Lead Security Architect

Summary

A lead security architect undertakes complex work of a high risk level, often working on several projects.

At this role level, you will:

  • interact with senior stakeholders across departments

  • reach and influence a wide range of people across larger teams and communities

  • research and apply innovative security architecture solutions to new or existing problems and be able to justify and communicate design decisions

  • develop vision, principles and strategy for security architects for one project or technology

  • work out subtle security needs

  • understand the impact of decisions, balancing requirements and deciding between approaches

  • produce particular patterns and support quality assurance

  • be the point of escalation for architects in lower grade roles

  • lead the technical design of systems and services

Background

Background Components

Description Background

Has extensive knowledge of the principles and practices involved in development and maintenance and in service delivery. Has good technical understanding and the aptitude to remain up to date with IT security and developments. Possesses a general understanding of the business applications of IT. Is effective and persuasive in both written and oral communication.

Prior Knowledge and Skills

Work Activity Components

Title Details

Development needs

Supports the identification and prioritisation of development needs for a professional practice area. Identifies development activities that align with organisational priorities, learning and development strategies and career pathways.

Communities of practice

Provides advice, guidance and, where appropriate, support for the establishment and organisation of communities of practice.

Compliance

Reviews compliance with information security policies and standards. Assesses configurations and security procedures for adherence to legal and regulatory requirements.

Risks and vulnerability

Identifies threats to the confidentiality, integrity, availability, accountability and relevant compliance of information systems. Conducts risk, vulnerability and business impact assessments of business applications and computer installations and recommends appropriate action to management.

Policy and strategy

Contributes to development of information security policy, standards and guidelines.

Security architecture development

Leads the development of security architectures in specific business, infrastructure or functional areas. Ensures that appropriate tools and methods are available, understood and employed in architecture development. Educates and ensures an understanding of non-functional requirements by all stakeholders.

Evaluation and selection

Develops product short-lists and evaluation criteria then uses them in product selection, in accordance with policy and strategy for the selection of security architecture components. Translates component specifications into detailed designs for implementation using selected

Security assurance

Advises on appropriate security assurance criteria, and the conduct of quality reviews of technical products. Ensures change control is applied to specifications and designs. Ensures the adequacy and effective use of quality control procedures in relation to security architecture components.

Knowledge/Skills

Knowledge/Skills Components

Title Depth Details Type

Analytical Thinking

Acquiring a proper understanding of a problem or situation by breaking it down systematically into its component parts and identifying the relationships between these parts. Selecting the appropriate method/tool to resolve the problem and reflecting critically on the result, so that what is learnt is identified and assimilated.

Behavioural Skills

Attention to Detail

Applying specific quality standards to all tasks undertaken to ensure that deliverables are accurate and complete.

Behavioural Skills

Cross-Functional and Inter-Disciplinary Awareness

Understanding the needs, objectives and constraints of those in other disciplines and functions.

Behavioural Skills

Interacting with People

Establishing relationships, contributing to an open culture and maintaining contacts with people from a variety of backgrounds and disciplines. Effective, approachable and sensitive communicator in different communities and cultures. Ability to adapt style and approach to meet the needs of different audiences.

Behavioural Skills

Influence, Persuasion and Personal Impact

Conveying a level of confidence and professionalism when engaging with stakeholders, influencing positively and persuading others to take a specific course of action when not in a position of authority.

Behavioural Skills

Teamwork

Working collaboratively with others to achieve a common goal.

Behavioural

Application Systems

Familiar with

Technical or functional understanding of Commercial Off-the-Shelf (COTS) applications and/or other bespoke software deployed within the organisation in order to provide system configuration, audit, technical, and/or functional support.

Technical Knowledge and Skills

National/International Standards

Familiar with

Current and emerging standards associated with IT practice nationally and internationally, published by authorities such as IEEE, IEC, BSI, ISO.

Technical Knowledge and Skills

Networking and Communications

Familiar with

The planning and management of the interaction between two or more networking systems, computers or other intelligent devices.

Technical Knowledge and Skills

Operational/Service Architecture

Proficient in

Knowledge of the IT/IS infrastructure and the IT applications and service processes used within own organisation, including those associated with sustainability and efficiency.

Technical Knowledge and Skills

IT Audit

Familiar with

Principles, practices, tools and techniques of IT auditing.

Technical Knowledge and Skills

Access Control Systems

Proficient in

Any tool or system which provides security access control (i.e. prevents unauthorised access to systems).

Technical Knowledge and Skills

Business Environment

Proficient in

The business environment relating to own sphere of work (own organisation and/or closely associated organisations, such as customers, suppliers, partners and competitors), in particular those aspects of the business that the specialism is to support (i.e. localised organisational awareness from a technical perspective).

Technical Knowledge and Skills

Big Data

Familiar with

The discipline associated with data sets so large and/or complex that traditional data processing applications are inadequate. The data files may include structured, unstructured and/or semi-structured data, such as unstructured text, audio, video, etc. Challenges include analysis, capture, curation, search, sharing, storage, transfer, manipulation, analysis, visualization and information privacy.

Technical Knowledge and Skills

Cloud/Virtualisation

Proficient in

The principles and application of cloud/ virtualisation (including ownership, responsibilities and security implications). Use of tools and systems to manage virtualised environments.

Technical Knowledge and Skills

BYOD

Proficient in

The policy of permitting employees to bring personally owned mobile devices (laptops, tablets, smart phones etc) to their workplace, and the implications of using those devices to access privileged company information and applications consistent with safeguarding corporate systems and data taking account of security and confidentiality requirements. Also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC).

Technical Knowledge and Skills

Network Data Security

Proficient in

Network security and threat mitigation, including physical, electronic, firewalling, encryption, access, and authorisation; protecting data at rest and in transit; defending against viruses and malware; the impact of Big Data; and the integration of robust security controls into enterprise services and policies.

Technical Knowledge and Skills

Infrastructure/System Security

Proficient in

The security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components, and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents affecting system hardware, software and other infrastructure components.

Technical Knowledge and Skills

Techniques for Effective Meetings

Familiar with

Methods and techniques for running effective meetings and for understanding and influencing the roles played by participants.

Other Knowledge and Skills

Coaching Techniques

Familiar with

Methods and techniques for coaching individuals or groups by a balanced combination of support and direction, including use of virtual learning environments plus add-ons to augment feedback specific to work items, workflow or career plans.

Other Knowledge and Skills

Standards Writing Techniques

Familiar with

Principles, methods and techniques for establishing, documenting, and maintaining standards.

Other Knowledge and Skills

Training Activities

Training Components

Title Details

Software Configuration

Installation, configuration and tuning of applications or systems software.

Security Software

Understanding the security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents. For example access control software like Active Directory (AD).

Coaching

Concepts, methods and techniques for providing coaching in subject specialisms to individuals or groups (e.g. GROW model).

Mentoring

Methods and techniques for providing mentoring support to less experienced individuals.

Solution Architecture

Methods, tools and techniques for architecture design and development to provide an understanding of the critical architecture terms and concepts and how to apply them across typical architecture domains — business, applications, data and infrastructure.

PDAs

PDA Components

Title Details

Deputising

Standing in for supervisor or manager on a temporary basis during periods of absence.

Job Shadowing and Special Assignments

Undertaking temporary periods or secondments in other roles, inside or outside IT, particularly those that offer a new perspective on own function or exposure to other environments and cultures.

Project Assignments

Participating in a project team, working group or task force established to deliver a solution to a specific problem or issue – especially valuable if the group is inter-disciplinary.

Mentoring

Acting as a mentor, advising those for whom there is no direct responsibility, on matters to do with their job role, career and professional development.

Research Assignments

Exploring a topic which is not part of own normal responsibilities and presenting findings to colleagues and/or management

Gaining Knowledge of Broader IT Issues

Increasing and maintaining currency of knowledge of broader IT issues through reading, attending and participating in seminars or conferences, special studies, temporary assignments etc.

Gaining Strategic Knowledge of Employing Organisation

Developing a comprehensive understanding of the business environment in which the employing organisation operates and its position, policies and direction in relation to industry, country and global issues.

Participation in Professional Body Affairs

Taking an active part in professional body affairs at branch, specialist group, committee or board level.

Negotiating and Influencing

Undertaking learning and practice of negotiating with and influencing others.

Qualifications

Qualification Components

Title Awarding Body

CISM Certified Information Security Manager

ISACA

Chartered IT Professional (CITP)

BCS – The Chartered Institute for IT

FEDIP Advanced Practitioner

FEDIP

Organisation Skills

Framework » Organisation
Category » Subcategory
Skill Name and Description Level

DDaT » Security Architect

Security Architect – Analysis

You can visualise and articulate complex problems and concepts by interrogating and using data or intelligence, formulating and influencing solutions and plans. You can interpret complex business and technical issues and identify a viable solution or control. You can understand and link complex and diverse sets of information to inform the response and approach (for example, identifying vulnerabilities and their impact).

3 – Practitioner

You can monitor the analysis of a technical solution and ensure analysis is reused for similar problem sets. You can review solutions and identify areas for change. You can drive the collection of information that is used and analysed. You can feed back on policy and requirements.

DDaT » Security Architect

Security Architect – Communication (security architect)

You can understand security concepts deeply enough to engage with security technologists and communicate in language that’s appropriate to your audience. You can successfully respond to challenges.

3 – Practitioner

You can demonstrate a deep understanding of security concepts and can apply them to a technical level. You can effectively translate and accurately communicate security and risk implications to technical and non-technical stakeholders. You can successfully respond to challenges. You can manage stakeholder expectations and be flexible, adapting to stakeholder reactions to reach consensus.

DDaT » Security Architect

Security Architect – Designing secure systems

You can design secure system architectures through the application of patterns and principles, to meet user needs while managing risks. You can identify security issues in system architectures.

3 – Practitioner

You can design and review system architectures through the development of patterns and principles.

DDaT » Security Architect

Security Architect – Enabling and informing risk-based decisions

You can make and guide effective decisions on risk, explaining clearly how the decision has been reached. You can make decisions proportionate to the level of technical complexity and risk.

3 – Practitioner

You can work with higher impact or more complex risks, advising on the impact and whether this is within risk tolerance. You can apply different risk methodologies in proportion to the risk in question.

DDaT » Security Architect

Security Architect – Research and innovation

You can understand and correctly apply a range of user research methods. You can choose appropriate methods for different situations or phases of a product life cycle.

3 – Practitioner

You can contribute to and inform developments on security properties in technology. You can identify new technologies and design the use of these in the business context across the organisation. You can engage with the broader security community.

DDaT » Security Architect

Security Architect – Security technology

You can demonstrate knowledge of system architectures. You can understand and articulate the impact of vulnerabilities on existing and future designs and systems, and can articulate a response. You can demonstrate broad knowledge of a range of systems, but may specialise in one.

4 – Working

You can demonstrate knowledge of system architectures, understand and articulate the impact of vulnerabilities on existing and future designs and systems, and can articulate a response. You can demonstrate broad knowledge of a range of systems, but may specialise in one.

DDaT » Security Architect

Security Architect – Understanding security implications of transformations

You can work with business and technology stakeholders to understand the security implications of business change. You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist in the development of technical solutions or controls.

3 – Practitioner

You can interpret and apply understanding across a complex area. You can start influencing policy and process, business architecture, and legal and political implications.

This job role profile was created in collaboration with BCS, using Role Model Plus. BCS is the professional body that has the responsibility of updating this job family.

Give Feedback

The Occupational Architecture Project is interative and dynamic


If you would like to provide feedback on this job role, or the job families, please click the button below.

Give Feedback