Listen to the audio version and subscribe to the CyberSpeak with InfoSec Institute podcast here.
Chris S., InfoSec Institute: Hello and welcome to InfoSec Institute’s video series. This is the first in a series of videos that we’ll be doing which will include several types of security information and discussion. I hope you will check back regularly because we’ll be covering several different areas of security. Some weeks we’ll be doing security awareness topics, some weeks we’ll be doing tools of the trade. We will do an occasional tool deep dive and as we are doing this week, we’ll be looking at security career paths.
Our aim is to break down the journey from security newcomer to an elite security practitioner. So if you feel like you’re sitting at the bottom of the security organizational ladder and aren’t moving up as quickly as you’d like, stay tuned.
Our guest this week is Leighton Johnson and he’ll be talking to us about the path to the role of security architect. Leighton is the CTO and founder of the Information Security Forensics Management Team, a provider of computer security, forensics, consulting and certification training. He has presented computer security, cybersecurity and forensics classes and seminars all across the United States and Europe. He has over 35 years in computer security, cybersecurity, software development and communication equipment operation and maintenance. Leighton’s primary focus areas include computer security, information operations and assurance, software system development life cycle focused on modeling an simulation systems, systems engineering and integration activities, database administration, business process and data modeling. With InfoSec Institute, he has taught CISSP, CISA, CRISC, CISM, Security+, CAP, DIACAP, antiterrorism, digital and network forensics, security engineering, security architecture and risk management courses around the U.S. for over the past 10 years.
Chris: So, Leighton, thank you very much for being here.
Leighton: Thank you. Glad to be here.
Chris: Okay. So, I want to start with asking a little bit about just the very beginning points. I’m doing this with the assumption that people who are listening are maybe just kind of getting started in their security adventure and are looking at sort of eyeing the higher level business, professional levels without knowing really where to start. So, what would be the major steps along the way in the progression of skills sets to become a security architect?
Leighton: Well first off, you have to become a security practitioner. So you need to have an introduction to the security world itself, whether it be just information security or the subset we call cybersecurity these days. Either way, you need to start with that type of background. Potentially through either starting out as an interim person, just beginning in the security arena like getting you Security Plus or your first level certification, just starting out that particular way. Then you need to spend a couple of years doing that type of activity, getting used to the varying, different types of security roles, log reviews, checking your management systems, looking at what’s going on from an IDS alert alarm. Possibly working on fire walls, those types of things, starting out first.
Then gradually work your way into understanding the actual technologies behind them. And as you being to understand and work with the technologies and you gain some experience as well as some additional education, you can then work your way towards becoming a security engineer. Once you do that, those are the people who are putting in the devices. They’re the ones who are installing the security components. They’re the ones who are hardening the systems and the servers and the software, those types of things. Then, you work your way to becoming a security architect, after that.
Chris: Okay, so it sounds like any other sort of tradesman system. You’re sort of learning on doing all sorts of things until you start to find the areas that specifically pertain to this, and then you get better a narrowing set of skills.
Leighton: True. The only thing is as a security architect you need to know all of it. And see that’s one of the big arenas around architect security versus being as security engineer. Security engineers tend to focus on firewalls uniquely, or on routing or on servers or on networks. Whereas a security architect needs to understand all of them.
Chris: Okay, so you’re really doing the top down, top level thing at every step of it.
Chris: Okay. Because I know many of our viewers have only minimal IT or security experience, this is related to that. Can you kind of walk me through the day to day activities of what a security architect does?
Leighton: Okay. I can certainly do that, no problem. A security architect typically their daily activities would include things like reviewing the enterprise architecture for the organization from an IT perspective to determine where and what type of security components need to be put in what location. Based upon, what is the organization doing, what is it’s data flow. Where are the informational accesses coming in? The architect is going to be looking at where best to put authentication mechanisms for the identities for the people coming onto the network. And then, how do they communicate with their systems that they’re needing to do those activities and an architect would be the one who would be designing something like that at an over arching view.
One of the second things that an architect often does is look at the organizational risks and determine what are the best ways to handle them. What are the best of technologies, policies, procedures, operational activities and even managerial policy potential changes that are necessary in order for the risks to be appropriately handled for the organization from a security perspective.
Those are the two big areas that an architect works on each particular day. Sometimes they get into details where they start actually developing an architectural construct, an all view or a technical view or a security view, a component view of a particular path, a particular information flow for an organization. How does someone login, get to the network, then get to their system, then update their data on that particular system? How does the application handle those authentications behind it and then how do they logoff and what happens?
Chris: Okay, and I’m assuming that this is a fairly managerial position as well. You’re sort of, you’re planning but you’re also sort of delegating roles, or are you doing it all yourself?
Leighton: Well, you’re advising. You’re doing an awful lot of advisory work as an architect. Most of the time architects don’t necessarily have a lot of people working for them. They may be in certain lines of business uniquely. I know in my role as a Chief Security Architect, I had several lines of business architects who worked for me. But, for the most part it’s relatively a singular role as an advisor, as a consultant to the lines of business as well as to the security and IT folks.
Chris: Okay. I see. Now, do you have … Does this also include kind of a role in moving the C-Suite in making decisions about security or …
Leighton: Definitely, because one of the major roles that a security architect does do as I said earlier is advise how to handle risk, which is where the C-Suite fits in.
Leighton: Naturally, right up front. Then, as part of that, we have to draft the recommendations, the options for them to make their decisions about on how to deal with the risks, both in the IT as well as in the line of business arenas.
Chris: Okay. Thank you. Now, what sort of activities or projects if you are sort of a lower level security person, they say if you’re going to move into a profession, it should be something that you enjoy doing all the time. So, what sort of activities or projects should you be interested in or really enjoy doing if you’re thinking of moving into security architect as a profession.
Leighton: Figuring out what the other guys are doing, the bad guys are doing and then how to build organizational security to keep that from happening. That’s a day to day challenge. Understanding the variety of cyber arenas that are out there, that each organization has, some of which they may know, some of which they may not know. Then, understanding organizationally in the infrastructure, but with the networks, with the systems, with the servers, with the activities, what’s going on and what needs to be where in order to handle the risks.
Chris: Okay, and so do you do a lot of outside research to find, to sort of keep up with these trends or is it really just …
Leighton: Actually, I do probably two to three hours a day.
Chris: Okay. Where do you go? What are you looking at?
Leighton: I go literally all over the internet. I do a lot of conferences, so I always try to keep up to date on what’s the newest, latest, greatest activities that are out there. How are things being handling, the new user based mechanisms for accessing computers with their UVEA and all those types of things. So, I stay up to date a lot in those arenas. So, I do a lot of reading and I do a lot of listening to webinars.
Leighton: I do a lot of going to conferences. I probably go to five or six a year. Big ones and little ones both. Even ones I’m speaking at, I’m never stopped. I always go to other people’s sessions just to hear what’s going on, to see where things are going. I have a couple of areas that I specialize in that I have over 30 years.
Chris: What are those?
Leighton: Incident response and forensics, both. So, those types of things. I’m very interested in how organizations are handling all the new risks. I’ve done a lot of work in the last few years in cloud and cloud architectures. I’ve been a member of the Cloud Security Alliance since they started about eight, nine years ago whenever it was. So, I do a lot of work in that arena as well.
Chris: Interesting. Okay, so would you recommend lower level security practitioners do what they can to start sort of attending seminars or at least doing preliminary research?
Leighton: Do the webinars. Do the stuff that you can get online. Do those types of things. If you do it at home, you do it in the evenings. You do it on a weekend, when you have some downtime. That’s probably the best way to keep yourself up to speed and up to date. This is such a dynamic field. It changes everyday. And since it literally changes everyday, you have to really understand that you have to be in a constant learning mode, otherwise, you’re going to become static and you’re systems will become static and that’s exactly what those bad guys want. So, you’ve got to be constantly changing and understanding the dynamics.
Chris: One step ahead all the time.
Leighton: You have to be.
Chris: Absolutely. Now, what certifications should people pursue on the path to becoming a security architect?
Leighton: Well, the first level is you gotta get your basic security certifications. So, starting with the standard, the Security Plus, the initial introductory ones. Moving up a level to the more detailed ones with CISSP and with CASP which are the two big, major ones that are out there from a security perspective. Then you start looking at the architectural ones on top of that.
There is of course, with CISSP there’s a follow on one called ISSAP, which is the architecture professional. There are other ones that are architecture specific that are out there. SABSA has one, TOGAF, which is the open frameworks, architecture framework. If you’re working in the governmental vertical, there’s one called FEAC which is for the federal enterprise architecture. DOD has their own under DODAF which is the DOD architecture framework. These are all arenas around architecturally getting in there.
But, primarily, you need to understand both how system work and how networks work together. So, understanding that architecturally, those are the big areas you need to work for and getting your certifications, is looking at those. Try not to get too specific on vendor activities from devices and those types of things, because you’re going to have wide ranges of architectural options.
If you’re working in an organization that’s say a Cisco shop, then go ahead and do the Cisco. If they’re a Juniper shop, then go ahead and do the Juniper. But understand that those aren’t the only options either, from an architectural standpoint. There’s so many different vendors and so many different ways that you can look at it, you need to generically look at it from a security perspective rather than from a vendor specific.
Chris: Now if you were get say, some of the vendor neutral certifications, would there be a benefit in also being sub-specialized in the Cisco or Juniper specific ones?
Leighton: Sure because then you can focus on how does that fit into an architecture? Where are all the company’s pieces and parts to it? You know, those types of things. And certainly, that’s advantageous in a career path if you want to stick to being in that particular area. And understand that all of them are great. They’re all super. They all work.
Leighton: So, they all have their advantages. They’ll get you there. So, none of them are any better than any of the others. They’re all very focused on what they provide as far as their services, as far as their equipment capabilities, etc. So, if you … Most of the major network vendors, once you learn the material from say one of them, you can apply to others, at least partially, you know, uniquely. And our evolving network infrastructures over the years, different vendors have provided whole protocols and whole methodologies that are, that have advanced the entire networking world, or the entire server world rather than just uniquely just from their perspective.
Chris: Okay, going to the other side of things, what sort of hands on work activities should you be good at and be doing regularly in your job to get on this path?
Leighton: Understand how servers are configured. Understand how you set up making you know, the classic hardening of a server. How do you do that? What does that mean? Understand it from an operating system. So you do need to know all the different kinds that are out there, day to day, what do you have to do to configure a Unix box, or a Linux box versus a Windows box versus desktop versus a Windows server? How do you handle S NAS storage. That today’s world, security being one of the biggest users of big data ourselves, just because we’re looking for all the problems and all the APTs that are out there and those types of things.
You need to understand storage and how it works. So, day to day, how do you do that? How do you, and then the other big thing is understanding what are the architectural elements, those types of things. So, that’s more hands on, building an architecture element. Is it going to work? Digging down into the protocols potentially to see if that particular type of device works at that level, whatever level it may be in the network and those types of things.
Chris: What types of companies require security architects and what types of professions or companies should you try? I imagine it’s kind of all of them, right? At this point.
Leighton: Well, for the most part, people who are operating, not people who are vendors.
Leighton: Service organizations, people who are out there making money by providing services to other organizations. Information brokerages, service providers, a variety of those types of companies, financial institutions. All those types of things would be where you would want to do that. Whereas you wouldn’t necessarily have that uniquely with in a vendor space. You may and they probably do, but it’s much more career path oriented towards the normal, standard, everyday business is going to need it. The bigger they are, the more likely they’re going to need an architect.
I was just working with a company that had 50,000 employees and they had 10 architects.
Leighton: As an example. One in each line of business plus a couple of principals that were over them. That type of thing. So, there’s not a lot of architects in a particular company typically because it is such a unique skill set, because it covers everything. That type of thing, but they do have a lot of need for them, and in today’s dynamic, privacy driven world coming with GDPR in a couple weeks, those types of things. International companies are needing them even more than anybody else right now.
Chris: And we’ll be talking about GDPR actually in our next video as well here, so you’re transitioning us nicely. Now, I’m imagining that security architects a fairly in demand job and there’s a lot more candidates than there are positions. So, what could a candidate do to sort of put themselves head and shoulder above other people who might be interviewing for the same position?
Leighton: Not that many people have professional certifications, vendor neutral type certifications in these arenas. There just isn’t that big area for it. Most people usually convert from being a security engineer, or being an IT engineer, over to being an architect. Especially infrastructure architect type things and they try to pick up the security part but it’s a unique subset of that generalized IT infrastructure view that is different. So, learning the trade mechanisms around security architecture uniquely what the mechanisms are, because of course, since it permeates all parts of an enterprise from an architectural standpoint, it’s even a little bit more of a specialty than say an enterprise architect, even though they typically work together.
I know governmentally, in the government vertical industry, they usually have an enterprise architect shop for the whole organization. One. And then they’ll have one per line of business or one per agency. Then, they’ll have one or two security architects and that’s it. All right, that type of thing. So, it is a unique area in that once you get the process and you’re in being as a security architect, you will always be employed, number one. Number two, you’ll be employed well. Okay? Because it is a unique arena, so it’s a high demand and not many people can meet all the types of qualifications typically they’re looking for because it is such a unique number of skill sets necessary rather than just one or two. You gotta understand IT. You’ve got to understand security and you’ve got to understand the combinations. But then you also have to understand how the lines of business do it. So you’ve got to be an analyst as well and some business analytics, risk analytics come into play, all sorts of different things also come into play in understanding security architectures and being a security architect.
Chris: Well that transitions nicely into my next question. You said that a lot of people don’t have this understanding or that qualification. What are some of the common pitfalls that people might make along the way? They think they’re on their way, but they’re studying the wrong thing, or they’re focusing too much on this or that or not staying abreast as you say of current trends and so forth.
Leighton: The biggest things I’ve seen is not understanding the business and its attack vectors. What people come after them for. Number one, and those who do do that, they’re in incident response, they’re not architects. So, they miss how to handle the risks. They can identify it, but then they are missing the piece about, what do you do after you’ve identified. How do you handle it? How do you fix it?
There’s a lot of network people who transition over to being architects in various different arenas and they miss the security piece. Or you’ll have people who are really, really good at doing general IT and server activities and they’ll want to become an architect and they’ll miss the network piece. So, that’s part of the issues and the big underlying problem I’ve seen for the most part in the 20 plus years I’ve been a security architect, is that there’s a disconnect when someone approaches architecturally from only IT and security and misses the line of business or the other way around. The two have to work together and that’s why it’s such a unique field, is they absolutely require you to have both viewpoints, all the time. You can’t just have one at one time, and one at another. No, you’ve got to have them both. You’ve got to wear both hats simultaneously.
Chris: Both hats simultaneously and sort of keeping on top of both industries, I imagine, both texts.
Chris: So, again, speaking to the people who are in their day job, you might be in the cube farm and you’re not really … It might seem kind of daunting to jump from where you’re at to 10 steps up. What’s one thing in your current position or life that you could change to sort of put you on the path to security architect. Would you start by taking a certification course? Would you ask for a different responsibilities at work? Do some outside work, anything like that?
Leighton: The biggest thing is being inquisitive about what’s going on and why the lines of business are doing what they’re doing, and how is IT supporting them, and are they meeting the needs? Understand how the business is working and the IT is supporting it, either yes or no. I mean, sometimes they are more success than others certainly. And then, do some analysis and figure out why. What’s missing? Is it because the organization isn’t set up appropriately procedurally? Is is a workflow issue? Is it a technology issue? You know? Understand that all three have to be working together and that’s what the architect’s ultimate goal is, is to get all three of those to work together in supporting the business operations of the organization.
Chris: Now, how might the role of security architect change in the future based on current and up and coming technologies. I’m sure it’s changed a lot since you got started.
Leighton: It has. I’ve been a security architect for 20 years. I’ve been in the industry for 40, but I’ve been an architect for 20. It has changed a lot. A lot of it has because of the technology changes and because of the people who are sitting behind a keyboard changes. They’re much more adept and adapted to working with computing activities non stop.
Chris: So, just because of the sort of permeating of technology with younger people or …
Leighton: Well, technology with younger people and the fact that businesses are now seeing returns in those arenas, which for a long time they were skeptical about. But now they’re seeing it.
Chris: I see.
Leighton: So, the top six companies in the world are now technology companies. So, for years and years and years it certainly wasn’t that way. But now it is. So, they’re seeing lots and lots of money. They’re seeing lots and lots of advancement professionally and personally for people in those arenas that have just dramatically shifted as we’ve had a series of technologies that came together, with cloud, with mobile, with big data, all basically hitting at the same time.
Leighton: All hitting their stride simultaneously. There was obviously technological components behind them with virtualization, etc. And moving from 3G to 4G and soon to be 5G in the cellular world and the advances of all the mobile devices with the smartphones and smart everything. And IOT not is adding to all of this because of course, now that means anything and everything that is electrical could potentially be with a CPU, which means it could be computing, which means it can be a device that is addressable from somewhere. So on and on and on it goes.
So, stay on top of the technology. Stay understanding of what’s changing. See where the issues are around them and how people are handling those issues today. As technology advances, the methodologies of handling the issues around those technologies advance as well. So, it’s a little bit of lag typically between the two, but we’re seeing people get caught up with what’s happening in the bad guy world, with the hackers and the crackers and across the board, what they’re doing. We’re starting to take technologies today and advancing them with AI and with machine learning and those types of things.
Now of course, those techniques generally have been around for a long time. But they’re more advanced now with systems that we’ve got today, with the machine learning activities where the systems are understanding and learning on their own as things are going on. Those are changing and those are creating another dynamic that will be back to being caught up and then the technology will advance again and you know. Understand it’s a dynamic process. It is never static. If there’s one thing in the cyber world is to understand it’s always changing every day.
Chris: That seems like a fantastic place to end there. So, I think we will wrap up. Thank you very much, Leighton Johnson for being with us today. And if you would like to know more about certification study, you can visit InfoSecInstitute.com. And if you’d like to read a number of, we have a blog that is Resources.Infosecinstitute.com. There are a number of articles and labs and videos such as this one. And I encourage you to visit those as well.
So, again, Leighton, thank you very much for your time today and thank you very much everyone for watching.
Leighton: Thank you.
Chris: Take care.