing with other lifecycles that weren't a thing until then. And smartphones, wut? It's barely been over 10 years since they swept in.Also, one of the problems with network and security merging is how there are more than a few things in play here, like privacy concerns and open environments and BYOD...one could say security is leaving networking!
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
MitM Member Posts: 622 ■■■■□□□□□□thanks @beads @UnixGuy @Pmorgan2 @bigdogz and @LonerVamp
Some interesting replies. I left it out earlier but the certs I currently hold are CISSP, CCNP Sec, CCNP R&S and PCNSE. For those certs, I continue to refresh, renew and advance my knowledge, with the strongest being Palo Alto
I mentioned cloud certs as I see cloud security as the next step in knowledge. TOGAF is always a good option, I just really liked the outline of CISSP-ISSAP. CCSP also seems like a good option, but I think I should know more about aws/azure first.
-
UnixGuy Mod Posts: 4,570 ModDon't forget: Identity & access management. Big area and the demand isn't going away. Know your way around Single Sign On, fedeated access, Azure AD, SAML Authentication. Learn some technologies like Auth0, Okta, CyberArk, ..etc.
-
bigdogz Member Posts: 881 ■■■■■■■■□□I have already posted this once from someone else... I think this should be a sticky.... I hope this helps.
-
beads Member Posts: 1,533 ■■■■■■■■■□Yeah but I didn't comment on a certification to help get you there. Just a list of common technologies that I find architects sorely lacking.
-
Azt7 Member Posts: 121 ■■■■□□□□□□I'm heading in the same direction as OP with the twist that I want to have more of a business architect role with a strong focus on cloud security.
From experience, I'm seeing that the biggest thing missing right now is Architects that can talk business. Lots of companies are making some cringe worthy decisions and that is because either there is no architect overviewing things or because the IT Director doesn't have the background to create that vision but the business expects him to. You can't ask somebody to do things they aren't trained to do.
I'm hoping that more and more companies will start seeing the Architect / Security Architect position as a value creator instead than just another 150K salaryCertifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
Studying for : TBD -
MitM Member Posts: 622 ■■■■□□□□□□Azt7 said:I'm heading in the same direction as OP with the twist that I want to have more of a business architect role with a strong focus on cloud security.
From experience, I'm seeing that the biggest thing missing right now is Architects that can talk business. Lots of companies are making some cringe worthy decisions and that is because either there is no architect overviewing things or because the IT Director doesn't have the background to create that vision but the business expects him to. You can't ask somebody to do things they aren't trained to do.
I'm hoping that more and more companies will start seeing the Architect / Security Architect position as a value creator instead than just another 150K salary -
Pmorgan2 Member Posts: 116 ■■■■□□□□□□bigdogz said:I have already posted this once from someone else... I think this should be a sticky.... I hope this helps.
beads said:Yeah but I didn't comment on a certification to help get you there. Just a list of common technologies that I find architects sorely lacking.
Bead/s is right that Security and/or Enterprise Architecture is more about knowledge over a long career than certifications. But there are a few that can be situationally helpful.2021 Goals: WGU BSCSIA, CEH, CHFI | 2022 Goals: WGU MSCSIA, AWS SAA, AWS Security Specialist -
bigdogz Member Posts: 881 ■■■■■■■■□□@Pmorgan2
I really think that YMMV depending on what type of organization you work for or your future employer.
I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them. -
scasc Member Posts: 465 ■■■■■■■□□□From what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening.
Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above.
On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting.
Enterprise level is a different story as its more strategy, governance and roadmap focused. This is where your architecture frameworks (depending on which one you follow) come in handy. I am yet to see anybody a pure player in TOGAF or SABSA but they take what they need. If you go down this route its nice to be certified against something to show you have that baseline knowledge but knowing how to apply it is key. For example, part 1 of SABSA teaches the mechanics but I've heard only if you do part to (A3 design for example) you really learn how to apply it.AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia... -
Pmorgan2 Member Posts: 116 ■■■■□□□□□□bigdogz said:I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them.2021 Goals: WGU BSCSIA, CEH, CHFI | 2022 Goals: WGU MSCSIA, AWS SAA, AWS Security Specialist
-
bigdogz Member Posts: 881 ■■■■■■■■□□Pmorgan2 said:bigdogz said:I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them.
-
MitM Member Posts: 622 ■■■■□□□□□□scasc said:From what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening.
Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above.
On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting.For those currently in security architecture roles or pursuing them, are you working for (or plan to work for) resellers/vars or for enterprise?
I think I will be adding CCSP to my cert plan, as well as AWS and Azure security certs. The question is do that look at the AWS/Azure architect certs first?I may even revisit the ccie security down the road. That’s a big maybe -
scasc Member Posts: 465 ■■■■■■■□□□MitM said:scasc said:hFrom what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening.
Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above.
On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting.For those currently in security architecture roles or pursuing them, are you working for (or plan to work for) resellers/vars or for enterprise?
I think I will be adding CCSP to my cert plan, as well as AWS and Azure security certs. The question is do that look at the AWS/Azure architect certs first?I may even revisit the ccie security down the road. That’s a big maybeI did AWS CSA then Security engineering on AWS before doing CCSK/CCSP and glad I did as it gave me a decent foundation which I was grateful for.I see a lot of this stuff heading down the cloud way which is the way forward.AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...