In the piece I wrote in December ("What the Sony breach means for security in 2015"), I noted that while a good CISO is important, great security architects are critical. While a CISO may get the glory, security architects are what most organizations need.
About 95 percent of the firms in the U.S. are small-to-midsize businesses. These small firms with even smaller IT departments can't afford to burn an FTE slot on a CISO. They need a security architect or engineer, who can also hopefully provide security, privacy and risk management leadership. The bottom line is that good security design goes a very long way.
With that, I'd like to expand on the role of the cyber security architect.
So what exactly does a cyber security architect (CSA) do? An architect is defined as a person who plans, designs and oversees the construction of buildings. To practice architecture means to provide services in connection with the design and construction of buildings and the space within the site surrounding the buildings.
With a bit of license, a CSA can be defined as the person who plans, designs and oversees the information security components of networks, systems and applications (software). The CSA provides key constituent stakeholders with effective architectural guidance to apply a consistent set of information security principles, mechanisms and guidelines to ensure that the data, applications and devices are secure.
The CSA will know the firm's business and technology drivers, security risk management strategy, risk assessment philosophy and the various technology components of its IT infrastructure, and provide technical security leadership. A good CSA will be seen as the firm's trusted security adviser.
When designing a physical structure, the architect knows the component parts of the edifice, including electrical, plumbing, zoning laws, room size requirements, materials, and much more. The architect is not necessarily an expert in every area, but has the fundamental knowledge of all of them.
Similarly, an effective CSA will be a jack-of-all-trades in information security, and master of a few. Some of the areas in which the CSA needs to provide oversight are:
- Risk management
- Security engineering
- Secure coding and secure software development
- Access control and authentication
- Anti-malware protection
- Laws, standards and regulations
- Networks, routing, switching and network security
- Cryptography, encryption and key management
- Operating systems and system security
- Intrusion detection and change detection
- Incident response
- Policies and procedures
- Hacks, attacks and defense
- Business continuity planning (BCP) / disaster recovery planning (DRP)
- Physical security
Some of the responsibilities that a CSA will have include:
- Designing, reviewing and approving security configurations
- Designing and installing security hardware and software such as VPNs, firewalls, routers, IDS, etc.
- Reviewing policies and procedures
Here's an example: A firm has built its environment around open source tools and frameworks, such as Groovy, Nginx, Git, Python and Atlassian, running on Amazon and using its services such as AWS, RDS, ElastiCache, SES, Route 53 and more. It's the CSA who will be able to provide advice on how to use these technologies securely.