Career roadmap

Security Architect

How to become a Security Architect — the senior technical role that designs secure systems end-to-end, typically £85k–£140k in UK enterprise.

Year-by-year milestones

  1. Year 0Senior Security Engineer (prerequisite path)£70k–£90k

    Hands-on engineer with 5+ years across cloud, IAM, network, or appsec.

  2. Year 1–2Security Architect£85k–£110k

    Own reference architectures, threat-model new services, partner with engineering leads, sit on Architecture Review Board.

  3. Year 3–5Senior / Principal Security Architect£110k–£150k

    Define security strategy across business units, lead architecture community of practice, mentor architect cohort.

  4. Year 5+Chief Security Architect / Distinguished Engineer£140k–£200k+

    Set 3–5 year technical security direction, brief board, represent the firm at industry standards bodies.

Security Architects own the secure design of systems, products, and platforms. They write reference architectures, threat-model new services, choose controls, and translate business risk appetite into technical patterns. The role splits roughly into Enterprise Security Architect (org-wide patterns, TOGAF/SABSA flavour) and Solution / Product Security Architect (per-system depth). ## Career milestones ### Year 0 — Senior Security Engineer (prerequisite path) _Salary: £70k–£90k_ Hands-on engineer with 5+ years across cloud, IAM, network, or appsec. ### Year 1–2 — Security Architect _Salary: £85k–£110k_ Own reference architectures, threat-model new services, partner with engineering leads, sit on Architecture Review Board. ### Year 3–5 — Senior / Principal Security Architect _Salary: £110k–£150k_ Define security strategy across business units, lead architecture community of practice, mentor architect cohort. ### Year 5+ — Chief Security Architect / Distinguished Engineer _Salary: £140k–£200k+_ Set 3–5 year technical security direction, brief board, represent the firm at industry standards bodies. ## Core skills - Threat modelling (STRIDE, PASTA, attack trees) - Reference architecture authoring - Cloud-native patterns (zero trust, BeyondCorp, defense in depth) - Cryptographic design (KMS, HSMs, mTLS, post-quantum readiness) - Network segmentation and east-west controls - Identity architecture (OAuth 2.0, OIDC, SAML, SCIM, FIDO2) - Risk-quantified decision making - Technical writing and ARB facilitation ## Recommended certifications - `cissp` - `ccsp` - `aws-security` - `azure-security` ## First 90 days in the role Read the last 12 months of your firm's architecture decision records (ADRs). Sit in on every ARB. Pick one high-risk service and produce a threat model that proposes 3–5 control improvements with business justification. ## Common pitfalls Becoming an ivory-tower architect. The architects who get promoted ship reference implementations, not just diagrams. Build a working sample of every pattern you propose.

Frequently asked questions

SABSA, TOGAF, or neither?

SABSA is the security-specific architecture framework; TOGAF is the general enterprise one. UK enterprise (banks, insurers, public sector) heavily favours SABSA Foundation.

Do Security Architects code?

Senior architects read code fluently and ship proof-of-concepts. They do not own production code, but 'I don't code' will cap you at mid-level.

Is the role being absorbed by Platform Security?

Partially in cloud-native scale-ups. In enterprise (banks, insurers, healthcare, public sector) Security Architect remains a distinct, growing role.

Can I go straight from engineer to architect without a senior engineer stint?

Rarely. ARBs need 5+ years of scar tissue to take you seriously.

Map your own roadmap

Get a personal gap report, AI Career Twin and practice keyed to your target band.

Start free
// related