Collaborate on Architect Invoice Template for Security with Ease Using airSlate SignNow

Architect invoice template for Security

[Music] hello and welcome to InfoSec institute's video series this is the first in a series of videos that we'll be doing which will include several types of security information and discussion I hope you'll will check back regularly because we're we covering several different areas of security some weeks we'll be doing security awareness topic some weeks we'll be doing tools of the trade we will do an occasional tool deep dive and as we are doing this week we'll be looking at security career paths our aim is to break down the journey from security newcomer to an elite security practitioner so if you feel like you're sitting at the bottom of the security organizational ladder and aren't moving up as quickly as you'd like stay tuned our guest this week is Leighton Johnson and he'll be talking to us about the path to the role of security architect Leighton is the CTO and founder of the information security forensics management team a provider of computer security forensics consulting and certification training he's presented computer security cyber security and forensics classes and seminars all across the United States and Europe he has over 35 years in computer security cyber security software development communication equipment operation and maintenance Layton's primary focus areas include computer security information operations and assurance software system development lifecycle focused on modeling and simulation systems systems engineering and integration activities database administration business process and data modeling with InfoSec Institute he has taught cissp C is a sea risk CISM security plus cap daya cap anti-terrorism digital and network forensics security engineering security architecture and risk management courses around the u.s. for over the past 10 years so Leighton thank you very much for being here thank you glad to be here ok so I want to start with asking a little bit about just the very beginning points I'm I'm doing this with the assumption that people who are listening are maybe just kind of getting started in their security adventure and are looking at sort of eyeing the higher level business profession professional levels without knowing really where to start so what would be the major steps along the way in the progression of skillsets to become a security architect well first off you have to become a security practitioner so you need to have an introduction to the security world itself whether it be just information security or the subset we call cyber security these days either way you need to start with that type of background potentially through either starting out as an interim person just beginning in the security arena like getting your security plus or your first level certification just starting out that particular way then you need to spend a couple of years doing that type of activity getting used to the varying different types of security roles log-log reviews checking your management systems looking at what's going on from an IDs Alert alarm possibly working on firewalls those types of things starting out first and then gradually work your way into understanding the actual technologies behind them and as you begin to understand and work with the technologies and you gain some experience as well as some additional education you can then work your way towards becoming a security engineer once you do that and those are the people who are putting in the devices they're the ones who are installing the security components they're the ones who are hardening the systems and the servers and the software most types of things then you work your way to becoming a security architect after that okay so that's it sounds like you'd like any other sort of yeoman tradesman system you're you're you're sort of learning on doing all sorts of things until you start to find the sort of the areas that specifically pertain to this and then you get better at a narrowing set of skills ah true the only thing is is a security architect you need to know all of it and that's one that that's one of the big arenas around architect security versus being a security engineer security engineers tend to focus on firewalls uniquely or on routing or on servers or on networks whereas the security architect needs to understand all of them ok so you're you're really doing the top-down yes level thing at every every step of it right ok because I know many of our viewers have only minimal IT or security experience as related to that can you kind of walk me through the day-to-day activities of what a security architect does ok I can certainly do that no problem a security architect typically their daily activities would include things like reviewing the enterprise architecture for the organization from an IT perspective to determine where and what type of security components need to be put in what location based upon what is the organization doing what is its data flow where the informational access is coming in the architect is going to be looking at where best to put authentication mechanisms for the identities for the people coming onto the network and then how do they communicate with their systems that they're needing to do those activities and an architect would be the one who would be designing something like that at an overarching view one of the second things that an architect often does is look at the organizational risks and to determine what are the best ways to handle them what are the best types of technologies policies procedures operational activities and even managerial policy potential changes that are necessary in order for the risks to be appropriately handled for the organization from a security perspective and those are the two big areas that are an architect works with each particular day sometimes they get into details where they start actually developing an architectural construct and all of you or a technical view or a security view a component view of a particular path a particular information flow for an organ how does someone log in get to the network then get to their system then update their data on that particular system how does the application handle those authentications behind it and then how do they log off and what happens okay and I'm assuming that this is a fairly managerial position as well you're sort of your your your planning but you're also sort of delegating roles or are you doing it all you're advising you're doing an awful lot of advisory work as an architect most of the time architects don't necessarily have a lot of people working for them they may be in certain lines of business uniquely I know in my role as a chief security architect I had several lines of business architects who worked for me but for the most part it's relatively a singular role as as a as an adviser as a consultant to the orc to the lines of business as well as to the security and IT folks okay I see now do you have a does this also include kind of a role in sort of moving the sort of C suite in making decisions about security or definitely because one of the major roles that a security architect does do as I said earlier is advised how to handle risk which is where the C suite fits in okay naturally right up front and then as part of that we have to draft the recommendations the options for them to make their decisions about on how to deal with the risks both in the IT as well as in the line of business arenas okay thank you now what sort of activities are projects if you are a sort of a lower level security person you know they say if you're gonna you know move into a profession it should be something that you enjoy doing all the time so what what's right activities or projects should you be interested in or really enjoy doing if you're thinking of moving in the security architect as a profession figuring out what the other guys are doing the bad guys are doing and then how to build organizational security to keep that from happening and that's a day-to-day challenge understanding the variety of cyber arenas that are out there that each organization has some of which they may know some of which they may not know and then understanding organizationally in the infrastructure but with networks with the system so it's the servers with the activities what's going on and what needs to be where in order to handle the risks okay and so do you do a lot of sort of outside research to find to sort of keep up with these these trends or is it really actually I do probably two to three hours a day okay where do you where do you go what do you what are you looking at I go literally all over the internet I I do a lot of conferences so I always try to keep up to date on what's the newest latest greatest activities that are out there how are things being handling you know the you the new user based mechanisms for accessing computers with there you ve a and all those types of things so I stay up-to-date a lot in those arenas and so I do a lot of reading and I do a lot of listening to webinars I do a lot of going to conferences I probably go to five or six a year big ones and little ones both even once I'm speaking at I've never stopped I always go to other people's sessions just to to hear what's going on to see where things are going I have a couple of areas that I specialize in that I have over 30 years what are those Incident Response in forensics both and so you know those types of things I'm very interested in how organizations are handling all the new risks I've done a lot of work in the last few years in cloud and cloud architectures I've been a member of the cloud security line since I started about eight nine years ago whenever it was and so I do a lot of work in that arena as well okay so would you recommend lower level security practitioners do what they can to start sort of attending seminars or at least doing do the webinars do the stuff that you can get online do those types of things if you do it at home you do it in the evenings you do it on a weekend you know when you have some downtime that's probably the best way to keep yourself up to speed and up to date this is such a dynamic field it changes every day and since it literally changes every day you have to really understand that you have to be in a constant learning mode otherwise it isn't you're going to become static and your systems will become static and that's exactly what those bad guys want so you gotta be constantly changing and understanding the dynamics and step ahead all the time so you have to be absolutely now what certifications should people pursue on the path to becoming a service well the first level yes you got to get your basic security certifications so starting with the standard you know the security plus the initial introductory ones moving up a level to the the more detailed ones with cissp and with C ASP which are the two big major ones that are out there from a security perspective then you start looking at the architectural ones on top of that there is of course with cissp there's an there's a there's a follow-on one called ISS AP which is the architecture professional there are other ones that are architecture-specific that are out there Sabitha has one TOGAF which is the open frameworks architecture framework if you're working in a governmental vertical there's one called FAA C which is for the federal enterprise architecture DoD has their own underdo GAF which is the DoD architecture framework these are all arenas around architectural e getting in there but primarily you need to understand both how systems work and how networks work together and so understanding that architectural II those are the big areas you need to work for and getting your certifications that's looking at those try not to get too specific on vendor activities from devices and those types of things because you're going to have wide ranges of architectural options if you're working in an organization that's say a Cisco shop then go ahead and do the Cisco if they're juniper shop then go ahead and do the Juniper but understand that those aren't the only options either from an architectural standpoint there's so many different vendors in so many different ways that you can look at it you need to generically look at it from security perspective rather than from a vendor specific now if you were to get say some of the vendor neutral certifications would there be a benefit and also being sub specialized in the Cisco or juniper specific sure because then you you can focus on how does that fit into an architecture where are all the company's pieces and parts to it you know those types of things and certainly that's advantageous in a career path if you want to stick to being in that particular area and understand that all of them are great they're all super they all work you know right so they all have their advantages they'll get you so none of them are any better than any of the others they're all very focused on what they provide as far as their services as far as their equipment capabilities etc so if you you know most of the major network vendors once you learn the material from say one of them you can apply to others at least partially you know uniquely you know and our evolving network infrastructures over the years you know different vendors have provided whole protocols and whole methodologies that are that have advanced the entire networking world or the entire server world rather than just uniquely just from their perspective ok going to the other side of things what sort of hands-on work activities should you be good at and be doing regularly in your job to get on this path understand how servers are configured understand how you set up making you know the classic hardening of a server how do you do that what does that mean understand it from an operating system so you do need to know all the different kinds that are out there day to day what do you have to do to configure a UNIX box or Linux box versus a Windows box versus desktop versus a Windows server how do you handle sans Nazz storage that today's world you know security being one of the biggest users of big data ourselves just because they're looking for all the problems and all the apts that are out there those types of things you need to understand storage and how it works so day to day how do you do that how do you and then the other big thing is understanding what are the architectural elements those types of things so that's more hands-on building and architecture element is going to work digging down into the protocols potentially to see if that particular type of device works at that level whatever level it may be in the in the network and those types of things and what types of companies require security architects and what types of professions or companies should you try imagine it's kind of all of them right well for the most part people who are operating not people who are vendors okay okay service organizations people who are out there making money by providing services to other organization information brokerages service providers a variety of those types of companies financial institutions all those types of things would be where you would want to do that whereas you wouldn't necessarily have that uniquely with the in a vendor space you may and they probably do but I it's much more career path oriented towards the normal standard everyday business is going to need it the bigger they are the more likely they're gonna need an architect I was just working with a company that had 15,000 employees and they had 10 architects as an example and one in each line of business plus a couple of principles that were over them that type of thing so there's not a lot of Architects in a particular company typically because it is such a unique skill set because it covers everything that type of thing but they do have a lot of need for them and in today's dynamic privacy driven world coming with gdpr and a couple weeks those types of things international companies are needing them even more than anybody else right now we'll be talking about GDP are actually in our next as well here so you're transitioning us nicely now I'm imagining that security architects a fairly in-demand job and there's there's a lot more candidates than there are positions so what could a candidate do to sort of put themselves head and shoulder above other people who might be interviewing for the same position not that many people have professional certifications vendor-neutral type certifications in these arenas there just isn't that big area for it most people usually convert from being a security engineer or being an IT engineer over to being an architect especially infrastructure architect type things and they try to pick up the security part but it's it's unique subset of that generalized IT infrastructure view that is different and so learning the trade mechanisms around security architecture uniquely what the mechanisms are because of course since it permeates all parts of an enterprise from an architectural standpoint it's even a little bit more of specialties than say an Enterprise Architect even though they typically work together I know governmental e in the government vertical industry they usually have an Enterprise Architect shop for the whole organization one okay and then they'll have one per line of business or one for agency and then they'll have one or two security architects and that's it that type of thing so it is a unique area in that you can once you get the process and you're in being as a security architect you will always be employed number one number two you'll be employed well okay because it isn't unique Arina so it's a high demand and not many people can meet all the types of qualifications typically they're looking for because it is such a unique number of skill sets necessary rather than just one or two you gotta understand ITT you gotta understand security you got to understand the combinations but then you also have to understand how the lines of business do it so you got to be an analyst as well and some business and Lana Linux risk analytics come into play all sorts of different things also come into play in understanding security architectures and being a security architect that transitions nicely in my next question you said that a lot of people don't have you know this this understanding or that qualification what are some of the common pitfalls that people might make along the way they think they're you know on their way but they're studying the wrong thing or they're focusing too much on this or that or not staying abreast as you say of current trends and so forth the biggest things I've seen is not understanding the the business and its attack vectors what people come after them for okay number one and those who do do that they're an incident response they're not architects and so they miss how to handle the risks they can identify it but then they are missing the piece about what do you do after you've identified how do you handle it how do you fix it there's a lot of Network people who transition over to being architects in various different arenas and they miss the security piece or you'll have people who are really really good at doing general IT and server activities and they'll be trying to become an architect and they'll miss the network piece and so that's part of the issues and the big underlying problem I've seen for the most part in the 20 plus years have been a security architect is that there's a disconnect when someone approaches architectural II from only IT insecurity and misses the line of business or the other way around the two have to work together and that's why it's such a unique field is they absolutely require you to have both viewpoints all the time you can't just have one at one time and one another no you got to have them both you got to wear both hats simultaneously simultaneously and sort of keeping on top of both both industries right right both text so again speaking to the people who are you know in in their in their day job you might be you know in the cube farm and you're not really you know it might seem kind of daunting to jump from you know where you're at you know 10 steps up what's one thing in your current position or life that you could change to sort of put you on the path to security architect would you start taking a certification course would you ask for different responsibilities at work do some outside work anything like that the biggest thing is be inquisitive about what's going on and why the lines of business are doing what they're doing and how is IT supporting them and are they meeting the needs understand how the business is working and the IT is supporting it either yes or no I mean sometimes it's more successful than others certainly and then do some analysis and figure out why what's missing is it because the organization isn't set up appropriately procedurally is that a workflow issue is it a technology issue you know understand that all three have to be working together and that's what the architects ultimate goal is is to get all three of those to work together in supporting the business operations of the organization now how might the role of security architect change in the future based on sort of current and up-and-coming technologies I'm sure it's changed a lot since you got start yes I've been a security architect for 20 years I've been in the industry for 40 but an architect for 20 and it has changed a lot a lot of it has because of the technology changes and because of the people who are sitting behind the keyboard changes they're much more of adapt and adapted to working with computing activities so non-stop we're doing it per meet permeating of a sort of Technology and with younger people or technology with younger people and the fact that the businesses are now singing returns in those arenas which for a long time they were skeptical about but now they're seeing it and so you know I mean the top six companies in the world are now technology companies so and you know for years and years and years it certainly wasn't that way but now it is and so they're saying lots and lots of money they're seeing lots and lots of of advancement professionally personally for people in those arenas that have just dramatically shifted as we've had a series of technologies that came together with cloud with mobile with big data all basically hitting at the same time all hitting their stride simultaneously you know there was obviously technological components behind them with virtualization etc and moving from 3G to 4G and soon to be 5g in the cellular world and the advances of all the mobile devices with the smart phones and smart everything and IOT now is adding to all of this because of course now that means anything and everything that is electrical could potentially be with a CPU which means it could be computing which means it can be a device that kid is addressable from somewhere so on or not or not it goes so stay on top of the technology stay understanding of what's changing see where the issues are around them and how people are handling those issues today as technology advances the methodologies of handling the issues around those technologies advanced as well so it's a little bit of lag typically between the two but we're seeing people get caught up on what's happening in the in the back eye world you know with the hackers and the crackers and across the board what they're doing we're starting to take technologies today and advancing them with AI with machine learning and those types of things now of course those techniques generally have been around for a long time but they're more advanced now with the algorithmic based review systems that we got today with the machine learning activities where the systems are understanding and learning on their on their own as things are going on those are changing and those are creating another dynamic that will be back to being caught up and then the technology advanced again and you know understand it's a dynamic process it is never static if there's one thing in the cyber world is to understand it's always changing every day that seems like a fantastic place to end there so I think we will we'll wrap up thank you very much Leighton Johnson for being with us today and if you would like to know more about certification study you can visit InfoSec institute comm this INF OS ec institute comm and if you'd like to read a number of we have a we have a blog it is resources InfoSec institute comm there are a number of articles and labs videos such as this one and encourage you to visit those as well so again Leighton thank you very much for your time today and thank you very much everyone for watching thank you you [Music]