Security Architect job focus: “Adaptation remains the key word”
Just as there are IT architects responsible for designing software, a network or an information system, cybersecurity has its own architects, who specialize in security. “The idea is to choose all the security bricks that will have to be assembled to secure an information system,” explains Abdembi Miraoui.
On behalf of Capgemini, he helps the clients who consult him choose which solutions to implement: “Customers usually arrive with specifications, for example they want to secure part of their IT, or the whole, or even certain business applications, and our job is to transcribe this into a security architecture, with precise solutions, which will then be implemented.” This process is the heart of the security architect’s work, although, as Abdembi Miraoui explains, he may have to revisit a project to refine or modify his recommendations according to the client’s needs. It also sometimes involves demystifying buzzwords such as Zero Trust: “It’s a philosophy that you have to understand, and then translate into a technical solution. We sometimes come across clients who are very closed to this kind of marketing concept, but it is also our role to show them how concretely we were able to set up a similar approach at another client.”
“The goal is always to adapt to the needs of customers. For example, a company in the banking sector will have to meet greater regulatory constraints than a small local company,” summarizes Miraoui. To demonstrate the relevance of his choices, and to deal with companies that sometimes wish to cut the budgets allocated to security, the architect often has to take a teaching approach to explain what is at stake: “We try to convince the customer of the need to put this or that security brick. But we also know how to count on the internal security teams who can also go to negotiate to try to release the necessary funds.”
Keeping up with the state of the art
This permanent adaptation forces security architects to keep a constant watch on the evolution of threats, security methodologies and tools, an activity that represents “about 30% of working time if not more” according to Abdembi Miraoui. It also obliges the architect to maintain close ties with security solution providers: “We ask them a lot, for example to check certain characteristics or certain specificities but also on cost and licensing aspects. They usually have a dedicated contact person to answer our questions.” Of course, because of their role in recommending certain products, security architects are heavily courted by solution providers who would like their products to be recommended.
“It’s a give-and-take, actually. They contact us regularly to promote their products, but our golden rule remains to be agnostic: just because we have a partnership contract with a publisher does not necessarily mean that we will respond with products from that publisher,” he summarizes.
The profession of security architect cannot really be improvised: “It is an activity that nevertheless requires having previously known a certain field experience in much more operational professions, such as security engineer.” In essence, the security architect must be able to step back and take a cross-cutting approach, without being too specialized in a particular technology. Although training courses exist in the field, Abdembi Miraoui believes that they do not replace the experience gained in other roles. He nonetheless encourages people working in cybersecurity to keep the profession in their sights: “It’s a super interesting role, which allows you to constantly learn and face new contexts every day. Finally, there is never a routine.”