In the piece I wrote in December ("What the Sony breach means for security in 2015"), I noted that while a good CISO is important; great security architects are critical. While a CISO may get the glory; security architects are what most organizations need.About 95 percent of the firms in the U.S. are small-to-midsize businesses. These small firms with even smaller IT departments can\u2019t afford to burn an FTE slot on a CISO. They need a security architect or engineer, who can also hopefully provide security, privacy and risk management leadership. The bottom line is that good security design goes a very long way.With that, I\u2019d like to expand on the role of the cyber security architect.So what exactly does a cyber security architect (CSA) do? An architect is defined as a person who plans, designs and oversees the construction of buildings. To practice architecture means to provide services in connection with the design and construction of buildings and the space within the site surrounding the buildings.With a bit of license, a CSA can be defined as the person who plans, designs and oversees the information security components of networks, systems and applications (software). The CSA provides key constituent stakeholders with effective architectural guidance to apply a consistent set of information security principles, mechanisms and guidelines to ensure that the data, applications and devices are secure.The CSA will know the firm\u2019s business and technology drivers, security risk management strategy, risk assessment philosophy and the various technology components of its IT infrastructure, and provide technical security leadership. A good CSA will be seen as the firm\u2019s trusted security adviser.When designing a physical structure, the architect knows the component parts of the edifice, including electrical, plumbing, zoning laws, room size requirements, materials, and much more. The architect is not necessarily an expert in every area, but has the fundamental knowledge of all of them.Similarly, an effective CSA will be a jack-of-all-trades in information security, and master of a few. Some of the areas in which the CSA needs to provide oversight are:Risk managementSecurity engineeringSecure coding and secure software developmentAccess control and authenticationAnti-malware protectionLaws, standards and regulationsNetworks, routing, switching and network securityCryptography, encryption and key managementOperating systems and system securityIntrusion detection and change detectionIncident responsePolicies and proceduresHacks, attacks and defenseBusiness continuity planning (BCP) \/ disaster recovery planning (DRP)Physical securitySome of the responsibilities that a CSA will have include:Designing, reviewing and approving security configurations,Design and installation of security hardware and software such as VPN, firewalls, router, IDS, etc.Reviewing policies and proceduresHere\u2019s an example: A firm has created its environment around open source tools and frameworks, such as Groovy, Nginx, Git, Python, Atlassian, built on Amazon using their services such as AWS, RDS, ElastiCache, SES, Route 53 and more. It\u2019s the CSA who will be able to provide advice on how to securely use these technologies.The CSA needs to be there to identify areas where things may go wrong. From the architecture, software coding, poor cryptographic selections, and more, the CSA needs to be the one who is asking the right questions.Ben Tomhave, principal at Falcon\u2019s View Consulting, suggests that hiring a cyber security architect is a great starting point for SMBs, so long as the hiring organization provides them with the support and authority necessary to be effective. Most CSAs will need to balance the goal of designing and building the most secure environment possible against the costs and benefits, as well as helping to ensure that business, contractual and regulatory requirements are clearly understood and incorporated into all design decisions. A savvy CSA will help organizations optimize their security spend, limiting the number of tools and practices to those that maximize the desired risk management objectives without exposing the business to undue liability.As for the cloud, a CSA is equally crucial. Cloud service providers have significant economic incentives to maintain levels of security that are often financially or politically unaffordable to other organizations. That gives a firm an incredible foundation to build on; but if they fail to design an architecture tuned for the cloud platform they will be deploying, the odds are high that they\u2019ll actually increase their security risk. Rich Mogull of Securosis notes that architecture is inarguably the most important factor when moving to the cloud.He also notes that on the upside, as cloud providers continue to offer new features, firms can also take advantage of these for transformative security architectures. It\u2019s actually quite common to do things such as deploy throwaway servers with minimal network access and no SSH or other remote administrative access; leverage PaaS to wipe out common database exposures, and even use a cloud message queue and new deployment patterns to completely isolate sensitive application workers.When it comes to the cloud, it\u2019s truly about the economics. The cloud provider wipes out the lower level, highly expensive security costs, which frees an organization to focus more on securing their applications. And that, for the most part, comes down to architecture.Show me the architectThe Cisco annual security report states that modern threats are capable of infecting mass audiences silently and effectively, not discriminating by industry, business size, or country. That\u2019s the new reality every firm is dealing with. That means every firm, everywhere, needs a CSA.Ben Rothke CISSP is a Senior eGRC Consultant with Nettitude, Inc. and the author of Computer Security: 20 Things Every Employee Should Know.