Security Architect as a career path. How do i do it?

Question

As it says, I want to become a Security Architect and I'm not sure of the career path to follow! I've already asked a few questions about certifications and got great help from this community. Deciding a career path is not easy, after all (at least for me).

I've looked at a lot of certifications list.. a few threads, here here and here. Looked at some career path threads, here and here. And even tailed a few people, Avid in this site, for example.. and one more nice site for a security architect.

At this point, I know for sure that I must amass extreme knowledge and good experience. But... where to start? Are there any certifications inline with this career? Is there a specific path that will get me there?

Currently, I am a Security Tester. I'm learning anything and everything that I come across. I might be able to connect the dots later, or maybe not. But there are people here, who are in great positions with knowledge who can help me out with what I want.

Help me with your opinion guys...

Answer 1

This is my experience working with security architects, so YMMV, and the role is evolving... maybe it's different for new architects. "Security Architects" have lots of outdated detailed knowledge and lots of up-to-date high level knowledge. Most seem to be promoted into the role and survive through sheer arrogance.

Pricing, scaling, project management and risk assessment can't be understated for their roles. They can't be experts in everything though, so that detailed knowledge they might have had earlier in their career becomes less and less important. An architect should not be getting their hands dirty outside of the lab. The reason being separation of duties and the risk of taking on too much of the workload.

Management needs to have somebody they can talk to. Security architects understand the policies, the risks, the business decisions, budget and costs and direct the practitioners' leadership to implement solutions or changes on time and on budget.

Eventually their in-depth knowledge fades into obsolescence. Some can't seem to cope with this.

The ones I worked with had CISSPs with some business training, ITIL, project management experience and a lot of technical certs collected from previous roles. They also sit in on all the free training and certs provided by vendors who are trying to sell them solutions.

But don't forget the arrogance. It's important. The job is really impossible. You're asked to provide perfection, but you're given a limited budget and a creeping scope. You're only right 90% of the time, but you'll waste all your time worrying about the 10% and burn out if you're not arrogant. Overspec and fight for budget improvements or get risk signoff, but do not admit you're uncertain. You are the expert. Nobody knows more than you do.

(don't mark this answer correct... let's see if the Security architects chime in)

Answer 2

The better follow-up might be: What do you want to architect? Web Applications? Networks? Servers? Mobile?

The architect's role is a proactive one, which means you need to have a vision. Your value will be about what you can see that others cannot. As for certifications, you will need to be proficient in building in the area you are aiming for, and then how to break it.

To be of value, show that you can build something securely, and be able to prove that it is secure, and how you got there. Be able to talk to business and developers equally well. Know how to write and maintain policies that work for the environment they are written for.