The Future of Security Architecture Certification
Would you drive over a Bay Bridge built from an amateur building architect’s blueprints? What if the architect passed a multiple-choice test first – is that good enough? Society’s answer to these questions is obviously NO. But unlike building architects, security architects are not always required to hold certificates or degrees, and standards for such credentials are lacking. As information gains value, and we move from “information security” to also securing the Internet of Things, security architecture becomes increasingly consequence-laden and the question of required training and accreditation more pressing. A lack of certifications and standards for architecture could be one of the causes of the security architecture fails I posted about a couple of days ago.
The slides are from a webinar in which the LinkedIn Security Architecture Group participants collaboratively explored the Future of Security Architecture Certification. The following is a quick summary of the questions we discussed and some of the ideas aired by the participants.
What is a Security Architect and how does our practice relate to others?
Security architecture is a very broad area, exceeding what is technical to encompass people, process and technology, and exceeding what is informational to encompass our intertwined logical and physical worlds. The webinar had 15-20 registrants with “architect” in their LinkedIn job title. No two titles were the same, although 9 did actually have the words “security architect” somewhere in their title. One was a “process architect,” another a “network security architect,” and we had a “solution architect.” We also had 4 “enterprise security architects.”
A suggestion: go to sabsa.org and download their “Enterprise Security Architecture” white paper. In it you’ll find much discussion of the various facets of security architects. The paper also explains the diagram shown on slide 10 of the slideshare above.
What frameworks should be used for our practice?
Special guests Maurice Smit (SABSA) and Jim Hietala (The Open Group) discussed the SABSA security architecture framework and the TOGAF enterprise architecture framework, as well as a white paper that describes how the two map together. Mapping is good, since security architecture is a subset of a broader enterprise architecture. Fred Cohen from Management Analytics discussed the Standard of Practice (SoP) framework (see slide 13), which is available on his web site all.net under “protection.” For myself, I spent many years working on Burton Group’s and then Gartner’s Security and Risk Management Reference Architecture.
Many security architects don’t work from a comprehensive framework like SABSA, SoP or the Gartner Reference Architecture. However, most are familiar with NIST 800-53, the ISO 27000 series and other control frameworks. These contain lists of security controls covering people, process and technology and (arguably) an “implied architecture.” Auditors turn NIST, ISO, COBIT and other control frameworks into checklists and use them to audit organizations. We do something like that at Security Architects Partners with our qualitative assessment service. Good auditors or assessors don’t just check off controls with yes or no answers; we ask how. With experience we learn to discern the architecture behind the answers. We learn how to tell when the “pieces” of a client’s security fit together in a good way to manage risk, and when they do not.
Should security architects be certified, and how?
This question led to the lively debate summarized on slide 14. One guest argued that “It’s too early for certification, the standards aren’t defined well enough.” But another guest retorted: “No, it’s too late.” I’m not sure if he was referring to the high level of breaches we’re experiencing in the industry, or to the fact that rival certification tests have already emerged from ISC2, SABSA and other sources. My personal opinion is that security architect certification is desirable, but that relying parties should understand very well what the certification covers.
What training or tests should be required?
ISC2 has a multiple-choice test which CISSP holders can take and pass to obtain an architecture certificate. SABSA has a set of increasingly difficult multiple-choice tests; a candidate can only reach the most advanced level by presenting a mini-dissertation to a panel of experts. SABSA’s advanced levels are designed to measure “cognition” (the ability to understand and apply architecture) as well as “knowledge” (the ability to memorize a great many facts).
Should security architects require a specialized Degree?
The future of security architecture certification will not really be driven by architects like ourselves, or even by groups like SABSA; instead, it will be driven by two forces: 1) top-down mandates that may emerge over the next few years and 2) the market. In terms of market-based drivers, the subject of cyber-insurance came up again, but that’s another story. Finally, I’ll close by offering my thanks to special guest Bill Ross of INFOSECURE, without whom this webinar would not have occurred, and who contributed slide 16 comparing the SABSA and ISC2 certification programs.