By The Open Group
Organization leaders know they need cybersecurity, but 2017 has driven that point home with special force. Intelligence agencies have shown that even the most secure targets are vulnerable, and the rapid proliferation of ransomware has demonstrated that damage can be crippling and come without warning.
Unfortunately, cybersecurity is a moving target. Assets and threat vectors change constantly with technology, and organization leaders are hard pressed both to keep up with the technical landscape and to evaluate and hire the right people to provide the security expertise they need. Nevertheless, they are trying.
Examining various technology-oriented career sites turns up a wealth of high-paying openings for Security Architects (also called IT Security Architects and Cybersecurity Architects). But a review of the responsibilities attached to these positions reveals wide variation about what a Security Architect is supposed to do.
At one company, the Security Architect is a compliance-focused role: “Ensure and monitor security compliance” and “report security performance against established security metrics.” At another company, the role is deeply technical, with expected areas of expertise including network/system administration, encryption, and etc. At yet another company, the architect will “participate in incident response” and “supervise and mentor Security Engineers.” And at a fourth company, the Security Architect will “define security architecture” and “serve as a subject matter expert on information security architecture.”
All these roles have essentially the same title, but in many ways, they are different roles. They require different skill sets and experience and they feature different hiring criteria. So, at a time when excellence in cybersecurity is more necessary than ever, there is a critical lack of clarity on the very roles that an organization requires to provide their cybersecurity.
The Open Group and The SABSA Institute are working together to address that lack of clarity.
The Security Architecture Practitioner’s Initiative is a joint effort of The Open Group Security Forum (a global thought leader in Enterprise Architecture) and The SABSA Institute (a global thought leader in Security Architecture) to articulate in a clear, approachable way the characteristics of a highly-qualified Security Architect.
The focus of this initiative is on the practitioner, the person who fills the role of the Security Architect, and on the skills and experience that make them great. This project is not about security architecture as a discipline, nor about a methodology for security architecture but rather about people and what makes them great Security Architects.
The project team consists of pioneering Security Architects drawn from both The Open Group Security Forum and The SABSA Institute who have between them many decades of security architecture experience at organizations such as Boeing, IBM, HP, and NASA. Operating under the auspices of The Open Group and in collaboration with The SABSA Institute, they will provide two core deliverables:
- A body of knowledge (series of documents) describing the skills, experience, knowledge, and guiding principles of a good security architect.
- A certification program based on that body of knowledge
The two deliverables are being delivered in two separate phases of the project, with all important decisions about the certification program (including format, length, content, etc.) being delayed until after the body of knowledge is complete.
The project began in earnest at the beginning of 2017, and in subsequent posts, the team will provide a view into their ongoing work and accomplishments.