Security Architect


A security architect creates and designs security for a system or service, maintains security documentation and develops architecture patterns and security approaches to new technologies.

At this role level, you will:

  • recommend security controls and identify solutions that support a business objective

  • provide specialist advice and recommend approaches across teams and various stakeholders

  • communicate widely with other stakeholders

  • advise on important security-related technologies and assess the risk associated with proposed changes

  • inspire and influence others to execute security principles

  • help review other people’s work


Background Components

Description Background

Is familiar with the principles and practices involved in development and maintenance and in service delivery. Has good technical understanding and the aptitude to remain up to date with IT security and developments. Possesses a general understanding of the business applications of IT. Is effective and persuasive in both written and oral communication.

Prior Knowledge and Skills

Work Activity Components

Title Details

Evaluation and selection

Identifies and evaluates alternative architectures and the trade-offs in cost, performance and scalability.


Contributes to compliance reviews. Assists in the assessment of configuration and security procedures for adherence to legal and regulatory requirements

Risks and vulnerability

Conducts business risk and vulnerability assessments and business impact analysis for medium- complexity information systems.

Security architecture development

Contributes to the development of security architectures in specific business or functional areas, using appropriate tools and methods.

Security assurance

Participates in quality reviews (e.g. fitness for purpose, quality attributes, non-functional requirements, risk) of security architecture components.


Knowledge/Skills Components

Title Depth Details Type

Analytical Thinking

Acquiring a proper understanding of a problem or situation by breaking it down systematically into its component parts and identifying the relationships between these parts. Selecting the appropriate method/tool to resolve the problem and reflecting critically on the result, so that what is learnt is identified and assimilated.

Behavioural Skills

Attention to Detail

Applying specific quality standards to all tasks undertaken to ensure that deliverables are accurate and complete.

Behavioural Skills

Cross-Functional and Inter-Disciplinary Awareness

Understanding the needs, objectives and constraints of those in other disciplines and functions.

Behavioural Skills

Interacting with People

Establishing relationships, contributing to an open culture and maintaining contacts with people from a variety of backgrounds and disciplines. Effective, approachable and sensitive communicator in different communities and cultures. Ability to adapt style and approach to meet the needs of different audiences.

Behavioural Skills


Working collaboratively with others to achieve a common goal.


Application Systems

Aware of

Technical or functional understanding of Commercial Off-the-Shelf (COTS) applications and/or other bespoke software deployed within the organisation in order to provide system configuration, audit, technical, and/or functional support.

Technical Knowledge and Skills

National/International Standards

Familiar with

Current and emerging standards associated with IT practice nationally and internationally, published by authorities such as IEEE, IEC, BSI, ISO.

Technical Knowledge and Skills

Networking and Communications

Familiar with

The planning and management of the interaction between two or more networking systems, computers or other intelligent devices.

Technical Knowledge and Skills

Operational/Service Architecture

Familiar with

Knowledge of the IT/IS infrastructure and the IT applications and service processes used within own organisation, including those associated with sustainability and efficiency.

Technical Knowledge and Skills

IT Audit

Aware of

Principles, practices, tools and techniques of IT auditing.

Technical Knowledge and Skills

Access Control Systems

Proficient in

Any tool or system which provides security access control (i.e. prevents unauthorised access to systems).

Technical Knowledge and Skills

Business Environment

Familiar with

The business environment relating to own sphere of work (own organisation and/or closely associated organisations, such as customers, suppliers, partners and competitors), in particular those aspects of the business that the specialism is to support (i.e. localised organisational awareness from a technical perspective).

Technical Knowledge and Skills

Big Data

Aware of

The discipline associated with data sets so large and/or complex that traditional data processing applications are inadequate. The data files may include structured, unstructured and/or semi-structured data, such as unstructured text, audio, video, etc. Challenges include analysis, capture, curation, search, sharing, storage, transfer, manipulation, analysis, visualization and information privacy.

Technical Knowledge and Skills


Familiar with

The principles and application of cloud/ virtualisation (including ownership, responsibilities and security implications). Use of tools and systems to manage virtualised environments.

Technical Knowledge and Skills


Familiar with

The policy of permitting employees to bring personally owned mobile devices (laptops, tablets, smart phones etc) to their workplace, and the implications of using those devices to access privileged company information and applications consistent with safeguarding corporate systems and data taking account of security and confidentiality requirements. Also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC).

Technical Knowledge and Skills

Network Data Security

Proficient in

Network security and threat mitigation, including physical, electronic, firewalling, encryption, access, and authorisation; protecting data at rest and in transit; defending against viruses and malware; the impact of Big Data; and the integration of robust security controls into enterprise services and policies.

Technical Knowledge and Skills

Infrastructure/System Security

Proficient in

The security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components, and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents affecting system hardware, software and other infrastructure components.

Technical Knowledge and Skills

Techniques for Effective Meetings

Aware of

Methods and techniques for running effective meetings and for understanding and influencing the roles played by participants.

Other Knowledge and Skills

Standards Writing Techniques

Aware of

Principles, methods and techniques for establishing, documenting, and maintaining standards.

Other Knowledge and Skills

Training Activities

Training Components

Title Details

Project Planning and Control

Project planning and control methods and techniques including budgeting and financial control.

Software Configuration

Installation, configuration and tuning of applications or systems software.

Security Software

Understanding the security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents. For example access control software like Active Directory (AD).

Solution Architecture

Methods, tools and techniques for architecture design and development to provide an understanding of the critical architecture terms and concepts and how to apply them across typical architecture domains — business, applications, data and infrastructure.


PDA Components

Title Details


Standing in for supervisor or manager on a temporary basis during periods of absence.

Job Shadowing and Special Assignments

Undertaking temporary periods or secondments in other roles, inside or outside IT, particularly those that offer a new perspective on own function or exposure to other environments and cultures.

Research Assignments

Exploring a topic which is not part of own normal responsibilities and presenting findings to colleagues and/or management

Gaining Knowledge of Activities of Employing Organisation

Developing an understanding of the potentially diverse range of activities (service, governance, administrative, regulatory, commercial, charitable, industrial, etc.) undertaken by the employing organisation.

Gaining Knowledge of IT Concepts and Techniques

Undertaking study, learning and, where possible, practice in IT concepts and techniques external to own function.

Participation in Professional Body Affairs

Taking an active part in professional body affairs at branch, specialist group, committee or board level.

Negotiating and Influencing

Undertaking learning and practice of negotiating with and influencing others.


Qualification Components

Title Awarding Body

CISSP Certified Information Systems Security Professional

(ISC)2 International Information Systems Security Certification Consortium

Registered IT Technician (RITTech)

BCS – The Chartered Institute for IT

FEDIP Practitioner


Organisation Skills

Framework » Organisation
Category » Subcategory
Skill Name and Description Level

DDaT » Security Architect

Security Architect – Analysis

You can visualise and articulate complex problems and concepts by interrogating and using data or intelligence, formulating and influencing solutions and plans. You can interpret complex business and technical issues and identify a viable solution or control. You can understand and link complex and diverse sets of information to inform the response and approach (for example, identifying vulnerabilities and their impact).

2 – Working

You can apply the approach to real problems and consider all relevant information. You can apply appropriate rigour to ensure a full solution is designed and achieves the business outcome.

DDaT » Security Architect

Security Architect – Communication (security architect)

You can understand security concepts deeply enough to engage with security technologists and communicate in language that’s appropriate to your audience. You can successfully respond to challenges.

3 – Practitioner

You can demonstrate a deep understanding of security concepts and can apply them to a technical level. You can effectively translate and accurately communicate security and risk implications to technical and non-technical stakeholders. You can successfully respond to challenges. You can manage stakeholder expectations and be flexible, adapting to stakeholder reactions to reach consensus.

DDaT » Security Architect

Security Architect – Designing secure systems

You can design secure system architectures through the application of patterns and principles, to meet user needs while managing risks. You can identify security issues in system architectures.

2 – Working

You can design and review system architectures through the application of patterns and principles.

DDaT » Security Architect

Security Architect – Enabling and informing risk-based decisions

You can make and guide effective decisions on risk, explaining clearly how the decision has been reached. You can make decisions proportionate to the level of technical complexity and risk.

2 – Working

You can work with risk owners to advise and give feedback. You can advise on risk impact and whether this is within risk tolerance. You can describe different risk methodologies and how these are applied, as well as the proportionality of risk.

DDaT » Security Architect

Security Architect – Research and innovation

You can understand and correctly apply a range of user research methods. You can choose appropriate methods for different situations or phases of a product life cycle.

2 – Working

You can advise on developments to security properties in technology. You can identify new technologies and design their use in a business context.

DDaT » Security Architect

Security Architect – Security technology

You can demonstrate knowledge of system architectures. You can understand the risk impact of vulnerabilities on existing and future designs and systems. You can identify how easy or difficult it will be to exploit these vulnerabilities.

2 – Working

You can demonstrate knowledge of system architectures. You can understand and articulate the impact of vulnerabilities on existing and future designs and systems, and can articulate a response. You can demonstrate broad knowledge of a range of systems, but may

DDaT » Security Architect

Security Architect – Understanding security implications of transformations

You can work with business and technology stakeholders to understand the security implications of business change. You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist in the development of technical solutions or controls.

2 – Working

You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist the development of technical solutions or controls.

This job role profile was created in collaboration with BCS, using Role Model Plus. BCS is the professional body that has the responsibility of updating this job family.

Give Feedback

The Occupational Architecture Project is interative and dynamic

If you would like to provide feedback on this job role, or the job families, please click the button below.

Give Feedback