Cyber security: advisory

Find out about the DDaT job roles that comprise the cyber security advisory family practice.

This document is part of a collection


Security Architect

Role summary

The Security Architect advises and enables technical teams to make security decisions. They provide advice and guidance to ensure common tools and patterns are used effectively to deliver secure systems, and they implement proportionate controls to enable business outcomes.

Role levels are:

Entry route

Internal: Suitable for an individual from a technical role within the Government Security Profession or Digital, Data and Technology Profession

External: Suitable for an individual who has worked in the private sector in both a managerial and a technical capacity, especially from the technology sector

Skills required to be a security architect

Security architecture. Security architecture relates to the secure design of computer systems. It combines technical architecture and risk management, along with knowledge of how systems can be compromised to help design systems that (among other things) are sufficiently hard to compromise or disrupt while being sufficiently easy to monitor and maintain.

Applied security capability. Applied security capability is formed of a set of complementary security skills. Individual roles may have a requirement for a different profile across these skills. Applied security capability involves 4 elements:

  1. Security requirement elicitation: gathering and deriving meaningful security requirements to support an identified need
  2. Application of security capabilities: apply standardised or unique security capabilities to address security needs
  3. Provision of assurance and confidence: provide confidence that business priorities are appropriately protected
  4. Security and risk reporting: communicate security and risk effectively

Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.

Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change accordingly with the locally identified threats and vulnerabilities.

Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.

Security architect associate

Typical role level expectations

  • Recommend security controls and identify solutions that support a business objective
  • Provide specialist advice and recommendations regarding approaches and technologies across teams and various stakeholders, assessing the risk associated with proposed changes
  • Inspire and influence others to execute security principles, communicating widely with other stakeholders
  • Help review ongoing security architectural activities

Skills needed for this role

  • Security architecture (Relevant skill level: working). At this level you:
    • Support the design and/or review of common system architecture problems (e.g. typical website architectures or remote access solutions), using knowledge of common vulnerabilities, threats and methods of attack to identify recommended security controls, working under supervision
    • Have broad-ranging Technical Security knowledge necessary to understand system architectures that include common technologies (e.g. Windows and Linux servers, end user compute platforms, databases, common server roles, cryptography, security technologies, load balancers, cloud services)
    • Understand the application of security architecture in one or more domains – digital services, enterprise IT, operational technologies etc., as well as the other relevant inputs to architectural design in those domains (regulatory, government policy, standards etc.)
  • Applied security capability (Relevant skill level: working). At this level you:
    • Are aware of the need to provide traceability between business need and security requirements.
    • Gather and derive simple or obvious security requirements for highly standardised use cases, using well-established guidance that is unlikely to be contentious
    • Provide basic security advice to address standard security needs. Advice could be written or verbal. Know the limitations and scope for what advice can be given and when to draw on others’ expertise
    • Are aware of and follow appropriate process such as quality control arrangements
    • Understand and can apply a range of basic approaches to assurance and understand their applicability
    • Are able to meaningfully describe straightforward security concepts and their business applicability
    • Ensure security recommendations and risk statements developed are reasonable and well contextualised to the business need under consideration
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Protective security (Relevant skill level: working). At this level you:
    • Apply concepts of protective security within the context of the other specialisms/enablers, and keep knowledge up to date
    • Champion protective security within the wider security function, providing advice to others
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and apply knowledge of the external environment
    • Maintain understanding of local and strategic threat environments, and trends affecting the landscape, and can apply this to inform and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation

Security architect lead

Typical role level expectations

  • Lead the technical design of systems and services, justifying and communicating all design decisions, applying research and innovative security architecture solutions to new or existing problems
  • Communicate the vision, principles and strategy for security architects for one project or technology
  • Decipher subtle security needs and understand the impact of decisions, balancing requirements and deciding between approaches
  • Lead on quality assurance, and act as the point of escalation for Security Architects within a team
  • Interact with stakeholders across organisations, teams, or communities

Skills needed for this role

  • Security architecture (Relevant skill level: practitioner). At this level you:
    • Have experience of reviewing system architectures to: identify single points of vulnerability and common architectural flaws; identify security issues relating to configuration of components in an architecture; validate and explain how common attack methods are mitigated by the design; and identify areas where detailed technical analysis will be required to understand important nuances that could have significant security implications
    • Articulate security issues identified, and propose and prioritise appropriate mitigation options, taking into consideration other potential constraints (functional impact, cost etc.)
    • Contribute to the design of system architectures that solve common business problems, including specifying required security controls
    • Understand the context and have the required domain knowledge to tailor advice to the specific need of the customer
  • Applied security capability (Relevant skill level: practitioner). At this level you:
    • Elicit security requirements based on straightforward approaches such as threat/vulnerability/impact analysis. Security needs will include an understanding of the user as part of the overall system
    • Help organisations to derive and reason about their security needs, such as understanding and applying security principles to particular business scenarios
    • Interpret and clarify management or organisational intention with regards to security, such as described in risk appetite statements. This includes interpreting such statements into meaningful and appropriate security requirements
    • Provide security advice to non-standard use cases, drawing on and using experts in specific topics or technologies
    • Use standardised control frameworks (such as 27001/2) appropriately, with awareness of their strengths and limitations
    • Understand when security measures might impact on users or business needs and provide effective advice to help the business make an appropriate decision
    • Apply a range of assurance approaches, with a clear understanding of the strengths and limitations of each approach. There is a clear ability to map the assurance options recommended directly to the security need to be addressed
    • Assurance and confidence is not limited to a point in time, but seeks to address confidence across the system/service life cycle
    • Provide meaningful security and risk communication in a range of scenarios. Understand and take account of the limitations of various risk communication mechanisms such as qualitative v quantitative approaches
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relate risk to corporate governance, organisational strategic direction and planning
    • Deliver or review risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspect and report on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Protective security (Relevant skill level: working). At this level you:
    • Apply concepts of protective security within the context of the other specialisms/enablers, and keep knowledge up to date
    • Champion protective security within the wider security function, providing advice to others
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and apply knowledge of the external environment
    • Maintain understanding of local and strategic threat environments, and trends affecting the landscape, and can apply this to inform and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation

Security architect principal

Typical role level expectations

  • Lead projects with high strategic impact, setting a strategy that can be used in the long term and across the whole organisation
  • Develop vision, principles and strategy for Security Architects for multiple projects or technologies
  • Recommend security design across several projects or technologies, up to an organisational or inter-organisational level, solving unprecedented issues and problems
  • Influence key organisational and architectural decisions, and interact with senior stakeholders across organisations to reach and influence a wide range of people across larger teams and communities

Skills needed for this role 

  • Security architecture (Relevant skill level: expert). At this level you:
    • Design and review system architectures for a broad range of complex or uncommon requirements to identify security weaknesses and recommend mitigations
    • Design (or significantly influence) the technical design of a system to enforce security properties that have been derived from first principles to meet a complex or uncommon set of requirements
    • Follow a methodical and repeatable approach to reviewing the security of a system architecture, and can describe that approach
    • Advise on security architecture implications of technological trends when applied to existing systems, such as migration to the cloud. Can explain how those technologies change the security approach required
    • Contribute to new and innovative security architecture guidance for others to re-use
    • May have one or more technology specialisms where you are regarded as an expert in how the specialism supports security architecture design (e.g. telecoms, power, micro service architectures, identity)
  • Applied security capability (Relevant skill level: expert). At this level you:
    • Provide direction and lead on change with regards to factors that feed into analysis
    • Monitor changes in the technical environment and assess whether risks are still at acceptable levels or whether previous decisions need to be revisited
    • Direct and influence others on best practice and policy
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relate risk to corporate governance, organisational strategic direction and planning
    • Deliver or review risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspect and report on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Protective security (Relevant skill level: working). At this level you:
    • Apply concepts of protective security within the context of the other specialisms/enablers, and keep knowledge up to date
    • Champion protective security within the wider security function, providing advice to others
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and apply knowledge of the external environment
    • Maintain understanding of local and strategic threat environments, and trends affecting the landscape, and can apply this to inform and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation

Contact

ddat@gov.scot
