IT’s Hottest Jobs: Information Security Architect

[Randy Gross]

Job title or job role:

Information Security Architect

Key responsibilities for this individual:

Information security architects plan and carry out security measures to protect an organization’s computer networks and systems. Their responsibilities are continually expanding as the number of cyberattacks increases

The information security architect is responsible for analyzing information security systems and applications, and recommending and developing security measures to protect information against unauthorized data modification or loss. Access control, intrusion detection, virus protection, certification, audit, incident response, security engineering, development and implementation of security policies and procedures are some of the areas that this individual is engaged in on a regular basis. Typical job responsibilities can include:

• Designing security models; reviewing and approving security configurations and installation of firewall, VPN, routers, IDS scanning technologies and servers.
• Overseeing security awareness programs; educating staff on information security policies, procedures and practices.
• Monitoring industry security updates, technologies and best practices to improve security management.
• Participating in the development of hardware/software/network security procedures and guidelines that support information security policies.

Top industries or markets needing this position:

Demand for information security architects is high. As cyberattacks grow in frequency and sophistication, many organizations find themselves falling behind in their ability to detect these attacks. Security architects are needed to develop innovative solutions to prevent hackers from stealing critical information or creating havoc on computer networks.

The federal government is expected to greatly increase its use of information security architects to protect the nation’s critical IT systems. In addition, as the healthcare industry expands its use of electronic medical records, ensuring patients’ privacy and protecting personal data are becoming more important. More information security architects will likely be needed to develop the safeguards that will satisfy patients’ concerns. Financial services companies also have a growing need for information security architects.

Preferred job roles or work background desired in this job role:

Candidates for the position of an information security architect should have at least eight to 10 years of experience in the IT field, with a broad range of exposure to all aspects of business planning, systems analysis and application development. Additionally, three to five years of experience specifically devoted to information security is advisable.

A bachelor’s degree (or advanced degree) in information technology, information security, computer science, mathematics or a related field is also the norm for this job.

Many employers will also require or prefer that candidates have advanced security-related industry certifications. Examples include CompTIA Security+, CompTIA Advanced Security Practitioner, Certified Information Systems Security Professional (CISSP), Certified Network Security Professional (CNSP) and Certified Hacking Forensics Investigator (CHFI).

Technology, business and soft skills needed for success in this role

Technology skills for an information security architect should include:

• Knowledge of risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies and security attack pathologies
• Technical proficiency in security-related hardware and software, forensics and other security systems and tools.
• Technical proficiency in broader areas of IT, including networking, servers, desktops and mobile devices.

Desirable business and soft skills should include:

• Oral and written communication skills with the ability to present and discuss technical information in a way that’s understandable for non-technical audiences.
• The ability to lead both technical teams and project teams that cross multiple business functions.
• Problem solving and analytical ability.
• Strategic thinking and relationship management.

Top challenges of acquiring this talent:

Like many higher-level IT jobs, the role of information security architect is one that currently has more demand than supply. The Bureau of Labor Statistics reports that the employment outlook for security architects is expected to grow about 20 percent through the year 2018 as the need for information security and workers with security skills increases.

Best sources for recruiting individuals into this role:

Because the security architect is responsible for maintaining the security of a company’s computer system, they must think like a hacker would, anticipating the moves and tactics that hackers might use to try and gain unauthorized access to a computer system or network. Some IT experts feel that the best security architects are former hackers, making them very adept at understanding how the hackers will operate.

Best sources for developing internal staff into this role:

Many security architects begin their careers in entry-level positions as IT support specialists. This job provides the training necessary to become familiar with network systems, security and problem solving.

A lower level IT staff member often will demonstrate the aptitude and attitude to be trained and certificated for security-specific jobs. Someone in an entry-level position may operate software to monitor and analyze information, while a more senior-level position could be engaged in investigative work to determine whether a security breach has occurred.

Look for employees who demonstrate good organizational and problem-solving skills. They also need strong problem-solving and analytical skills

Time needed to train and “on-board” an individual into this role:

This is not an entry-level position. Many people venture into the occupation only after working in other IT roles such as computer technician.

Because of the critical nature of the information security architect, several years of experience in advanced security tasks is highly recommended. This experience may be gained by prepping an internal candidate for a senior security position; or recruiting an experienced security architect from another organization.

Candidates for the position of an information security architect should have at least eight to 10 years of experience in the IT field, with a broad range of exposure to all aspects of business planning, systems analysis and application development. Additionally, three to five years of experience specifically devoted to information security is advisable.

Competitive salary and benefits required to hire this individual:

The average pay for an information security architect is $106,974 per year, according to PayScale, a provider of data and insights around salary and career topics. Total pay for this position (salary and benefits) ranges from $82,714 to $157,556. Factors such as geographic location, known technologies, certifications and practical field experience can affect the salary level.

Best ways to measure success of the individual in this role:

The Information Security and Control Association has developed high-level guidance for information security governance and evaluation of security performance. They propose six areas that organizations should focus on when measuring the performance of security personnel and programs:

1. The strategic alignment of information security in support of business objectives.
2. Executing appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level.
3. Integration of all relevant assurance functions to maximize the effectiveness and efficiency of security activities.
4. Optimizing security investments in support of business objectives to achieve the best return on security investments.
5. Using information security knowledge and infrastructure efficiently and effectively.
6. Monitoring and reporting on information security processes to ensure that objectives are achieved.

About the author: Randy Gross is the Chief Information Officer for CompTIA, the ICT Industry Trade Association.