By: Josh Lambert
August 14, 2020
Distinguishing Between the Security Architect and Security Engineer
Sometimes the terms engineer and architect are used interchangeably, especially in cybersecurity job postings. I submit that within the technology domains, especially cybersecurity, there is a distinction between the role of engineer and the role of architect. The etymology of engineer points to someone who designs, maintains, troubleshoots, and cares for an engine. I equate an engine to a cybersecurity capability within the enterprise, a capability such as a network security device, an endpoint security tool, or a centralized logging and analysis appliance. There are multiple purpose-built engines across the threat landscape. The architect, on the other hand, is one who designs or realizes ideas. Architects bridge the gap between an organization’s needs and the capabilities that satisfy those needs.
The Career Path of Technical Professionals
For the sake of conversation, I suggest the below diagram as a generalization of the types of careers available within cybersecurity, along with their associated relative salaries. Note that the salary levels are generalized based on a review of market salaries suggested by multiple sites (e.g., glassdoor.com and infosecinstitute.com).
- Operational professionals are the entry-level fields for a vast array of security specialties (limited functional and operational focus). Salaries are lower, even for line management, at this level.
- Engineers are hands-on and have technical depth in a specific area of focus (capability or domain focused). Salaries range from low to mid-range for all engineering roles.
- Architects are the visionaries overseeing a domain of expertise, increasing the area in breadth and complexity. These professionals bridge the gap between business requirements and technical capabilities. Salaries for architects range from the mid to high-range.
- Leaders pave the way for the operational, engineering, and architecture requirements to gain fair business representation and support. These are considered director and executive-level roles. Salaries for the leadership roles range from mid to the highest level in the field of cybersecurity.
The Educational Foundation of the Professionals
In the realm of cybersecurity, certifications and degrees can get you to a “mile wide, inch deep” basis of knowledge. This is extremely valuable because, as an individual contributor starting on your career path, you need to speak the same language. A common body of knowledge puts you on the same page to learn from others and determine where your strengths and interests lie. A degree can further jump start your career by removing the need for so many years of practical experience.
The Path of an Engineer (example)
In many cases, engineers will latch onto an area of expertise where there is a need and an interest. They will spend hours gaining hands-on experience performing a function that optimizes one or more capabilities. This type of focus allows an engineer to become an expert with a history of focus on a defined scope of capability (i.e., engines or types of engines).
For example, a network security engineer started her career working as an operational support tech for a network operations center (NOC). During her first year on the job, she became fascinated with network protocols. She quickly learned the playbooks for making firewall modifications, dropping in DNS blackholes, making exceptions to proxy rules, and understanding the baseline of network traffic at the perimeter so that she could troubleshoot when there were protocol anomalies. In a matter of months, she gained a mastery of the “operational” tasks and began to seek more in-depth knowledge in the field of networking, focusing on security. A vacancy came up on the network security engineering team, and she jumped on it, as she had both a great performance history in the NOC and good relationships with the team members. The role was a junior engineer role, and she was happy to have taken this next step. She could easily spend the next few years maturing as an engineer, learning the processes and technologies within this organization’s domain of network security – and these roles are resume builders that could be leveraged if she wants to move up the chain faster than this organization will allow. Nonetheless, her interests and position will allow her to progress in the network security engineering domain and become a leader of the engineering division in the future. Now, let’s pause and look at another scenario.
The Path of an Analyst (example)
Let’s look at a different technician: he is a peer of the engineer. He takes a different path, one that leads to the role of a security analyst. We’ll pick up where he has the playbooks under his belt at the NOC, but his inclinations are more towards the defensive aspect of his work. The NOC and the security operations center (SOC) are co-located in the same space. He has a growing affinity for security monitoring, the impetus for the change requests and incidents that he responds to as a tech. Once he has reached a level of mastery as a technician, he socializes with the SOC personnel. He finds out that he will need a security certification to go along with his NOC experience to get a role within the SOC. So, he rolls up his sleeves, studies for, and passes a basic security certification exam. With his new credentials, he applies for an opening within the SOC and lands the job. After about a year on the job as a SOC analyst, he has mastered the security playbooks for the level one and level two SOC analyst roles. Within the SOC, there are several cells of experts: vulnerability assessors, penetration testers, cyber threat intelligence analysts, malware and forensic analysts, security information and event management (SIEM) engineers, and security orchestration, automation, and response (SOAR) engineers. Over the next several years, he moves from cell to cell, mastering these technologies and processes. Let’s pause again.
The Divergence of the Architect
This broad and deep expertise has created a frame for both our engineer and our analyst to become architects. However, I would suggest that those are not the only qualifications. There are also soft skills and business-related skills needed, because the security architect serves the business’ needs. They may have most of the technical answers – or at least the capacity to get them – to answer the how and the how quickly. However, they also need to be able to understand and balance the why.
I envision the security architect as the right-hand of the CISO. I also envision the security engineer as the architect's best friend (most of the time). They form an extremely powerful team. One is not superior to the other – especially when talking about a senior engineer and a senior architect. But the architect does have the ear of the CISO. In a RACI matrix – the CISO is accountable (usually), the architect is consulted, and the engineer is responsible for the execution of the functional requirements.
The point is that there is a divergence when the engineer or the experienced analyst puts the keyboard and mouse down (partially) and dons a business leader’s cap. Often, there is a natural evolution of someone with tech-savvy and business acumen - they gracefully fit into the architect's role. In other cases, it is a more difficult decision. Some would agree that there are technical experts who loathe dealing with business decisions, possibly because they aren’t always binary decisions. However, some are born for this duality, and others must work their way into it. The architect, though, is a different breed than the engineer. They rise above the treeline, draw correlations between multiple capabilities and functional requirements, and lay out a strategic plan for an organization’s cyber defense.
The engineer and architect paths both have great growth potential. The architect demands more top-end salary because they are closer to decision-making and helping an organization understand and mitigate risk. This type of consultation comes with greater personal risk and demands more compensation. Either of these paths can lead to leadership or management roles. A senior analyst, engineer, or architect can manage and lead a team. However, team managers may find themselves drifting away from technical hands-on and becoming more involved in the management of the team and ensuring business objectives are achieved.
Whether an engineer or architect, in the field of cybersecurity it is critical that you have a strong desire to learn and stay abreast of the fast-changing landscape. Consistent ongoing education - whether in technology, capability, or theory - is essential to staying sharp and competitive. Career-long learning is mandatory within cybersecurity. Engineers need to master their domain and pursue depth of knowledge. Architects need to stay current across a broader range of domains and understand how the threat landscape is evolving and how emerging technologies are protecting organizations.