ahmed_akl
Newcomer I

What are the best sources to learn about architecture security?

Hi Everyone,

Based on your experience, what are the best sources (e.g. books, channels, blogs, websites) to learn about architecture security?

P.S.: I am already CISSP, CCSP, CRISC, CISM, CISA, CEH, ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certified.

Thanks,

3 Replies
dcontesti
Community Champion

My two cents. With your certifications, I believe you already have a strong basis in place, but you may want to look at the ISSAP from (ISC)2. This certification is intended specifically for architects.

https://www.amazon.ca/Official-ISC-Guide-ISSAP%C2%AE-Second/dp/1466579005/ref=pd_bxgy_img_2/133-1081...

Architecture is a strange animal, as one also has to consider the business side to develop one effectively. Try:

https://www.amazon.ca/Enterprise-Security-Architecture-Business-Driven-Approach/dp/157820318X/ref=as...

Also, I would do some investigation of the various models available to determine which applies to your needs or organization.

 

@Caute_cautim any advice for Ahmed?

 

Best regards

 

Diana

 

 

Caute_cautim
Community Champion

@dcontesti @ahmed_akl Diana is absolutely correct. The key thing here is that you must become a consultant and a good communicator, have the ability to solve problems and, importantly, translate them back and forth depending on the readership. This means developing over time a set of skills, which include consulting, communications, presenting, solving problems, and being able to write and articulate your ideas clearly and concisely. These are lifetime skills that you need to develop. There are several means and methods of doing this: go to the Open Group web page, known for TOGAF: https://www.opengroup.org/

 

The key here is the ability to understand how a business functions, and being able to translate a business problem into a technical issue or vice versa. This takes practice, and there is no magic bullet that will make you a magician.

 

I would say to you at the outset that I was fortunate to do a Soft Thinking course at the Open University in the UK, which helped me tremendously to move away from being a serious technology geek to thinking about how things really work: https://www.ukessays.com/essays/information-systems/soft-systems-methodology.php

 

https://www.burgehugheswalsh.co.uk/Uploaded/1/Documents/Soft-Systems-Methodology.pdf

 

I was fortunate to be lectured by Peter Checkland, the originator of the Soft Systems Thinking Methodology, which helped me think totally differently about the world around me and to ask the important questions.

 

My thoughts are that you can attend courses, but you really need to get into a coaching/mentoring relationship to assist you. Being a mentor myself as part of my professional give-back responsibilities, it is about guiding and introducing people to architectural design as a discipline. Now add security from a Governance, Risk and Compliance perspective, and apply the ISSAP, which helps you to fully understand the level required within security architecture and the depth of knowledge you need, so you can really stand up to the C-series, who are asking why they should pay for your advice, why they should be listening to you, etc.

 

I am lucky enough to belong to an organisation which produces methodologies and applies them, with full acceptance of and alignment with the Open Group certifications. From experience, following a methodology like SABSA, or the Zachman framework within security, provides a reference and an approach to solving problems.

 

But remember that you have to apply it; don't just follow a methodology by rote, because life in reality cannot afford for you to dot every i or cross every t. You have to learn what is practical, remembering that certain work products are also about protecting your own credibility and integrity. You have to make decisions, and you have to do this in an informed way. So essentially you will need to record your Risks, Assumptions, Issues and Dependencies (RAID) in a RAID log, or what we call a Viability Assessment, and the other one is recording your Architectural Decisions as mandatory items, which protect you and your company, as people change their minds or backtrack to trap you or tip you upside down.

 

You absolutely need to know how to articulate and obtain the real business requirements. My thoughts along that line are to look at Design Thinking (https://en.wikipedia.org/wiki/Design_thinking) and put the onus on the organisation, the business people with the problem, to illustrate and articulate their problems, along with the emotional baggage they can contain as well. Do it as a workshop and get them involved from the outset. Also ensure you fully understand the scope of the project; make sure you document it clearly, so the client cannot then come back to you and state "but I thought this was in scope", etc. Draw visually, using architectural tools, or as many do use Visio, or learn a discipline such as UML. This is essentially where you become both a consultant and an architect.

 

https://en.wikipedia.org/wiki/Unified_Modeling_Language 

 

It is a journey, so don't expect the ISSAP concentration to teach you these skills, but it will definitely make you think about solving problems for security, risk, identity and access management, etc.

 

I hope this helps.

 

Regards

 

Caute_cautim

ahmed_akl
Newcomer I

Thank you @Caute_cautim and @dcontesti for your very helpful replies.