Help?! I want to Be a Great Security Architect — Part II

Welcome back to this article series that dives into what it is that a Security Architect does and what tools in the shed are needed to achieve ‘greatness’. In part I of this article series I talked about what tasks, knowledge, skills and abilities a Security Architect needs. This part II brings you useful learning resources that match these requirements.

In our Cyber team at Deloitte Netherlands we use Gallup’s CliftonStrengths test. The test gives you insight in your ‘Top 5 strengths’. Instead of focussing on where people need to improve, we focus on their strengths. Strengths are things that give you energy and that you often excel at that. The reason I mention this is my strengths are the reason I have created this article (or my previous COSAC session for that matter).

My profile consists of 1) Learner, 2) Intellection, 3) Achiever, 4) Responsibility and 5) Input. Looking at my top 5 it is very clear to me why I am fascinated by the question of how to become a great security architect. I love learning, so what feels better than having a long list of things to learn to fulfill your role? My ‘intellection’ strength explains my need to find a structured, logical method to decide what to learn. The ‘achiever’ in me loves to get results, so I’d like to have a book, MOOC, training or certificate. As long as I can get it DONE. My ‘responsibility’ causes that I feel I should not be calling myself a security architect unless I’ve put in the work. ‘Input’ simply means I love collecting all kinds of information and so that’s what I’ve done here for you. Disclaimer: I am a ‘book person’ — if you hate books, you’ll find this list somewhat disappointing.

Looking back at my Part I article, NIST SP800–181 offers 66 knowledge(s?), 15 skills and 14 abilities for a Security Architect. Picking individual learning resources for 95 elements is something I’d love to do from an ‘input’ perspective. But my ‘achiever’ thinks that is very unwise if I want to get rid of any lingering impostor syndrome anytime soon. Instead I have used my ‘intellection’ strength to map the KSAs to categories and we can divide it up into seven categories:

Category 1 — Soft Skills

Why does it matter?

I am starting with this one to be nice and controversial. But I find that it is something that many architects seem to lack — and it is not a fault that is easily remediated. Being able to transfer your thoughts and work well to others is just as important as being able to do the work in the first place.

How do you know whether you should still improve?

NIST SP800–181 only has five KSAs that I would consider to be on soft skills. They are clearly underestimating this category! My pet project ‘attractive visual design of architecture artefacts’ isn’t even in there. If ever you feel you can’t convince people on security architecture or explain your work well enough, look into improving these skills.

What are the resources I recommend?

  • Communication skills, with a focus on writing. I always think the most important part of being a good communicator is knowing your audience. One of the university study books I’ve kept is Ancient Rhetorics by Sharon Crowley and Debra Hawhee. I promise you it is so much better than all that ‘management book’ nonsense to try and sell to you nowadays. Thank you for Arguing by Jay Heinrichs is a slightly more modern and ‘popular’ read. A nice tool that I like to use for blogs like these is Hemingway (also as desktop app) — it forces my writing to be simple and succinct.
  • Presenting information. A good place to start is all the work by Presentation Zen and the books that they have written. Their website also includes a swath of recommended books of which I have read many. I know you might be tempted to follow some fancy InDesign technical tutorials instead of reading. But good design always starts offline. Whiteboard animation is an excellent next step if you got the theory down. It will allow you to explain your work in concepts and make it easily accessible. Try this article for a starter and maybe take a (online) course in it — I took an online one with Flatland Agency. If you can’t draw it, it shouldn’t end up in something presentable! I will be doing a webinar for The SABSA Institute soon on visual design & architecture. For the visitors to COSAC 2020, I’ll be hosting a full-day Masterclass on visual design on Monday as well!

Category 2 — Security

Why does it matter?

Security follows next as I consider it to be the most important basis for a Security Architect. After all, how can you design for security if you don’t know anything about risks, controls and tooling?

How do you know whether you should still improve?

Let’s face it, unless you have worked in the industry forever, there is always something to learn. Many of us have a natural sweet spot, and some things they’re not great at. I don’t have an informatics background, so network security has always been a bit of a difficult topic for me. I have been working hard at it with certifications in e.g. cloud architecture & firewalls. As security professionals, I think many of us feel that we need to be omnipotent and have difficulty admitting we don’t know it all. So be honest with yourself — does any of these topics make you somewhat squeezy?

What are the resources I recommend?

  • Security Tooling & Vendors. There are many tools out there and it can be difficult to keep track of the latest and the greatest. That moment that somebody says “you know tool/vendor XYZ?”, and you nod your head but are actually clueless? The best way to keep abreast of what’s hot and happening is to keep track of Gartner’s magic quadrants. I know not all companies have a subscription with them, but at the very least you get the names and can do some research yourself. And yes, I know many of you are not Gartner fanboys and fangirls, but trust me — this is a very effective method!
  • Privacy (law). What gave me a wonderful basis for law was the book Law: A Very Short Introduction. It’s not actually that short, the font size is just tiny. Of course reading GDPR is a good effort as well. If you want something more interactive this free uPenn course on Privacy Law & Data Protection might be for you.
  • Standards. They best way to learn more about standards is to learn standards themselves, I’m afraid. Some of them cost quite a bit of money, so if you can’t get your hands on them you can try and read about them. It will depend on your geography and industry which ones apply. The core ones are ISO27001/2, NIST SP800–53, CSA CCM, NIST CSF, GDPR, ISF SoGP, NIS Directive, PCI-DSS, HIPAA and the CIS Critical Security Controls. I almost fell asleep just listing them — good luck with actually reading them.
  • Identity & Access Management. This part of the industry seems all about the tools nowadays. But maybe that’s just me. If you want a light-weight introduction, this PluralSight course is nice. The Identity Management Institute offers a variety of certifications and video trainings. And at some point you have to look at those tools — try CyberArk, ForgeRock, Okta, and SailPoint.
  • Business Continuity & Disaster Recovery. Surprising lack of training and resources in this area! Especially if you want it specifically for cybersecurity, the CISSP material on BC & DR is all there is. Here’s quite a good list of general BC & DR certifications (don’t forget to bring your money!). After an arduous search I found one book that might be good, but it’s from 2005 so it’s bound to be out of date on technology. There is also a book titled A Manager’s Guide to Business Continuity Management for Cybersecurity Incident Response. Consider me a sceptic — managers should be ‘managing’, so who’s doing the actual execution?! And how are they supposed to do their work if there’s no resources to learn it from? If all else fails, try getting your hands on standards ISO22301, ISO22313, ISO27031, NIST SP800–34 and NIST SP 800–84. And if you don’t mind poorly formatted text (hint: I do), check out https://www.disasterrecoveryplantemplate.org/. I am mystified, baffled and even offended by the lack of interesting resources in this area. Surprise me with your comments!
  • Threats & vulnerabilities. When it comes to web application vulnerabilities, OWASP has got your back — their Top 10 is infamous. Want to know about the latest attack techniques? Look no further than the MITRE ATT&CK framework. Then there’s the Cyber Kill Chain. If you combine the two, you get the Unified Cyber Kill Chain (made by a classmate from my Executive Master, how cool is that? He’s even on Wikipedia with it #lifegoals). You’ll also need to know about CVSS and CVE — the concept is neatly summarized here. Lastly, NIST SP800–181 makes no mention of acquiring hacking skills at all. Now, I do not think every architect should go and get their OSCP. But, being able to think like an attacker whilst you’re defending seems pretty convenient to me. I will not sum up hacking learning resources here (that’s a whole new blog post), but look into CEH and OSCP if you’re into certificates. True 31337 hackers learn online via courses and CTF platforms. My gripe is that many of these do not seem to appreciate UX, visual design or even human language. A refreshing beginners example that proves it can be done is Hacksplaining (the feminist in me is laughing out loud about the name). The new platform Hacker House looks nice as well, but you need to bring a $1000 with you to go beyond the opening demo. Again, any resources that you can recommend that do not make my eyes bleed are truly appreciated.

As you may have noticed, this was only category 2 out of 7 and we’re 2000 words in. So, there will have to be a part III and maybe even a part IV in this article series. I hope this has been useful to you so far — leave your feedback in the comments! And let me know whether you have great learning resources on some of these topics. I’ll have a look at them and may add them to the list. I will also continue to add to this list as I encounter more interesting resources. That way we can all study together towards becoming great Security Architects!

Originally published at https://www.linkedin.com.

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account