Cookies on Government Digital and Data Profession Capability Framework

We’d like to use analytics cookies so we can understand how you use the framework and make improvements.

We also use essential cookies to remember if you’ve accepted analytics cookies.

View cookies
Skip to main content

Beta Complete our 3 minute feedback survey to help us improve the framework.

Security architect

Find out what a security architect in government does and the skills you need to do the role at each level.

Last updated 31 May 2024 — See all updates

Contents

What a security architect does

A security architect designs and builds secure solutions.

Security architect role levels

There are 3 security architect role levels, from security architect to principal security architect.

The typical responsibilities and skills for each role level are described in the sections below. You can use this to identify the skills you need to progress in your career, or simply to learn more about each role in the Government Digital and Data profession.

1. Security architect

A security architect creates and designs security for a system or service, maintains security documentation and develops architecture patterns and security approaches to new technologies.

At this role level, you will:

  • recommend security controls and identify solutions that support a business objective
  • provide specialist advice and recommend approaches across teams and various stakeholders
  • communicate widely with other stakeholders
  • advise on important security-related technologies and assess the risk associated with proposed changes
  • inspire and influence others to execute security principles
  • help review other people’s work

This role level is often performed at the Civil Service job grade of:

  • HEO (Higher Executive Officer)
  • SEO (Senior Executive Officer)
Skill Description

Analysis

Level: working

Working is the second of 4 ascending skill levels

You can:

  • apply the approach to real problems and consider all relevant information
  • apply appropriate rigour to ensure a full solution is designed and achieves the business outcome

Communication (security architect)

Level: practitioner

Practitioner is the third of 4 ascending skill levels

You can:

  • demonstrate a deep understanding of security concepts and can apply them to a technical level
  • effectively translate and accurately communicate security and risk implications to technical and non-technical stakeholders
  • successfully respond to challenges
  • manage stakeholder expectations and be flexible, adapting to stakeholder reactions to reach consensus

Designing secure systems

Level: working

Working is the second of 4 ascending skill levels

You can:

  • design and review system architectures through the application of patterns and principles

Enabling and informing risk-based decisions

Level: working

Working is the second of 4 ascending skill levels

You can:

  • work with risk owners to advise and give feedback
  • advise on risk impact and whether it's within risk tolerance
  • describe different risk methodologies and how these are applied, as well as the proportionality of risk

Research and innovation

Level: working

Working is the second of 4 ascending skill levels

You can:

  • advise on developments to security properties in technology
  • identify new technologies and design their use in a business context

Security technology

Level: working

Working is the second of 4 ascending skill levels

You can:

  • demonstrate knowledge of system architectures
  • understand and articulate the impact of vulnerabilities on existing and future designs and systems, and can articulate a response
  • demonstrate broad knowledge of a range of systems, but may specialise in one

Understanding security implications of transformation

Level: working

Working is the second of 4 ascending skill levels

You can:

  • interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist the development of technical solutions or controls

2. Lead security architect

A lead security architect undertakes complex work of a high risk level, often working on several projects.

At this role level, you will:

  • interact with senior stakeholders across departments
  • reach and influence a wide range of people across larger teams and communities
  • research and apply innovative security architecture solutions to new or existing problems and be able to justify and communicate design decisions
  • develop vision, principles and strategy for security architects for one project or technology
  • work out subtle security needs
  • understand the impact of decisions, balancing requirements and deciding between approaches
  • produce particular patterns and support quality assurance
  • be the point of escalation for architects in lower grade roles
  • lead the technical design of systems and services

This role level is often performed at the Civil Service job grade of:

  • G7 (Grade 7)
  • G6 (Grade 6)
Skill Description

Analysis

Level: practitioner

Practitioner is the third of 4 ascending skill levels

You can:

  • monitor the analysis of a technical solution and ensure analysis is reused for similar problem sets
  • review solutions and identify areas for change
  • drive the collection of information that is used and analysed
  • feed back on policy and requirements

Communication (security architect)

Level: practitioner

Practitioner is the third of 4 ascending skill levels

You can:

  • demonstrate a deep understanding of security concepts and can apply them to a technical level
  • effectively translate and accurately communicate security and risk implications to technical and non-technical stakeholders
  • successfully respond to challenges
  • manage stakeholder expectations and be flexible, adapting to stakeholder reactions to reach consensus

Designing secure systems

Level: practitioner

Practitioner is the third of 4 ascending skill levels

You can:

  • design and review system architectures through the development of patterns and principles

Enabling and informing risk-based decisions

Level: practitioner

Practitioner is the third of 4 ascending skill levels

You can:

  • work with higher impact or more complex risks, advising on the impact and whether it's within risk tolerance
  • apply different risk methodologies in proportion to the risk

Research and innovation

Level: practitioner

Practitioner is the third of 4 ascending skill levels

You can:

  • contribute to and inform developments on security properties in technology
  • identify new technologies and design the use of these in the business context across the organisation
  • engage with the broader security community

Security technology

Level: expert

Expert is the fourth of 4 ascending skill levels

You can:

  • demonstrate strong knowledge of system architectures
  • understand and articulate the impact of vulnerabilities on existing and future designs and systems, and how easy or difficult it will be to exploit these vulnerabilities
  • be recognised as an expert by peers in the broader security industry

Understanding security implications of transformation

Level: practitioner

Practitioner is the third of 4 ascending skill levels

You can:

  • interpret and apply understanding across a complex area
  • start influencing policy and process, business architecture, and legal and political implications

3. Principal security architect

A principal security architect works on services of high complexity and risk, making decisions to enable the business to achieve its needs.

At this role level, you will:

  • work on projects with high strategic impact, setting a strategy that can be used in the long term and across the breadth of the organisation
  • communicate with a broad range of senior stakeholders and be responsible for defining the vision, principles and strategy for security architects
  • recommend security design across several projects or technologies, up to an organisational or inter-organisational level
  • have a deep and evolving level of technical expertise, so you can act as an exemplar
  • make and influence important business and architectural decisions
  • research, identify, validate and adopt new technologies and methodologies
  • be a recognised expert and demonstrate this expertise by solving unprecedented issues and problems
  • further the profession, demonstrating and sharing best practice within and outside the organisation

This role level is often performed at the Civil Service job grade of:

  • G6 (Grade 6)
Skill Description

Analysis

Level: expert

Expert is the fourth of 4 ascending skill levels

You can:

  • provide direction and lead on change regarding factors that feed into analysis
  • monitor changes in the technical environment and assess whether risks are still at acceptable levels or whether previous decisions need to be revisited
  • direct and influence others on best practice and policy

Communication (security architect)

Level: expert

Expert is the fourth of 4 ascending skill levels

You can:

  • demonstrate expert understanding of security concepts and can apply them to a technical level, at the highest levels of risk complexity
  • effectively translate and accurately communicate security and risk implications at the most senior levels across technical and non-technical stakeholders
  • successfully respond to challenges
  • manage stakeholder expectations across high risk and complexity or under constrained timescales

Designing secure systems

Level: expert

Expert is the fourth of 4 ascending skill levels

You can:

  • lead design and review solutions to complex problems with system architectures by defining and challenging patterns and principles
  • create precedents and set direction

Enabling and informing risk-based decisions

Level: expert

Expert is the fourth of 4 ascending skill levels

You can:

  • act as a point of escalation
  • be trusted by senior risk owners as an expert in security
  • apply risk methodologies at the most complex levels of risk

Research and innovation

Level: practitioner

Practitioner is the third of 4 ascending skill levels

You can:

  • contribute to and inform developments on security properties in technology
  • identify new technologies and design the use of these in the business context across the organisation
  • engage with the broader security community

Security technology

Level: expert

Expert is the fourth of 4 ascending skill levels

You can:

  • demonstrate strong knowledge of system architectures
  • understand and articulate the impact of vulnerabilities on existing and future designs and systems, and how easy or difficult it will be to exploit these vulnerabilities
  • be recognised as an expert by peers in the broader security industry

Understanding security implications of transformation

Level: expert

Expert is the fourth of 4 ascending skill levels

You can:

  • challenge and lead changes to policy and processes to support business outcomes, business architecture, and legal and political implications
Role Shared skills
Data governance manager

Enabling and informing risk-based decisions

Updates

Published 7 January 2020

Last updated 31 May 2024

31 May 2024

  • The indicative job grades for the 'lead security architect' role level have been updated from 'SEO and G7' to 'G7 and G6'. This change is based on the latest data on the most common grades for these role levels across government.

31 July 2023

  • Security architect was moved to the new architecture role group.

30 August 2022

  • The ‘specific security technology and understanding’ skill has been renamed ‘security technology’ to ensure consistency across the DDaT Profession Capability Framework.

7 January 2020

  • First published.