Inside the mind of a security architect

Categories: Architecture, DWP Digital, Security, Work-life balance
Sam Hehir

I’ve worked in security for around 12 years, having started my career as a Java programmer working on integrations for service orientated architectures. It seems funny to me now, but a lot of the principles I learned then are coming back to haunt me now, in terms of security considerations in a move to a microservices, event-driven architecture.

My life is a busy one. I share custody of my 2 young children, so achieving a healthy work-life balance can be difficult. In my spare time I like to compete in triathlons, so balancing work, spending time with the kids and getting out for a bike ride or a run is challenging! I’m also a Newcastle United supporter, so I’m used to disappointment in that area of my life!

I joined DWP Digital 2 weeks before the first lockdown, working in the Health Product Delivery Unit. To say I had a baptism of fire is an understatement. However, the technology enabling me to work from home has been nothing short of amazing.

Having worked in central government previously, I was aware that some tools such as Slack and Microsoft Teams might be off limits, but this isn’t the case in DWP Digital. I’ve found that collaborative working across the team has been equivalent to my time in a startup and my team are incredibly supportive. I feel as if I have access to some of the best brains in the business.

What does a security architect do?

I help design and review controls for a system and review how likely it is to be attacked. It’s about proportion and implementing security controls that are cost effective. You have to have various skills and a broad knowledge. I might be talking about a quantitative risk assessment in one meeting, scoring the risk, then moving to another to discuss how best to secure some microservices via mutual Transport Layer Security (protocols designed to provide communications security over a computer network). Or I might be advising on what risk to accept when a new vulnerability has been found in a Docker base image. So it’s really important for me to keep up to speed with changes and innovations in security.

The National Cyber Security Centre (NCSC) advise that we should work to 4 key design principles:

  • making compromise difficult
  • making disruption difficult
  • making compromise detection easier
  • reducing the impact of compromise

And in summary that’s what my job is!

What does a typical day look like?

Security has always had the 'bad guy' image of saying “no” to everything, but I’ve found this to be the opposite in DWP Digital. We’re trying to move our applications to a DevSecOps approach, a methodology that works within an agile framework to break projects into smaller chunks. We’re deploying continuously and looking to shift left with our security functions, closer to the application code in a hybrid/multi-cloud environment.

Typical activities might be:

  • looking at field-level encryption for a NoSQL DB
  • scoping IT health checks
  • performing a risk assessment on a new collaboration tool
  • reading documentation on how best to move the security architecture forward. For example: Is gRPC more secure? Why? What does a zero trust model mean for us? How are we going to go about implementing it?
  • how are we patching? What is our vulnerability status? How do I communicate that?
  • presenting to a Design Authority that the solution is proportionally secure
  • making sure that no personal information is out there in our open code

What makes security in DWP Digital different?

From a security perspective, the technology we’re using is leading-edge. Containerisation, continuous integration (CI) and continuous delivery (CD) pipelines, GitOps and multi/hybrid cloud all present new security challenges and paradigms.

I like to think of it as the Netflix of citizen-based services. If you can order a movie on demand you should be able to do the same with our services. We want to make claiming equally simple, transparent and secure.

Join us!

I can’t recommend working in security at DWP Digital highly enough. There’s a great balance of challenge and support. I’m not sure that joining any other organisation so close to a national lockdown would have been so easy! The support I’ve had from my line manager and team was amazing and the equipment I’m provided with has enabled effective remote working over the last few months.

I can manage my work-life balance well and explore leading-edge technology from a security perspective. I feel DWP Digital really has a startup mentality and an agile and innovative approach – but on a massive scale.

If you know your CISSP from your CRISC, your GDPR from your CVSS, your AWS from your Azure, aren’t afraid of typing “kubectl” into a command line and want to push the security boundary of what is possible, have a look at our latest vacancies and come join us!


Sharing and comments


  1. Comment by Andy posted on

    Nice blog Sam and really glad you are enjoying it

  2. Comment by Lauren posted on

    Great blog Sam. Glad to see you have settled in well.

  3. Comment by Mark posted on

    Great read Sam and interesting to read about the work life balance side of things as well as the interests outside of work.

    I'm sure I'm not alone in having to google what 'kubectl' meant to ensure it wasn't a typo. I also confess I then had to google the answer to the first google as the response of 'The Kubernetes command-line tool, kubectl, allows you to run commands against Kubernetes' still didn't make sense to my inner geek 🙂

    • Replies to Mark

      Comment by Sam posted on

      Within DWP we are actively exploring ways to explore hybrid and multi-cloud.

      Kubernetes is an orchestration layer that can help run containers (kind of lightweight virtual machines .. ish .. that kind of abstract away from the traditional hardware layer)

      It “can” help create cloud and on prem environments that have little to no downtime.. and there are loads of security paradigms that come into play.

      Probably by typing your question into google you were in some way invoking a Kubernetes cluster in the back end!

      The “kubectl” command is used to manage and orchestrate those clusters

      Hope that helps the inner geek!

  4. Comment by Umeshwer Singh posted on

    The Kubernetes command-line tool, kubectl, allows you to run commands against Kubernetes clusters. It can also be used to deploy applications, inspect and manage cluster resources, and view logs.