Principal Security Architect


A principal security architect works on services of high complexity and risk, making decisions to enable the business to achieve its needs.

At this role level, you will:

  • work on projects with high strategic impact, setting a strategy that can be used in the long term and across the breadth of the organisation

  • communicate with a broad range of senior stakeholders and be responsible for defining the vision, principles and strategy for security architects

  • recommend security design across several projects or technologies, up to an organisational or inter-organisational level

  • have a deep and evolving level of technical expertise, so you can act as an exemplar

  • make and influence important business and architectural decisions

  • research, identify, validate and adopt new technologies and methodologies

  • be a recognised expert and demonstrate this expertise by solving unprecedented issues and problems

  • further the profession, demonstrating and sharing best practice within and outside the organisation


Background Components

Description Background

Is familiar with the principles and practices involved in development and maintenance and in service delivery. Has extensive technical understanding and the aptitude to remain up to date with IT security and developments. Possesses a comprehensive understanding of the business applications of IT. Is effective and persuasive in both written and verbal communication.

Prior Knowledge and Skills

Work Activity Components

Title Details

Development needs

Determines development needs for a professional practice area. Aligns development activities with organisational priorities, learning and development strategies and career pathways.

Communities of practice

Promotes the establishment and ongoing development of one or more community of practice (CoP). Encourages participation and ensures alignment with organisational needs.


Ensures compliance between business strategies and information security. Takes steps to ensure the organisation complies with GDPR regulations.

Risks and vulnerability

Contributes to the development of organisational strategies that address information control requirements. Prepares and maintains a business strategy and plan for information security activities which addresses the evolving business risk and information control requirements, and is consistent with relevant IT and business plans, budgets, strategies, etc.

Policy and strategy

Oversees the delivery of the security components of enterprise architectures. Ensures architectural principles are applied during design to reduce risk, and drives adoption and adherence to policy, standards and guidelines.

Security architecture development

Leads development of security architectures for complex solutions, ensuring consistency with specified requirements agreed with both external and internal customers. Takes full responsibility for ensuring that security architectures balance functional and non-functional (e.g. service quality and systems management) requirements within a significant area of the organisation.

Evaluation and selection

Establishes policy and strategy for the selection of security architecture components and takes responsibility for the strategy and methods used in implementing a security architecture in a significant area of the organisation. Manages the organisation’s security strategies, policies, standards and practices, ensures that they are applied correctly, and promotes consistency.

Security assurance

Takes responsibility for the technical integrity of security designs, ensuring for example that reusable elements are recognised, and that work is not unnecessarily duplicated. Ensures that all changes are managed effectively and contributes to formal reviews and evaluations when projects and programmes end.


Manages or coordinates the security architecture function within an organisation.


Knowledge/Skills Components

Title Depth Details Type

Conceptual Thinking

Acquiring understanding and insights regarding the underlying issues in complex problems or situations through the development of abstract representations, the identification of patterns and the analysis of hypotheses.

Behavioural Skills

Strategic Perspective

Keeping organisational objectives and strategies in mind and ensuring courses of action are aligned with the strategic context.

Behavioural Skills

Organisational Awareness

Understanding the hierarchy and culture of own, customer, supplier and partner organisations and being able to identify the decision makers and influencers.

Behavioural Skills

Cross-Functional and Inter-Disciplinary Awareness

Understanding the needs, objectives and constraints of those in other disciplines and functions.

Behavioural Skills

Interacting with People

Establishing relationships, contributing to an open culture and maintaining contacts with people from a variety of backgrounds and disciplines. Effective, approachable and sensitive communicator in different communities and cultures. Ability to adapt style and approach to meet the needs of different audiences.

Behavioural Skills

Influence, Persuasion and Personal Impact

Conveying a level of confidence and professionalism when engaging with stakeholders, influencing positively and persuading others to take a specific course of action when not in a position of authority.

Behavioural Skills


Working collaboratively with others to achieve a common goal.


Application Systems

Familiar with

Technical or functional understanding of Commercial Off-the-Shelf (COTS) applications and/or other bespoke software deployed within the organisation in order to provide system configuration, audit, technical, and/or functional support.

Technical Knowledge and Skills

National/International Standards

Proficient in

Current and emerging standards associated with IT practice nationally and internationally, published by authorities such as IEEE, IEC, BSI, ISO.

Technical Knowledge and Skills

Networking and Communications

Proficient in

The planning and management of the interaction between two or more networking systems, computers or other intelligent devices.

Technical Knowledge and Skills

Operational/Service Architecture

Proficient in

Knowledge of the IT/IS infrastructure and the IT applications and service processes used within own organisation, including those associated with sustainability and efficiency.

Technical Knowledge and Skills

IT Audit

Proficient in

Principles, practices, tools and techniques of IT auditing.

Technical Knowledge and Skills

Access Control Systems

Expert in

Any tool or system which provides security access control (i.e. prevents unauthorised access to systems).

Technical Knowledge and Skills

Business Environment

Expert in

The business environment relating to own sphere of work (own organisation and/or closely associated organisations, such as customers, suppliers, partners and competitors), in particular those aspects of the business that the specialism is to support (i.e. localised organisational awareness from a technical perspective).

Technical Knowledge and Skills

Big Data

Familiar with

The discipline associated with data sets so large and/or complex that traditional data processing applications are inadequate. The data files may include structured, unstructured and/or semi-structured data, such as unstructured text, audio, video, etc. Challenges include analysis, capture, curation, search, sharing, storage, transfer, manipulation, analysis, visualization and information privacy.

Technical Knowledge and Skills


Proficient in

The principles and application of cloud/ virtualisation (including ownership, responsibilities and security implications). Use of tools and systems to manage virtualised environments.

Technical Knowledge and Skills


Proficient in

The policy of permitting employees to bring personally owned mobile devices (laptops, tablets, smart phones etc) to their workplace, and the implications of using those devices to access privileged company information and applications consistent with safeguarding corporate systems and data taking account of security and confidentiality requirements. Also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC).

Technical Knowledge and Skills

Network Data Security

Expert in

Network security and threat mitigation, including physical, electronic, firewalling, encryption, access, and authorisation; protecting data at rest and in transit; defending against viruses and malware; the impact of Big Data; and the integration of robust security controls into enterprise services and policies.

Technical Knowledge and Skills

Infrastructure/System Security

Expert in

The security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components, and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents affecting system hardware, software and other infrastructure components.

Technical Knowledge and Skills

Techniques for Effective Meetings

Proficient in

Methods and techniques for running effective meetings and for understanding and influencing the roles played by participants.

Other Knowledge and Skills

Coaching Techniques

Proficient in

Methods and techniques for coaching individuals or groups by a balanced combination of support and direction, including use of virtual learning environments plus add-ons to augment feedback specific to work items, workflow or career plans.

Other Knowledge and Skills

Standards Writing Techniques

Proficient in

Principles, methods and techniques for establishing, documenting, and maintaining standards.

Other Knowledge and Skills

Training Activities

Training Components

Title Details

Technology Products for Future

Technology products or solutions that are potentially of use to the organisation.

Strategic Planning for Information and Communications Systems

The process of defining the ICT strategic plan of an organisation in a methodical way based on business aims and objectives thereby enabling the specification of options and associated action plans for the use of IT-enabled business processes.

Software Configuration

Installation, configuration and tuning of applications or systems software.


Concepts, methods and techniques for providing coaching in subject specialisms to individuals or groups (e.g. GROW model).

Human Resource Planning

Techniques and practices involved in planning the numbers and types of personnel needed over time by a particular skillset, department or function within an organisation.


Methods and techniques for providing mentoring support to less experienced individuals.

Solution Architecture

Methods, tools and techniques for architecture design and development to provide an understanding of the critical architecture terms and concepts and how to apply them across typical architecture domains — business, applications, data and infrastructure.


PDA Components

Title Details

Job Shadowing and Special Assignments

Undertaking temporary periods or secondments in other roles, inside or outside IT, particularly those that offer a new perspective on own function or exposure to other environments and cultures.

Project Assignments

Participating in a project team, working group or task force established to deliver a solution to a specific problem or issue – especially valuable if the group is inter-disciplinary.


Acting as a mentor, advising those for whom there is no direct responsibility, on matters to do with their job role, career and professional development.

Gaining Knowledge of Broader IT Issues

Increasing and maintaining currency of knowledge of broader IT issues through reading, attending and participating in seminars or conferences, special studies, temporary assignments etc.

Gaining Strategic Knowledge of Employing Organisation

Developing a comprehensive understanding of the business environment in which the employing organisation operates and its position, policies and direction in relation to industry, country and global issues.

Gaining Knowledge of Standards and Legislation

Gaining and maintaining knowledge of relevant national and international standards and legislation.

Participation in Professional Body Affairs

Taking an active part in professional body affairs at branch, specialist group, committee or board level.


Qualification Components

Title Awarding Body

CISM Certified Information Security Manager


Chartered IT Professional (CITP)

BCS – The Chartered Institute for IT

FEDIP Leading Practitioner


Organisation Skills

Framework » Organisation
Category » Subcategory
Skill Name and Description Level

DDaT » Security Architect

Security Architect – Analysis

You can visualise and articulate complex problems and concepts by interrogating and using data or intelligence, formulating and influencing solutions and plans. You can interpret complex business and technical issues and identify a viable solution or control. You can understand and link complex and diverse sets of information to inform the response and approach (for example, identifying vulnerabilities and their impact).

4 – Expert

You can provide direction and lead on change regarding factors that feed into analysis. You can monitor changes in the technical environment and assess whether risks are still at acceptable levels or whether previous decisions need to be revisited. You can direct and influence others on best practice and policy.

DDaT » Security Architect

Security Architect – Communication (security architect)

You can understand security concepts deeply enough to engage with security technologists and communicate in language that’s appropriate to your audience. You can successfully respond to challenges.

4 – Expert

You can demonstrate expert understanding of security concepts and can apply them to a technical level, at the highest levels of risk complexity. You can effectively translate and accurately communicate security and risk implications at the most senior levels across technical and non-technical stakeholders. You can successfully respond to challenges. You can manage stakeholder expectations across high risk and complexity or under constrained timescales.

DDaT » Security Architect

Security Architect – Designing secure systems

You can design secure system architectures through the application of patterns and principles, to meet user needs while managing risks. You can identify security issues in system architectures.

4 – Expert

You can lead design and review solutions to complex problems with system architectures by defining and challenging patterns and principles. You can create precedents and set direction.

DDaT » Security Architect

Security Architect – Enabling and informing risk-based decisions

You can make and guide effective decisions on risk, explaining clearly how the decision has been reached. You can make decisions proportionate to the level of technical complexity and risk.

4 – Expert

You can act as a point of escalation. You can be trusted by senior risk owners as an expert in security. You can apply risk methodologies at the most complex levels of

DDaT » Security Architect

Security Architect – Research and innovation

You can understand and correctly apply a range of user research methods. You can choose appropriate methods for different situations or phases of a product life cycle.

3 – Practitioner

You can contribute to and inform developments on security properties in technology. You can identify new technologies and design the use of these in the business context across the organisation. You can engage with the broader security community

DDaT » Security Architect

Security Architect – Security technology

You can demonstrate knowledge of system architectures. You can understand the risk impact of vulnerabilities on existing and future designs and systems. You can identify how easy or difficult it will be to exploit these vulnerabilities.

4 – Expert

You can demonstrate strong knowledge of system architectures. You can understand and articulate the impact of vulnerabilities on existing and future designs and systems, and how easy or difficult it will be to exploit these vulnerabilities. You can be recognised as an expert by peers in the broader security industry.

DDaT » Security Architect

Security Architect – Understanding security implications of transformations

You can work with business and technology stakeholders to understand the security implications of business change. You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist in the development of technical solutions or controls.

4 – Expert

You can challenge and lead changes to policy and processes to support business outcomes, business architecture, and legal and political implications.

This job role profile was created in collaboration with BCS, using Role Model Plus. BCS is the professional body that has the responsibility of updating this job family.

Give Feedback

The Occupational Architecture Project is interative and dynamic

If you would like to provide feedback on this job role, or the job families, please click the button below.

Give Feedback