Summary
A principal security architect works on services of high complexity and risk, making decisions to enable the business to achieve its needs.
At this role level, you will:
- work on projects with high strategic impact, setting a strategy that can be used in the long term and across the breadth of the organisation
- communicate with a broad range of senior stakeholders and be responsible for defining the vision, principles and strategy for security architects
- recommend security design across several projects or technologies, up to an organisational or inter-organisational level
- have a deep and evolving level of technical expertise, so you can act as an exemplar
- make and influence important business and architectural decisions
- research, identify, validate and adopt new technologies and methodologies
- be a recognised expert and demonstrate this expertise by solving unprecedented issues and problems
- further the profession, demonstrating and sharing best practice within and outside the organisation
Background
Background Components
Description | Background
---|---
Is familiar with the principles and practices involved in development and maintenance and in service delivery. Has extensive technical understanding and the aptitude to remain up to date with IT security and developments. Possesses a comprehensive understanding of the business applications of IT. Is effective and persuasive in both written and verbal communication. | Prior Knowledge and Skills
Work Activity Components
Title | Details
---|---
Development needs | Determines development needs for a professional practice area. Aligns development activities with organisational priorities, learning and development strategies and career pathways.
Communities of practice | Promotes the establishment and ongoing development of one or more communities of practice (CoP). Encourages participation and ensures alignment with organisational needs.
Compliance | Ensures compliance between business strategies and information security. Takes steps to ensure the organisation complies with GDPR regulations.
Risks and vulnerability | Contributes to the development of organisational strategies that address information control requirements. Prepares and maintains a business strategy and plan for information security activities which addresses the evolving business risk and information control requirements, and is consistent with relevant IT and business plans, budgets, strategies, etc.
Policy and strategy | Oversees the delivery of the security components of enterprise architectures. Ensures architectural principles are applied during design to reduce risk, and drives adoption and adherence to policy, standards and guidelines.
Security architecture development | Leads development of security architectures for complex solutions, ensuring consistency with specified requirements agreed with both external and internal customers. Takes full responsibility for ensuring that security architectures balance functional and non-functional (e.g. service quality and systems management) requirements within a significant area of the organisation.
Evaluation and selection | Establishes policy and strategy for the selection of security architecture components and takes responsibility for the strategy and methods used in implementing a security architecture in a significant area of the organisation. Manages the organisation’s security strategies, policies, standards and practices, ensures that they are applied correctly, and promotes consistency.
Security assurance | Takes responsibility for the technical integrity of security designs, ensuring for example that reusable elements are recognised, and that work is not unnecessarily duplicated. Ensures that all changes are managed effectively and contributes to formal reviews and evaluations when projects and programmes end.
Coordination | Manages or coordinates the security architecture function within an organisation.
Knowledge/Skills
Knowledge/Skills Components
Title | Depth | Details | Type
---|---|---|---
Conceptual Thinking | | Acquiring understanding and insights regarding the underlying issues in complex problems or situations through the development of abstract representations, the identification of patterns and the analysis of hypotheses. | Behavioural Skills
Strategic Perspective | | Keeping organisational objectives and strategies in mind and ensuring courses of action are aligned with the strategic context. | Behavioural Skills
Organisational Awareness | | Understanding the hierarchy and culture of own, customer, supplier and partner organisations and being able to identify the decision makers and influencers. | Behavioural Skills
Cross-Functional and Inter-Disciplinary Awareness | | Understanding the needs, objectives and constraints of those in other disciplines and functions. | Behavioural Skills
Interacting with People | | Establishing relationships, contributing to an open culture and maintaining contacts with people from a variety of backgrounds and disciplines. Effective, approachable and sensitive communicator in different communities and cultures. Ability to adapt style and approach to meet the needs of different audiences. | Behavioural Skills
Influence, Persuasion and Personal Impact | | Conveying a level of confidence and professionalism when engaging with stakeholders, influencing positively and persuading others to take a specific course of action when not in a position of authority. | Behavioural Skills
Teamwork | | Working collaboratively with others to achieve a common goal. | Behavioural
Application Systems | Familiar with | Technical or functional understanding of Commercial Off-the-Shelf (COTS) applications and/or other bespoke software deployed within the organisation in order to provide system configuration, audit, technical, and/or functional support. | Technical Knowledge and Skills
National/International Standards | Proficient in | Current and emerging standards associated with IT practice nationally and internationally, published by authorities such as IEEE, IEC, BSI, ISO. | Technical Knowledge and Skills
Networking and Communications | Proficient in | The planning and management of the interaction between two or more networking systems, computers or other intelligent devices. | Technical Knowledge and Skills
Operational/Service Architecture | Proficient in | Knowledge of the IT/IS infrastructure and the IT applications and service processes used within own organisation, including those associated with sustainability and efficiency. | Technical Knowledge and Skills
IT Audit | Proficient in | Principles, practices, tools and techniques of IT auditing. | Technical Knowledge and Skills
Access Control Systems | Expert in | Any tool or system which provides security access control (i.e. prevents unauthorised access to systems). | Technical Knowledge and Skills
Business Environment | Expert in | The business environment relating to own sphere of work (own organisation and/or closely associated organisations, such as customers, suppliers, partners and competitors), in particular those aspects of the business that the specialism is to support (i.e. localised organisational awareness from a technical perspective). | Technical Knowledge and Skills
Big Data | Familiar with | The discipline associated with data sets so large and/or complex that traditional data processing applications are inadequate. The data files may include structured, unstructured and/or semi-structured data, such as unstructured text, audio, video, etc. Challenges include analysis, capture, curation, search, sharing, storage, transfer, manipulation, visualization and information privacy. | Technical Knowledge and Skills
Cloud/Virtualisation | Proficient in | The principles and application of cloud/virtualisation (including ownership, responsibilities and security implications). Use of tools and systems to manage virtualised environments. | Technical Knowledge and Skills
BYOD | Proficient in | The policy of permitting employees to bring personally owned mobile devices (laptops, tablets, smartphones etc.) to their workplace, and the implications of using those devices to access privileged company information and applications, consistent with safeguarding corporate systems and data and taking account of security and confidentiality requirements. Also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC). | Technical Knowledge and Skills
Network Data Security | Expert in | Network security and threat mitigation, including physical, electronic, firewalling, encryption, access, and authorisation; protecting data at rest and in transit; defending against viruses and malware; the impact of Big Data; and the integration of robust security controls into enterprise services and policies. | Technical Knowledge and Skills
Infrastructure/System Security | Expert in | The security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components, and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents affecting system hardware, software and other infrastructure components. | Technical Knowledge and Skills
Techniques for Effective Meetings | Proficient in | Methods and techniques for running effective meetings and for understanding and influencing the roles played by participants. | Other Knowledge and Skills
Coaching Techniques | Proficient in | Methods and techniques for coaching individuals or groups by a balanced combination of support and direction, including use of virtual learning environments plus add-ons to augment feedback specific to work items, workflow or career plans. | Other Knowledge and Skills
Standards Writing Techniques | Proficient in | Principles, methods and techniques for establishing, documenting, and maintaining standards. | Other Knowledge and Skills
Training Activities
Training Components
Title | Details
---|---
Technology Products for Future | Technology products or solutions that are potentially of use to the organisation.
Strategic Planning for Information and Communications Systems | The process of defining the ICT strategic plan of an organisation in a methodical way based on business aims and objectives, thereby enabling the specification of options and associated action plans for the use of IT-enabled business processes.
Software Configuration | Installation, configuration and tuning of applications or systems software.
Coaching | Concepts, methods and techniques for providing coaching in subject specialisms to individuals or groups (e.g. GROW model).
Human Resource Planning | Techniques and practices involved in planning the numbers and types of personnel needed over time by a particular skillset, department or function within an organisation.
Mentoring | Methods and techniques for providing mentoring support to less experienced individuals.
Solution Architecture | Methods, tools and techniques for architecture design and development to provide an understanding of the critical architecture terms and concepts and how to apply them across typical architecture domains — business, applications, data and infrastructure.
PDAs
PDA Components
Title | Details
---|---
Job Shadowing and Special Assignments | Undertaking temporary periods or secondments in other roles, inside or outside IT, particularly those that offer a new perspective on own function or exposure to other environments and cultures.
Project Assignments | Participating in a project team, working group or task force established to deliver a solution to a specific problem or issue – especially valuable if the group is inter-disciplinary.
Mentoring | Acting as a mentor, advising those for whom there is no direct responsibility, on matters to do with their job role, career and professional development.
Gaining Knowledge of Broader IT Issues | Increasing and maintaining currency of knowledge of broader IT issues through reading, attending and participating in seminars or conferences, special studies, temporary assignments etc.
Gaining Strategic Knowledge of Employing Organisation | Developing a comprehensive understanding of the business environment in which the employing organisation operates and its position, policies and direction in relation to industry, country and global issues.
Gaining Knowledge of Standards and Legislation | Gaining and maintaining knowledge of relevant national and international standards and legislation.
Participation in Professional Body Affairs | Taking an active part in professional body affairs at branch, specialist group, committee or board level.
Qualifications
Qualification Components
Title | Awarding Body
---|---
CISM Certified Information Security Manager | ISACA
Chartered IT Professional (CITP) | BCS – The Chartered Institute for IT
FEDIP Leading Practitioner | FEDIP
Organisation Skills
Framework » Organisation Category » Subcategory | Skill Name and Description | Level
---|---|---
DDaT » Security Architect | Security Architect – Analysis: You can visualise and articulate complex problems and concepts by interrogating and using data or intelligence, formulating and influencing solutions and plans. You can interpret complex business and technical issues and identify a viable solution or control. You can understand and link complex and diverse sets of information to inform the response and approach (for example, identifying vulnerabilities and their impact). | 4 – Expert: You can provide direction and lead on change regarding factors that feed into analysis. You can monitor changes in the technical environment and assess whether risks are still at acceptable levels or whether previous decisions need to be revisited. You can direct and influence others on best practice and policy.
DDaT » Security Architect | Security Architect – Communication (security architect): You can understand security concepts deeply enough to engage with security technologists and communicate in language that’s appropriate to your audience. You can successfully respond to challenges. | 4 – Expert: You can demonstrate expert understanding of security concepts and can apply them to a technical level, at the highest levels of risk complexity. You can effectively translate and accurately communicate security and risk implications at the most senior levels across technical and non-technical stakeholders. You can successfully respond to challenges. You can manage stakeholder expectations across high risk and complexity or under constrained timescales.
DDaT » Security Architect | Security Architect – Designing secure systems: You can design secure system architectures through the application of patterns and principles, to meet user needs while managing risks. You can identify security issues in system architectures. | 4 – Expert: You can lead design and review solutions to complex problems with system architectures by defining and challenging patterns and principles. You can create precedents and set direction.
DDaT » Security Architect | Security Architect – Enabling and informing risk-based decisions: You can make and guide effective decisions on risk, explaining clearly how the decision has been reached. You can make decisions proportionate to the level of technical complexity and risk. | 4 – Expert: You can act as a point of escalation. You can be trusted by senior risk owners as an expert in security. You can apply risk methodologies at the most complex levels of
DDaT » Security Architect | Security Architect – Research and innovation: You can understand and correctly apply a range of user research methods. You can choose appropriate methods for different situations or phases of a product life cycle. | 3 – Practitioner: You can contribute to and inform developments on security properties in technology. You can identify new technologies and design the use of these in the business context across the organisation. You can engage with the broader security community
DDaT » Security Architect | Security Architect – Security technology: You can demonstrate knowledge of system architectures. You can understand the risk impact of vulnerabilities on existing and future designs and systems. You can identify how easy or difficult it will be to exploit these vulnerabilities. | 4 – Expert: You can demonstrate strong knowledge of system architectures. You can understand and articulate the impact of vulnerabilities on existing and future designs and systems, and how easy or difficult it will be to exploit these vulnerabilities. You can be recognised as an expert by peers in the broader security industry.
DDaT » Security Architect | Security Architect – Understanding security implications of transformations: You can work with business and technology stakeholders to understand the security implications of business change. You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist in the development of technical solutions or controls. | 4 – Expert: You can challenge and lead changes to policy and processes to support business outcomes, business architecture, and legal and political implications.
This job role profile was created in collaboration with BCS, using Role Model Plus. BCS is the professional body that has the responsibility of updating this job family.