Path to Security Architect

MitMMitM Member Posts: 622 ■■■■□□□□□□
Hi everyone,

I’ve been in IT for over 20 years in a variety of infrastructure roles (help desk, server,network, security). My currently role is network & security manager, but the security side is mostly network related. I don’t see my current role as long term, as it’s not a fit for my interests.  

From a networking perspective, I do have a heavy interest in network security design and proper implementation but I’d like to dig into cloud security, and tie them both together.  For me, my passion is finding the right solution to the business need and making sure it’s secure.  That being said, I’d like to pursue the path for security architecture role. That being said, should pursue the cissp-issap? Cloud security certs? 

Does any of this make sense? Lol hopefully it does 





Best Answers

Answers

  • UnixGuyUnixGuy Mod Posts: 4,564 Mod
    The AWS & Azure architect certs are excellent!


    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube channel: https://youtu.be/DRJic8vCodE 


  • bigdogzbigdogz Member Posts: 881 ■■■■■■■■□□
    You should get the AWS and Azure certs that lean into Infrastructure and Infosec. The CISSP-ISSAP may help. You may want to do a job search periodically to see if it fits your potential new jobs.
  • LonerVampLonerVamp Member Posts: 518 ■■■■■■■■□□
    beads said:
    Talking with more than a few InfoSec managers and their future plans tells me that networking and security will simply merge while design and planning will move to a more security orientated posture. This is all well and fine while we have long term infrastructure people with hard skills in the area available but it takes decades of hands on experience to be truly productive. Recent InfoSec grads aren't going to cut it here, at least not for a decade or two. So, once again, I see IT as chasing the short term gain while loosing the long term goal of sustainability is lost. Typical.

    As for the career path. Yeah, I think its fine. You will need to bone up real hard on your PKI, Infrastructure and R and S skills before taking the plunge. Those are the skillsets I see as being the weakest among security architects these days. Cluelessness simply cannot be tolerated when architects don't fully understand route diversity, cost and risk management structures across the enterprise.

    Wishing you good luck with your career goals.
    That's pretty ambitious talking in terms of decades when it comes to technology. :) I mean, 10 years ago people were still catching up on virtualization, let alone thinking ahead to devops and cloud too far. We were only just going through our first major rounds of a huge OS retirement (XP) and dealing with other lifecycles that weren't a thing until then. And smartphones, wut? It's barely been over 10 years since they swept in.

    Also, one of the problems with network and security merging is how there are more than a few things in play here, like privacy concerns and open environments and BYOD...one could say security is leaving networking!



    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    thanks @beads @UnixGuy @Pmorgan2 @bigdogz and @LonerVamp

    Some interesting replies. I left it out earlier but the certs I currently hold are CISSP, CCNP Sec, CCNP R&S and PCNSE. For those certs, I continue to refresh, renew and advance my knowledge, with the strongest being Palo Alto

    I mentioned cloud certs as I see cloud security as the next step in knowledge.  TOGAF is always a good option, I just really liked the outline of CISSP-ISSAP.   CCSP also seems like a good option, but I think I should know more about aws/azure first.   
  • UnixGuyUnixGuy Mod Posts: 4,564 Mod
    Don't forget: Identity & access management. Big area and the demand isn't going away. Know your way around Single Sign On, fedeated access, Azure AD, SAML Authentication. Learn some technologies like Auth0, Okta, CyberArk, ..etc.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube channel: https://youtu.be/DRJic8vCodE 


  • bigdogzbigdogz Member Posts: 881 ■■■■■■■■□□
    I have already posted this once from someone else... I think this should be a sticky.... I hope this helps.


  • beadsbeads Member Posts: 1,531 ■■■■■■■■■□
    Yeah but I didn't comment on a certification to help get you there. Just a list of common technologies that I find architects sorely lacking.
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    beads said:
    Yeah but I didn't comment on a certification to help get you there. Just a list of common technologies that I find architects sorely lacking.
    I'm with you.  I'm less interested in the certs, just the knowledge I need to make it happen
  • Azt7Azt7 Member Posts: 121 ■■■■□□□□□□
    edited November 2019
    I'm heading in the same direction as OP with the twist that I want to have more of a business architect role with a strong focus on cloud security.
    From experience, I'm seeing that the biggest thing missing right now is Architects that can talk business. Lots of companies are making some cringe worthy decisions and that is because either there is no architect overviewing things or because the IT Director doesn't have the background to create that vision but the business expects him to. You can't ask somebody to do things they aren't trained to do.  
    I'm hoping that more and more companies will start seeing the Architect / Security Architect position as a value creator instead than just another 150K salary :D 
    Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
    Studying for :  TBD
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    Azt7 said:
    I'm heading in the same direction as OP with the twist that I want to have more of a business architect role with a strong focus on cloud security.
    From experience, I'm seeing that the biggest thing missing right now is Architects that can talk business. Lots of companies are making some cringe worthy decisions and that is because either there is no architect overviewing things or because the IT Director doesn't have the background to create that vision but the business expects him to. You can't ask somebody to do things they aren't trained to do.  
    I'm hoping that more and more companies will start seeing the Architect / Security Architect position as a value creator instead than just another 150K salary :D 
    I agree, see this a lot myself
  • Pmorgan2Pmorgan2 Member Posts: 116 ■■■■□□□□□□
    bigdogz said:
    I have already posted this once from someone else... I think this should be a sticky.... I hope this helps.



    Just so happens, I was just about to post an update to this with some on topic updates:
    beads said:
    Yeah but I didn't comment on a certification to help get you there. Just a list of common technologies that I find architects sorely lacking.

    Bead/s is right that Security and/or Enterprise Architecture is more about knowledge over a long career than certifications. But there are a few that can be situationally helpful.
    2021 Goals: WGU BSCSIA, CEH, CHFI | 2022 Goals: WGU MSCSIA, AWS SAA, AWS Security Specialist
  • bigdogzbigdogz Member Posts: 881 ■■■■■■■■□□
    @Pmorgan2
    I really think that YMMV depending on what type of organization you work for or your future employer.

    I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them.
  • scascscasc Member Posts: 461 ■■■■■■■□□□
    edited November 2019
    From what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening. 

    Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above. 

    On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting. 

    Enterprise level is a different story as its more strategy, governance and roadmap focused. This is where your architecture frameworks (depending on which one you follow) come in handy. I am yet to see anybody a pure player in TOGAF or SABSA but they take what they need. If you go down this route its nice to be certified against something to show you have that baseline knowledge but knowing how to apply it is key. For example, part 1 of SABSA teaches the mechanics but I've heard only if you do part to (A3 design for example) you really learn how to apply it.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • Pmorgan2Pmorgan2 Member Posts: 116 ■■■■□□□□□□
    bigdogz said:
    I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them.
    That is definitely true. I didn't mean to say that certifications are not useful for architecture. In addition to clout with the vendors, those certs give you and your company clout with customers as well.
    2021 Goals: WGU BSCSIA, CEH, CHFI | 2022 Goals: WGU MSCSIA, AWS SAA, AWS Security Specialist
  • bigdogzbigdogz Member Posts: 881 ■■■■■■■■□□
    Pmorgan2 said:
    bigdogz said:
    I have found that my credentials give me a better chance in an Enterprise / Security Architecture role because those certifications help my employer with a higher support level which gives quicker response times. It really comes in handy for Cisco, VMware, Juniper, and other vendor certifications. I also find that I get more recognition with the credentials than other co workers who do not have them.
    That is definitely true. I didn't mean to say that certifications are not useful for architecture. In addition to clout with the vendors, those certs give you and your company clout with customers as well.
    I know what you were saying. I know that having the certs is secondary to the knowledge. :)
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    scasc said:
    From what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening. 

    Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above.

    On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting. 

    I have also looked at 530/545 but unfortunately, would need to be self funded, so I decided to hold off. They both look great 

    For those currently in security architecture roles or pursuing them, are you working for (or plan to work for) resellers/vars or for enterprise?


    I think I will be adding CCSP to my cert plan, as well as AWS and Azure security certs. The question is do that look at the AWS/Azure architect certs first? 

    I may even revisit the ccie security down the road. That’s a big maybe 

  • scascscasc Member Posts: 461 ■■■■■■■□□□
    MitM said:
    scasc said:h
    From what I have seen, security architecture (solution based) looks fundamentally at what you can bring to the table from an experience perspective and asks for the typical set of certs - most notably CISSP/CISM. I did the ISSAP training earlier in the summer and it was a deeper focus on the architecture elements as compared to CISSP but was told by the instructor that ISC2 themselves are not much bothered about ISSAP (hence have not updated the book etc.) as they see less demand for this cert. They are positioning themselves more around CCSP and Cloud as they see the market going down this route a lot more - which makes sense if you see the projects happening. 

    Getting cloud certs is good (generic like CCSP/CCSK and specialist such as AWS CSA/Azure Sec Engineer) but ultimately what you bring to the table is worth its weight in gold - and by having the typical certs mentioned above.

    On a side note, I'm looking at SANS' architecture courses - 530/545 myself - both look interesting. 

    I have also looked at 530/545 but unfortunately, would need to be self funded, so I decided to hold off. They both look great 

    For those currently in security architecture roles or pursuing them, are you working for (or plan to work for) resellers/vars or for enterprise?


    I think I will be adding CCSP to my cert plan, as well as AWS and Azure security certs. The question is do that look at the AWS/Azure architect certs first? 

    I may even revisit the ccie security down the road. That’s a big maybe 

    I reckon go for the AWS/Azure certs first as you will enjoy them. Very interesting and practical. After you have developed a decent understanding of the concepts do CCSP - which is more theory (think abstraction and pooling of resources at hardware layer). 

    I did AWS CSA then Security engineering on AWS before doing CCSK/CCSP and glad I did as it gave me a decent foundation which I was grateful for. 

    I see a lot of this stuff heading down the cloud way which is the way forward. 
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
Sign In or Register to comment.