Help?! I want to Be a Great Security Architect — Part II

Welcome back to this article series that dives into what it is that a Security Architect does and what tools in the shed are needed to achieve ‘greatness’. In part I of this article series I talked about what tasks, knowledge, skills and abilities a Security Architect needs. This part II brings you useful learning resources that match these requirements.

In our Cyber team at Deloitte Netherlands we use Gallup’s CliftonStrengths test. The test gives you insight into your ‘Top 5 strengths’. Instead of focussing on where people need to improve, we focus on their strengths. Strengths are things that give you energy and that you often excel at. The reason I mention this is that my strengths are the reason I have created this article (or my previous COSAC session for that matter).

My profile consists of 1) Learner, 2) Intellection, 3) Achiever, 4) Responsibility and 5) Input. Looking at my top 5 it is very clear to me why I am fascinated by the question of how to become a great security architect. I love learning, so what feels better than having a long list of things to learn to fulfill your role? My ‘intellection’ strength explains my need to find a structured, logical method to decide what to learn. The ‘achiever’ in me loves to get results, so I’d like to have a book, MOOC, training or certificate. As long as I can get it DONE. My ‘responsibility’ means I feel I should not be calling myself a security architect unless I’ve put in the work. ‘Input’ simply means I love collecting all kinds of information, and so that’s what I’ve done here for you. Disclaimer: I am a ‘book person’ — if you hate books, you’ll find this list somewhat disappointing.

Looking back at my Part I article, NIST SP800–181 offers 66 knowledge(s?), 15 skills and 14 abilities for a Security Architect. Picking individual learning resources for 95 elements is something I’d love to do from an ‘input’ perspective. But my ‘achiever’ thinks that is very unwise if I want to get rid of any lingering impostor syndrome anytime soon. Instead I have used my ‘intellection’ strength to map the KSAs to categories, which gives us seven categories:

Category 1 — Soft Skills

Why does it matter?

How do you know whether you should still improve?

What are the resources I recommend?

  • Presenting information. A good place to start is all the work by Presentation Zen and the books that they have written. Their website also includes a swath of recommended books, of which I have read many. I know you might be tempted to follow some fancy InDesign technical tutorials instead of reading. But good design always starts offline. Whiteboard animation is an excellent next step once you have the theory down. It will allow you to explain your work in concepts and make it easily accessible. Try this article as a starter and maybe take an (online) course in it — I took an online one with Flatland Agency. If you can’t draw it, it shouldn’t end up in something presentable! I will be doing a webinar for The SABSA Institute soon on visual design & architecture. For the visitors to COSAC 2020, I’ll be hosting a full-day Masterclass on visual design on Monday as well!

Category 2 — Security

Why does it matter?

How do you know whether you should still improve?

What are the resources I recommend?

  • Privacy (law). What gave me a wonderful basis for law was the book Law: A Very Short Introduction. It’s not actually that short, the font size is just tiny. Of course reading GDPR is a good effort as well. If you want something more interactive this free uPenn course on Privacy Law & Data Protection might be for you.
  • Standards. The best way to learn more about standards is to read the standards themselves, I’m afraid. Some of them cost quite a bit of money, so if you can’t get your hands on them you can try and read about them. Which ones apply will depend on your geography and industry. The core ones are ISO27001/2, NIST SP800–53, CSA CCM, NIST CSF, GDPR, ISF SoGP, NIS Directive, PCI-DSS, HIPAA and the CIS Critical Security Controls. I almost fell asleep just listing them — good luck with actually reading them.
  • Identity & Access Management. This part of the industry seems all about the tools nowadays. But maybe that’s just me. If you want a light-weight introduction, this PluralSight course is nice. The Identity Management Institute offers a variety of certifications and video trainings. And at some point you have to look at those tools — try CyberArk, ForgeRock, Okta, and SailPoint.
  • Business Continuity & Disaster Recovery. Surprising lack of training and resources in this area! Especially if you want it specifically for cybersecurity, the CISSP material on BC & DR is all there is. Here’s quite a good list of general BC & DR certifications (don’t forget to bring your money!). After an arduous search I found one book that might be good, but it’s from 2005 so it’s bound to be out of date on technology. There is also a book titled A Manager’s Guide to Business Continuity Management for Cybersecurity Incident Response. Consider me a sceptic — managers should be ‘managing’, so who’s doing the actual execution?! And how are they supposed to do their work if there are no resources to learn it from? If all else fails, try getting your hands on standards ISO22301, ISO22313, ISO27031, NIST SP800–34 and NIST SP800–84. And if you don’t mind poorly formatted text (hint: I do), check out https://www.disasterrecoveryplantemplate.org/. I am mystified, baffled and even offended by the lack of interesting resources in this area. Surprise me with your comments!
  • Threats & vulnerabilities. When it comes to web application vulnerabilities, OWASP has got your back — their Top 10 is infamous. Want to know about the latest attack techniques? Look no further than the MITRE ATT&CK framework. Then there’s the Cyber Kill Chain. If you combine the two, you get the Unified Cyber Kill Chain (made by a classmate from my Executive Master, how cool is that? He’s even on Wikipedia with it #lifegoals). You’ll also need to know about CVSS and CVE — the concept is neatly summarized here. Lastly, NIST SP800–181 makes no mention of acquiring hacking skills at all. Now, I do not think every architect should go and get their OSCP. But being able to think like an attacker whilst you’re defending seems pretty convenient to me. I will not sum up hacking learning resources here (that’s a whole new blog post), but look into CEH and OSCP if you’re into certificates. True 31337 hackers learn online via courses and CTF platforms. My gripe is that many of these do not seem to appreciate UX, visual design or even human language. A refreshing beginners’ example that proves it can be done is Hacksplaining (the feminist in me is laughing out loud about the name). The new platform Hacker House looks nice as well, but you need to bring $1000 with you to go beyond the opening demo. Again, any resources that you can recommend that do not make my eyes bleed are truly appreciated.

As you may have noticed, this was only category 2 out of 7 and we’re 2000 words in. So there will have to be a part III and maybe even a part IV in this article series. I hope this has been useful to you so far — leave your feedback in the comments! And let me know whether you have great learning resources on some of these topics. I’ll have a look at them and may add them to the list. I will also continue to add to this list as I encounter more interesting resources. That way we can all study together towards becoming great Security Architects!

Originally published at https://www.linkedin.com.

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account
