
Interview With Arthur Chavez – President, Chief Security Architect at ISAUnited by Shauli Zacks

Shauli Zacks

Published on: April 16, 2025
Content Editor

SafetyDetectives recently spoke with Arthur Chavez, President, Chief Security Architect, and Technical Master Fellow at ISAUnited.org, to explore the evolving role of security architecture in today’s complex digital landscape. Arthur Chavez began his career in IT support and infrastructure, gradually transitioning into cybersecurity and later becoming a leader in architectural design. As one of the founding members of ISAUnited, Arthur champions the principles of security-by-design and works to advance the discipline through standards, mentorship, and a focus on practical, systems-based defense.

Can you share your personal journey in cybersecurity and what led you to your role at ISAUnited?

My journey in technology began in 1994, starting on the IT help desk. That role taught me the fundamentals of user support and system troubleshooting. From there, I progressed into server and network administration, where I developed a deep technical foundation managing infrastructure and enterprise systems.

As cybersecurity began gaining prominence, I recognized the need to secure the systems I had spent years maintaining. I made a purposeful transition into cybersecurity, starting as a cybersecurity engineer. That phase of my career focused heavily on system hardening, control implementation, and hands-on defense. Over time, my role evolved into that of a security architect. I have been responsible for designing secure enterprise environments, aligning technical defenses with broader organizational strategies, and mentoring others within the discipline.

I became one of the original members of ISAUnited.org, the Institute of Security Architecture United. What started as a professional community dedicated to advancing the discipline of security architecture grew into something much more. That involvement led to the opportunity to serve as the organization’s President and Chief Security Architect. In that role, I help lead our efforts to define modern security architecture standards, promote security-by-design principles, and support the growth of cybersecurity engineers and architects who want to do more than follow compliance—they want to design security that works.

What is ISAUnited’s mission, and how does the organization support professionals in the cybersecurity field?

ISAUnited’s mission is to advance the discipline of security architecture and engineering by developing defensible standards, promoting security-by-design, and supporting the professional growth of those who work at the intersection of technology, design, and cybersecurity.

We operate as a member-driven organization, a core part of our identity. Members are not just passive participants—they help shape the future of the field through active involvement in Task Groups, where they contribute directly to the development of standards, research papers, licensing criteria, and more. This hands-on participation gives members a sense of ownership and a platform to bring their expertise.

ISAUnited exists for professionals who want to move beyond compliance and become the architects of secure, resilient systems—by contributing, leading, and shaping the future of cybersecurity architecture and engineering.

Security architecture is often misunderstood or undervalued in broader cybersecurity conversations. How do you define it, and why is it so critical today?

Security architecture is the strategic design of secure systems and environments—and it forms the core of any well-structured enterprise architecture. It is about how all the technical components and systems work with security controls and principles and how their connections form a defensible structure against threats. It is not just about individual tools or configurations—it is about understanding the entire system, identifying exposures, and ensuring the proper controls are in the right places by design, not by reaction.

What often gets misunderstood is that security architecture is not purely theoretical—it is profoundly technical and requires a high level of systems thinking. It asks questions such as: How does data flow between components? Where are the trust boundaries? What happens if one layer fails?

In today’s environment—with increased cloud adoption, decentralized applications, API-driven ecosystems, and the rise of AI—security architecture is more critical than ever. Complexity is growing, and with it, the attack surface. We need professionals who can step back, look across the system, and build security into the foundation, not just apply patches after the fact.

Without security architecture, organizations drift into “tactical hell”—a reactive cycle of chasing threats with tools but lacking a unified, defensible design. At ISAUnited, we treat security architecture as a discipline—with its principles, methods, and standards—and we believe it should sit at the core of any serious cybersecurity program.

One of your pillars is “security-by-design.” In practical terms, how can companies integrate this mindset early in their development process?

Security-by-design starts with treating security as a core design requirement, not an add-on. Companies must bring security architects and engineers into the planning process from day one. When teams make security part of their system’s foundation, they reduce long-term risks and avoid costly redesigns later.

To put this mindset into practice:

  • Conduct threat modeling during the earliest design phases to uncover potential risks before writing code.
  • Define secure design patterns and guardrails that development teams follow consistently.
  • Integrate architecture reviews in the development lifecycle so teams catch weaknesses early—not during production.
  • Use secure-by-default infrastructure templates when provisioning cloud resources or building CI/CD pipelines.
  • Promote cross-functional collaboration, where security works alongside development and operations instead of reacting to them.

When companies adopt this approach, they build systems secure by intent, not just by inspection. Security-by-design helps businesses move faster because they have already anticipated and addressed the risks.

What are some common gaps or mistakes you see organizations make when it comes to building secure architectures from the ground up?

Organizations’ most common mistake is treating security as a series of isolated fixes instead of a unified design discipline. They deploy tools, enforce policies, and run audits—but never establish a cohesive architectural foundation. As a result, they end up with fragmented environments, weak trust boundaries, and unnecessary complexity.

Here are a few consistent gaps I often encounter:

  • Lack of technical architectural security standards—teams build quickly but do not follow consistent engineering design practices and principles.
  • Poor visibility across environments, especially in hybrid or multi-cloud setups where teams lose track of exposed assets.
  • Failure to address privilege and access control at the architectural level leads to lateral movement and escalation risks.
  • No precise mapping between business risk and technical controls creates misalignment and inefficiencies.
  • Skipping architectural reviews—organizations rush to deploy tools but do not evaluate the security posture of their design until something breaks.

Many organizations also over-rely on vendor tools, assuming those tools alone provide adequate protection. However, even the best tools cannot compensate for weak designs without defensible architecture.

If teams build from the ground up with architecture in mind, they can embed control points, enforce segmentation, and reduce attack surfaces by design—not by default. That is what separates secure organizations from reactive ones.

How do you see the role of security architects evolving with trends like AI, zero trust, and increased cloud adoption?

Security architects are no longer just technical advisors—they are becoming strategic designers who guide how systems are built, integrated, and defended. Their role now requires a proactive mindset and the ability to influence business and technical decisions.

With AI, architects must design systems that protect machine learning models, data pipelines, and automated decision-making processes. They must secure API interactions, detect anomalies, and address risks like data poisoning or unauthorized model access before they cause damage.

With zero trust, architects take the lead in creating environments where no user, device, or system receives implicit trust. They design identity-driven architectures that enforce authentication and authorization across every layer—from the network to applications to data access. They must build trust boundaries in the architecture itself.

As cloud adoption expands, architects face increased complexity. They must design secure, scalable environments for decentralized services, third-party integrations, and multi-cloud infrastructure. They define shared responsibility models, enforce consistent security controls, and eliminate blind spots before they are exploited.

Across all of these trends, security architects must operate with a systems mindset. They guide engineering teams, design secure workflows, and build resilient environments ready for change. The more complex the environment becomes, the more essential the security architect is.

Closing

At ISAUnited, we support security architects and engineers in meeting these challenges by focusing on defensible design, professional licensing, and engineering-based standards that support real-world architectures.
