Secure Systems Architecture and Design
Role overview
Secure System Architecture and Design is the design of an IT system to meet its security requirements while balancing them against its functional requirements.
Role level
Typical role level expectations
At this role level, you may:
• Embed ‘secure by design’ principles into application development, integrating security tools, standards, and processes into product life cycles
• Support the assessment of application resilience throughout an IT estate, generating regular application security reports to provide information about statistics and trends
• Follow processes, provide standardised advice on tooling for, and conduct dynamic and static analysis in the product development life cycle
• Work with development teams to embed secure development life cycle and security awareness, and ensure appropriate tools and skills exist
• Recommend security controls and identify solutions that support a business objective
• Provide specialist advice and recommendations regarding approaches and technologies across teams and various stakeholders, assessing the risk associated with proposed changes
• Inspire and influence others to execute security principles, communicating widely with other stakeholders
• Help review ongoing security architectural activities
Typical role level expectations
At this role level, you may:
• Lead the technical design of systems and services, justifying and communicating all design decisions, applying research and innovative security architecture solutions to new or existing problems
• Communicate the vision, principles and strategy for security architects for one project or technology
• Decipher subtle security needs and understand the impact of decisions, balancing requirements and deciding between approaches
• Lead on quality assurance, and act as the point of escalation for Security Architects within a team
• Interact with stakeholders across organisations, teams, or communities
Typical role level expectations
At this role level, you may:
• Lead the embedment of ‘secure by design’ principles into application development by providing advice and internal consultancy on highly complex criteria and contexts
• Lead multi-team assessment of application resilience throughout an IT estate, reviewing regular application security reports, holding accountability and responsibility for secure design implementation
• Lead and assure processes, and provide SME thought leadership on tooling and dynamic and static analysis in the product development life cycle
• Lead development teams alongside senior cross-government decision makers to embed secure development life cycle and security awareness, and ensure appropriate tools and skills exist
• Lead projects with high strategic impact, setting a strategy that can be used in the long term and across the whole organisation
• Develop vision, principles and strategy for Security Architects for multiple projects or technologies
• Recommend security design across several projects or technologies, up to an organisational or inter-organisational level, solving unprecedented issues and problems
• Influence key organisational and architectural decisions, and interact with senior stakeholders across organisations to reach and influence a wide range of people across larger teams and communities
Skills
Skill | Associate | Lead | Principal |
---|---|---|---|
Security architecture | Working | Practitioner | Expert |
Secure Design | Working | Practitioner | Expert |
Secure Development | Working | Practitioner | Expert |
Information risk assessment and risk management | Working | Working | Working |
Protective security | Awareness | Awareness | Awareness |
Threat Understanding | Awareness | Working | Working |
Core learning
Entry level
BCS Certificate in Information Security Management Principles (CISMP)
CompTIA IT Fundamentals
CREST Practitioner Security Analyst
Secure by Design
Secure Programming Foundation Certification (S-SPF)
Foundation Certificate in Cyber Security
NIST Cyber Security Professional (NCSP) Foundation Certificate
CompTIA Server+
Associate level
SEC530: Defensible Security Architecture
GIAC Defensible Security Architecture (GDSA)
Certified Data Protection Foundation & Practitioner
CompTIA Security+
SEC573: Automating Information Security with Python
GIAC Python Coder (GPYC)
SABSA Chartered Security Architect – Foundation Certificate (SCF)
Lead level
CREST Registered Technical Security Architecture (CRTSA)
GIAC Defensible Security Architecture (GDSA)
SABSA Chartered Security Architect – Practitioner Certificate (SCP)
SEC530: Defensible Security Architecture
Principal level
CompTIA Advanced Security Practitioner (CASP+)
SABSA Chartered Security Architect – Master Certificate (SCM)
(ISC)2 Certified Information Systems Security Professional Training (CISSP)