Secure System Architecture & Design is the designing of an IT system to meet its security requirements, balancing this with its functional requirements.
Secure System Architecture and Design solves complex security problems by selecting the best available solutions from a range of technological components and structures. The decisions made fundamentally determine whether an organisation can manage its data, information systems, and communications networks securely. The recommendations made guide the work of developers, implementers and operators of the systems and networks.
While very technical, this role involves a substantial amount of co-operation with other specialists, including external suppliers. Although this specialism might not have the knowledge and skill need to solve all problems, it is important to consult with others, explaining the unresolved parts of the problem.
The primary responsibility is to ensure that the new systems or changes to existing ones are secure, taking into account higher, enterprise-level security requirements, and the broader requirements for any information processing system. When systems are being built or changed, reviewing the work periodically ensures that it conforms to the agreed designs.
The recommendations are then documented for development teams clearly and sometimes presented to senior managers. This is especially important if the recommended solutions are expensive or might compromise a system’s ability to meet other important requirements, such as transaction speed. Design documents must be produced, to ensure that they are available for reference should they be needed by other teams.
Secure System Architecture and Design decides on the essential security structure of the information systems which an organisation develops and runs, and verifies that the delivered systems conform to the design.
In this specialism, you may:
For Secure System Architecture and Design roles, titles include:
For more experience Secure System Architecture and Design roles, titles include:
A Secure System Architecture and Design role could earn between £50,000 and £90,000 a year. The median figure in March 2021 was £77,500.
A senior Secure System Architecture and Design role could earn between £60,000 and £130,000. The median figure in March 2021 was £83,000.
Salary ranges are based on job vacancy advertisements published online in March 2021. Only a small proportion of job vacancy advertisements for these roles included salary figures, so the sample size is small and may not be representative of jobs of all jobs in Secure Architecture & Design, especially in the public sector. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.
Each of the 16 specialisms are based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Cyber Security Governance & Risk Management
Core knowledge – you will need a very good understanding of these areas
The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.
Known categories of programming errors resulting in security bugs, & techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems
Security in the design, implementation and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness.
If you're working in a role which as responsibility for the security of industrial control systems (ICSs) you will also need:
Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
Related knowledge – you will need a solid understanding of these areas
Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multi-user systems, secure virtualisation, and security in database systems.
Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multi-tenant data centres and distributed ledgers.
Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them.
Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
Wider knowledge – these areas will help to provide context for your work
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
C1 – Enterprise Security Architecture
C2 – Technical Security Architecture
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Roles at all levels in this specialism require the application of a thorough understanding of information technology, cyber security threats and effective controls. It is, therefore, very difficult to gain significant transferable skills in jobs other than those which already involve such knowledge.
However, other types of roles which require the application of deep, expert knowledge to analyse and solve complex design problems, may give some advantage in obtaining a job in Security Architecture and Design. There also needs to be the relevant IT and cyber security knowledge. Such roles include:
Given the very high level of technical knowledge required to work in this specialism, it's unlikely that you'd move into most other cyber security specialisms, with the exceptions of:
From a practitioner role, you might take a more senior role in Secure Architecture and Design, or transition from a role as a secure designer to a become a senior practitioner in secure architecture.
From a senior practitioner role, you might progress into an enterprise-level architecture role, or become a Chief Information Officer or CISO.
Our qualifications framework is currently under development. Sign up to our newsletter here to be notified when this is published.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below:
If you are applying for a Professional Registration Title, the Standard of Professional Competence and Commitment for Secure System Architecture & Design can be found here.