How to write an information security architect job description

A good information security architect straddles the business and technical worlds. Writing a solid, clear job description ensures that both sides understand the role.

Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. That communication starts with a solid, thorough job description. It will be an important benchmark when hiring for the role, and a touch point for performance once the candidate is on board. The job description is also a baseline that helps security team managers keep pace as many roles evolve.

Any good job description will spell out the role’s duties and priorities. It also outlines where the role falls in the reporting structure. The job description might also provide the role’s requirements, which could include certifications, skills, experience and education. This series focuses on the duties and requirements, because the priorities and reporting structure will be unique to each company.

In the case of information security architects, the current overall description, while it can vary in the details by industry, is that of a senior-level employee responsible to plan, analyze, design, configure, test, implement, maintain and support an organization’s computer and network security infrastructure that is responsive to changes in regulations and risk. This requires knowing the business – a comprehensive awareness of its technology and information needs – which is used to develop and test security structures to protect its systems.

Key duties

The duties outline the tasks and goals for which the information security architect is responsible. That may vary depending on your company’s needs or industry.  They include:

  • Design, build and implement enterprise-class security systems for a production environment
  • Align standards, frameworks and security with overall business and technology strategy
  • Identify and communicate current and emerging security threats  
  • Design security architecture elements to mitigate threats as they emerge
  • Create solutions that balance business requirements with information and cyber security requirements
  • Identify security design gaps in existing and proposed architectures and recommend changes or enhancements
  • Use current programming language and technologies to writes code, complete programming and performs testing and debugging of applications
  • Train users in implementation or conversion of systems

[Related: What it takes to be a security architect]

Skills and competencies

This section outlines the technical and general skills required, as well as any certificates or degrees that a company might expect an information security architect to have.

Key technical skills include:

Five or more years’ experience in:

  • Security architecture, demonstrating solutions delivery, principles and emerging technologies - Designing and implementing security solutions. This includes continuous monitoring and making improvements to those solutions, working with an information security team.
  • Consulting and engineering in the development and design of security best practices and implementation of solid security principles across the organization, to meet business goals along with customer and regulatory requirements.
  • Security considerations of cloud computing: They include data breaches, broken authentication, hacking, account hijacking, malicious insiders, third parties, APTs, data loss and DoS attacks.
  • Identity and access management (IAM) – the framework of security policies and technologies that limit and track the access of those in an organization to sensitive technology resources.

Experience with and knowledge of:

  • VB.NET, Java/J2EE, ColdFusion, API/web services, scripting languages and a relational database management system (RDBMS) such as MS SQL Server or Oracle. These are some of the technical elements needed to build security into an organization.
  • Relevant National Institute of Standards and Technology (NIST) standards. A system that is not in compliance with the standards set by NIST, along with ISO27001, COBIT and COSO (below), will lack both compliance and adequate security architecture.
  • ISO27001 – specifications for a framework of policies and procedures that include all legal, physical and technical controls involved in an organization’s risk management
  • Control Objectives for Information and Related Technologies (COBIT)
  • Committee of Sponsoring Organizations (COSO) of the Treadway Commission, a joint initiative to combat corporate fraud
  • Windows, UNIX and mainframe

General skills include:

  • Exceptional communication skills with diverse audiences - Strong critical thinking and analytical skills
  • Strong leadership, project and team-building skills, including the ability to lead teams and drive projects and initiatives in multiple departments
  • Demonstrated ability to identify risks associated with business processes, operations, information security programs and technology projects
  • The ability to be the enterprise security subject matter expert who can explain technical topics to those without a technical background

Possible certification requirements are:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Information Systems Security Architecture Professional (ISSAP)
  • Information Systems Security Engineering Professional (ISSEP)
  • SANS-related certifications Education requirements can vary, but most require a BA or BS in information security, engineering, mathematics, or related area. A Master’s degree in an IT field is a plus, and a Master’s in cybersecurity is an even bigger plus.

[Related: Essential certifications for smart security pros]

Matt Mellen, security architect, healthcare, at Palo Alto Networks, says experience and a proven track record can sometimes outweigh certification requirements. “Typically at least CISSP is required,” he says, “but if your background clearly shows a significant amount of experience in building security solutions – as mine did – you may be able to make a compelling case with experience and education alone.”

Industry-specific requirements

Certain industries might have unique requirements that need to be addressed in the information security architect job description. That is especially true in healthcare, which requires in-depth knowledge of Electronic Health Records (EHR) systems and protecting patient information in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Axel Wirth, healthcare solutions architect at Symantec, says the “complexity of the ecosystem” means a security architect needs a very broad range of skills. “I don’t think there is any other industry out there with as many systems running different platforms from different manufacturers,” he says.

Beyond that is the challenge of creating a security system that doesn’t inhibit patient care. Wirth notes that an ATM will shut down a person who enters the wrong PIN multiple times. “But you can’t treat a doctor, who’s just worked an 18-hour shift, like that,” he says. “Also additional security layers have to be applied very carefully so they don’t affect productivity. They have to be regularly reassessed.”

How to attract the best

According to PayScale, the salary range is $84,000 to $160,000, with the median at $109,794. In addition to money, Wirth says there are, “human factors – a desire to learn,  to develop and be challenged” – that are also important. He says in healthcare, the mission is important as well. “You find a lot of people who are idealistic, in a good way, about the work they do. They figure, ‘If I keep the doors open, I’m doing good for my community.’ That’s one thing that healthcare can offer.”

Show Comments