Secure System Architecture and Design solves complex security problems by selecting the best available solutions from a range of technological components and structures. The decisions made fundamentally determine whether an organisation can manage its data, information systems, and communications networks securely. The recommendations made guide the work of developers, implementers and operators of the systems and networks. 

While very technical, this role involves a substantial amount of co-operation with other specialists, including external suppliers. Although this specialism might not have the knowledge and skill need to solve all problems, it is important to consult with others, explaining the unresolved parts of the problem.  

The primary responsibility is to ensure that the new systems or changes to existing ones are secure, taking into account higher, enterprise-level security requirements, and the broader requirements for any information processing system. When systems are being built or changed, reviewing the work periodically ensures that it conforms to the agreed designs. 

The recommendations are then documented for development teams clearly and sometimes presented to senior managers. This is especially important if the recommended solutions are expensive or might compromise a system’s ability to meet other important requirements, such as transaction speed. Design documents must be produced, to ensure that they are available for reference should they be needed by other teams. 

Secure System Architecture and Design decides on the essential security structure of the information systems which an organisation develops and runs, and verifies that the delivered systems conform to the design. 

In this specialism, you may: 

• agree high-level business requirements with non-technical colleagues 
• plan, research and design secure software development and delivery systems, with objectives like security, speed, scalability and robustness at the core 
• create technical requirements and specifications for major software systems and subsystems 

• estimate costings related to new designs 
• ensure that systems are developed and implemented securely, according to the agreed design and relevant industry standards 
• report on and present recommended solutions to technical and non-technical stakeholders 
• review installations of new network devices 
• provide expert software security advice (on design, coding, testing, etc.) to software developers, system operators and other colleagues 

• research, including by consultation with specialist colleagues, potential cyber security threats 
• stay up to date with emerging cyber security principles, standards and technologies 
• oversee testing of final designs 
• develop roadmaps of future cyber security technology developments and the implications for the organisation’s systems 
• assist with capability, capacity, and operational planning activities 

Job Titles 

For Secure System Architecture and Design roles, titles include: 

• Security Architect 
• Secure Systems Architect 
• Application Security Architect 

• Software Cloud Architect 
• Software Applications Security Architect | Cloud 
• Software Security Architect 
• Cybersecurity Technical Architect 

For more experience Secure System Architecture and Design roles, titles include: 

• Chief Cloud Security Architect 
• Chief Security Architect 
• Senior Security Architect 
• Lead Cloud Security Architect 

Salaries 

A Secure System Architecture and Design role could earn between £50,000 and £90,000 a year. The median figure in March 2021 was £77,500. 

A senior Secure System Architecture and Design role could earn between £60,000 and £130,000. The median figure in March 2021 was £83,000. 

Salary ranges are based on job vacancy advertisements published online in March 2021. Only a small proportion of job vacancy advertisements for these roles included salary figures, so the sample size is small and may not be representative of jobs of all jobs in Secure Architecture & Design, especially in the public sector. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. 

Each of the 15 specialisms are based on knowledge areas within CyBOK.  

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Secure System Architecture & Design.

Core knowledge – you will need a very good understanding of these areas 

Secure Software Lifecycle 

The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.  

Software Security 

Known categories of programming errors resulting in security bugs, & techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems 

Hardware Security 

Security in the design, implementation and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness. 

If you're working in a role which as responsibility for the security of industrial control systems (ICSs) you will also need: 

Cyber-Physical Systems Security 

Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures. 

Related knowledge – you will need a solid understanding of these areas 

Operating Systems & Virtualisation Security 

Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multi-user systems, secure virtualisation, and security in database systems. 

Distributed Systems Security 

Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multi-tenant data centres and distributed ledgers. 

Cryptography 

Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them. 

Web & Mobile Security 

Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models. 

Wider knowledge – these areas will help to provide context for your work 

Network Security 

Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security. 

Skills 

Personal attributes 

• interpreting requirements of a wide variety of types 
• judging the relative importance of requirements 
• analysing complex problems 

• a logical and methodical approach 
• interpreting and applying formal standards 
• written, spoken and drawn descriptions of complex designs 
• confidence in defending ideas against challenges 
• evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills 

• creating an integrated view of business requirements, enterprise security plans, cyber security standards and regulatory constraints 
• understanding and applying vulnerability analyses to design decisions 
• thinking like an adversary 
• experience with PKI (Public Key Infrastructure) 

• producing system architecture specifications and designs 
• designing secure systems to run on cloud platforms 
• applying the Zero Trust principle 
• using the result of a risk assessment to design a management measure for the risk 
• complying with data protection and other regulations 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

C1 – Enterprise Security Architecture 

Principles: 

• working with Enterprise Architects, takes customer security requirements and assists in the development of an Enterprise Information Security Architecture 
• interprets relevant security policies and threat/risk profiles into secure architectural solutions that mitigate the risks and conform to legislation and regulations, and relate to business needs 

• applies common architectural frameworks (e.g., TOGAF, SABSA) 
• presents security architecture solutions as a view within broader IT architectures 
• maintains awareness of the security advantages and vulnerabilities of common products and technologies 
• designs robust and fault-tolerant security mechanisms and components appropriate to the perceived risks 
• develops and implements appropriate methodologies, templates, patterns and frameworks 

C2 – Technical Security Architecture 

Principles: 

• contributes to the development of Computer, Network and Storage Security Architecture, incorporating hosting, infrastructure applications and cloud-based solutions as covered by the role of Chief Security Architect 
• interprets relevant security policies and threat/risk profiles into secure architectural solutions that mitigate the risks, conform to legislation and regulations and relate to business needs 
• presents security architecture solutions as a view within broader IT architectures 

• applies security architecture principles to networks, IT systems, Control Systems (e.g., SCADA, ICS), infrastructures and products 
• devises standard solutions that address requirements delivering specific security functionality whether for a business solution or for a product 
• maintains awareness of the security advantages and vulnerabilities of common products and technologies; designs robust and fault-tolerant security mechanisms and components appropriate to the perceived risks 
• uses appropriate methodologies and frameworks 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

Roles at all levels in this specialism require the application of a thorough understanding of information technology, cyber security threats and effective controls. It is, therefore, very difficult to gain significant transferable skills in jobs other than those which already involve such knowledge. 

However, other types of roles which require the application of deep, expert knowledge to analyse and solve complex design problems, may give some advantage in obtaining a job in Security Architecture and Design. There also needs to be the relevant IT and cyber security knowledge. Such roles include: 

• architecture 
• urban or transport planning 
• engineering (civil, mechanical, electrical, production) 

Linked Specialisms 

• Security Testing 
• Secure System Development 

Moving On 

Given the very high level of technical knowledge required to work in this specialism, it's unlikely that you'd move into most other cyber security specialisms, with the exceptions of: 

• Secure System Development 
• Security Testing 
• Secure Operations 
• Cyber Security Management 

From a practitioner role, you might take a more senior role in Secure Architecture and Design, or transition from a role as a secure designer to a become a senior practitioner in secure architecture. 

From a senior practitioner role, you might progress into an enterprise-level architecture role, or become a Chief Information Officer or CISO. 

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 

Mark Buckwell is a Cloud Security Architect and Wayne Evans is a Security Architect.

In this recorded webinar, they take you through the Secure System Architecture and Design specialism and more about what it's like to actually work in it.

If you are applying for a Professional Registration Title, the Standard of Professional Competence and Commitment for Secure System Architecture & Design can be found here.