The Future of Security Architecture Certification
By Dan Blum, Managing Partner
March 18, 2015
Copyright (c) 2015 Security Architects, LLC
About Us
• We are a consulting firm dedicated to helping organizations plan, specify and develop security programs, policies and technology solutions.
About Us
• Clients: Enterprise Security Teams; Cloud service providers (CSPs); Other Audiences
• Areas of Expertise: Cloud Security; Identity and Privacy; Endpoint Security; Cyber Security
• Our Services: Security Assessments; Security Architectures; Custom Consulting; Security Workshops; Consulting Services
Special Guests
Guest | Organization | Framework
Bill Ross | INFOSECURE, LLC | N/A
Jim Hietala | The Open Group | TOGAF
Fred Cohen | Management Analytics | Standard of Practice (SoP)
Maurice Smit | SABSA | SABSA
Problem Statement
“Would you drive over a Bay Bridge built from an amateur architect's blueprints? What if the architect passed a multiple choice test first - is that good enough?”
Society’s answer to these questions is clearly “NO.”
Depending on the state, practicing architects need:
• University Degrees
• Licenses and Certifications
• Separation of Duty
• Liability
Problem Statement
• As the information economy and the Internet of Things (IoT) mature, a Security Architect’s practice becomes more consequence-laden
• Industry lacks consensus on exactly what a Security Architect is or should be
• One non-attendee challenged this webinar
– “I think the basic assumptions of this proposal are not sufficiently defined or developed to the level required for meaningful result.”
Questions to Consider
• What is a Security Architect and how does our practice relate to others?
• What frameworks should be used for our practice?
• Should security architects be certified, and how?
• What training or tests should be required?
• Should security architects require a specialized degree?
What is a Security Architect and How does our Practice Relate to Others?
Actual Titles
• Cyber Security Process Architect
• Enterprise (Security) Architecture
• Technical Architect (Security)
• Chief Security Architect
• Security Architecture & Cyber Security Lead
• Director/Information Security Architect
• Senior Security Architect/Consultant
• Senior Technical Advisor/Enterprise Architect
• Senior Security Architect
• Network Security Architect
• Solution Architect
• Enterprise Security Architect
• Enterprise Security Architect
• Managing Architect
• Information Security Architect
• Information Security Architect
Types of titles
• Process architect (1)
• Enterprise security architect (4)
• Security architect (9)
• Network security architect (1)
• Solution architect (1)
We’re International
We’re Multi-Faceted
Source: SABSA White Paper: Enterprise Security Architecture
Our Work May be Contained Within Enterprise Architecture Frameworks
SABSA and The Open Group have been working to integrate enterprise security architecture into the TOGAF Architecture Development Method (ADM).
Source: The Open Group
What Frameworks Should be Used for Our Practice?
Source: SABSA TOGAF Integration White Paper
What Frameworks Should be Used for Our Practice?
Source: http://all.net
Should Security Architects be Certified, and How?
PROS
• Supports hiring and training efforts
• Facilitates compliance
• Works for practice subsets that are mature
CONS
• Too early, no equivalent of “building” standards
• Too late, questionable frameworks in place(s), no consensus
NICE TO HAVES IN CERT / TRAINING PROGRAMS
• Open source materials, low barriers to entry
• High standards for qualification, but low barriers for already-qualified experts
• Standards and mutual recognition of similar certifications
• Regulatory acknowledgement
• Operate at the enterprise level
Audience Supplied Answers
What Training or Tests Should be Required?
Source: ISC2, http://blogs.lt.vt.edu/sequencingscott/2013/12/10/you-have-a-choice/
Comparing SABSA and ISC2
Source: http://www.slideshare.net/infosecforce/security-architecture-brief
Additional Certification Programs
CREST (Council of Registered Ethical Security Testers) Registered Technical Security Architect Examination (CRTSA)
• Examination Format: The examination is assessed in both Written Multiple Choice and Written Long Form.
• Syllabus: The syllabus for this examination is available here
Practitioner Certificate In Information Assurance Architecture (PCiIAA)
• What format is the exam? Two hour ‘closed book’
• Two sections with 85 multiple choice questions
• Pass mark is 65%
Beyond Multiple Choice Tests
• SABSA applies Benjamin Bloom’s “Taxonomy of Educational Objectives” to measure cognition as well as knowledge
– SABSA Chartered Foundation (SCF) Certificate
– SABSA Chartered Practitioner (SCP) Certificates
• Per architecture domain
– SABSA Chartered Master (SCM) Certificates
• Master level certification requires a candidate to pass three further test modules, each of 60 minutes duration and consisting of 40 multiple choice questions. In addition, Master candidates must demonstrate advanced capabilities through either an interview with a panel of experts appointed by the SABSA Institute or through submission of an Enterprise Security Architecture dissertation / case study. The test modules required depend upon the chosen career stream most suited to the needs of the Architect and their employer.
Should Security Architects Need a Specialized Degree?
PROS
• Dramatically improve skills of new architects
• Fundamentals of security don’t change dramatically
CONS
• Too early – no agreement on standards
• Technology changes too fast, degrees get obsolete
• Practical experience may be more valuable than a degree
NICE TO HAVES IN DEGREE PROGRAMS
• Accredited, tiered and specialized curriculums
• Work study program
• Code of ethics
• Lifelong training
Audience Supplied Answers
Open Q&A
Security Architects, LLC
http://security-architects.com
info@security-architects.com
Editor's Notes
• Slide 11: Reflecting multiple “tribes” of security (Excel cowboy, PowerPoint wizard)