As it exists IT architects responsible for thinking about the design of software, a network or an information system, cybersecurity also has its architects who specialize in security. “The idea is to choose all the security bricks that will need to be assembled to secure an information system” explains Abdembi Miraoui.
On behalf of Capgemini, he assists clients who come to consult him to choose the different solutions to implement: “Clients generally arrive with specifications, for example they want to secure part of their IS, or the whole, or even certain business applications, and our job is to transcribe this into security architecture, with precise solutions, which will then be implemented. This process is the heart of the security architect’s work, although as Abdembi Miraoui explains, he may need to return to a project to refine or modify his recommendations according to the client’s needs. This also sometimes involves demystifying certain buzzwords a little, such as Zero Trust: “It’s a philosophy that must be understood, and then translated into a technical solution. We sometimes come across customers who are very closed to this kind of concept marketing, but it is also our role to show them how in practice we were able to implement a similar approach with another client.”
“The objective is always to adapt to customer needs. For example, a company in the banking sector will have to meet greater regulatory constraints than a small local company” summarizes Miraoui. To demonstrate the relevance of his choices and to face companies that sometimes wish to cut back on the budgets allocated to security, the architect must often demonstrate a certain pedagogy to explain the issues: “We try to convince the client on the need to put this or that security brick in place. But we also know how to count on internal security teams who can also negotiate to try to release the necessary funds.”
Keeping up with the state of the art
This permanent adaptation requires security architects to maintain constant monitoring of the evolution of threats in security methodologies and tools, an activity which represents “around 30% of working time if not more” according to Abdembi Miraoui. And requires the architect to maintain close links with security solution providers: “We ask them a lot, for example to check certain characteristics or certain specificities but also on cost and licensing aspects. They generally have a dedicated contact person to answer our questions.” Obviously, because of their role in recommending certain products, security architects are highly sought after by solution providers who would like their products to be recommended.
“It’s a give and take in fact. They contact us regularly to promote their products, but our golden rule remains to be agnostic: it’s not because we have a partnership contract with a publisher that we will inevitably respond with products from this publisher” he summarizes.
The job of security architect cannot really be improvised: “It is an activity which still requires having had some prior field experience in much more operational professions, such as security engineer.” In essence, the security architect must be able to gain a little perspective and adopt a transversal approach, without being too specialized in a particular technology. If training exists in the field, Abdembi Miraoui believes that they do not replace the experience acquired in other roles. But in return for this, he encourages people working in cybersecurity to keep the profession in their sights: “it’s a super interesting role, which allows you to constantly learn and confront new contexts every day. Ultimately, there is never a routine.”