The Architect’s Dilemma: Why Security Design Keeps Failing (and How to Fix It)

Most security architects are not actually doing architecture. They are doing assurance work, following checklists, and hoping standards will save them. But as systems get more complex and attackers get faster, that approach is no longer good enough.

In this episode of Secured, Cole sits down with Ken Fitzpatrick, founder of Patterned Security and creator of securitypatterns.io, a resource built during the lockdown years that has since grown into one of the clearest frameworks for designing meaningful, context-aware security architecture.

Ken shares why so many architects fall into the trap of compliance thinking, how security design becomes a tick box exercise, and why threat modeling without understanding context is pointless. They unpack the four foundational steps every architect should follow, why traceability matters more than ever, and how modern teams can stop copying best practice and start solving the real problems in front of them.

The conversation also digs into secure by design in different industries, why the term has lost its meaning, and how modern defensible architecture is resetting expectations for what good looks like. Cole and Ken also dive into AI and its impact on the architecture function, separating hype from reality and exploring which roles are at risk as AI improves.

If you work in engineering, architecture, AppSec, risk, or are building a product and want a practical way to think about secure design, this is an episode you should not miss.

00:00 – Intro
00:48 – Chainguard Ad
01:20 – Meet Ken Fitzpatrick and Patterned Security
02:19 – How a cancelled Canada trip sparked securitypatterns.io
04:08 – Why architecture needs practical guidance, not more frameworks
05:18 – The four step method for real security architecture
07:23 – Moving beyond box ticking and why engineering experience matters
09:39 – Teaching architecture fundamentals and selecting the right controls
11:37 – Traceability and making defensible design decisions
13:14 – Architecture vs assurance and who securitypatterns.io is for
16:31 – Embedding secure by design into PMO processes and scale up use cases
19:58 – What secure by design means across different industries
23:05 – Inconsistent definitions in security and the need for clarity
23:50 – Modern defensible architecture and Zero Trust guidance
24:44 – AI’s role in architecture and which tasks get replaced
28:25 – AI in AppSec and reducing false positives with context
30:24 – AI sales bots, hype cycles, and the loss of human reciprocity
33:28 – Ken’s call for collaboration on repeatable architecture patterns
34:28 – Closing and how to connect with Galah Cyber

🐙 Secured is grateful to be sponsored and supported by Chainguard.
Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Get your free CVE Reduction Assessment at dayone.fm/chainguard and start shipping software with confidence.