In today’s interview, Art Chavez, President of ISAUnited, shares the journey of the organization from its beginnings as IT Alliance in 2019 to becoming a global leader in cybersecurity architecture and engineering. Speaking with Website Planet, he explains how ISAUnited’s Defensible 10 Standards set a new benchmark for practical, auditable security, how their Professional Licenses maintain rigor in a fast-changing threat landscape, and how the institute integrates security by design into its programs. Art also discusses ISAUnited’s strategy for scaling impact globally while preserving the depth and quality of mentorship, research, and community-driven standards development.
How did ISAUnited begin in 2019 and how has its mission and scope evolved since then?
ISAUnited began in 2019 as IT Alliance, a practitioner-led forum created to reset how IT and cybersecurity teams communicate and collaborate so organizations could deliver secure systems more efficiently. As the community grew, interest concentrated around cybersecurity architecture and engineering (CAE), and we formalized that focus by adopting the name Institute of Security Architecture United (ISAUnited.org).
From there, our mission sharpened: advance the profession through a structured, engineering-driven approach grounded in clarity, discipline, and practicality. Today, ISAUnited operates as both a technical standards and learning institute, driving defensible architecture, hands-on education, and professional licensing that yield measurable and auditable outcomes. Our latest evolution is our commitment to grow as a standards-development organization (SDO) for cybersecurity architecture and engineering, and we’re proud of that accomplishment.
What makes ISAUnited’s “Defensible 10 Standards” unique compared to other cybersecurity frameworks?
ISAUnited’s Defensible 10 Standards are unique because they’re engineered for building and proving security—not just checking boxes. Each standard follows a clear lifecycle—from defined inputs, through concrete technical specifications and verification, to flow-downs that drive day-to-day operations—so teams know precisely what to build, how to validate it, and how to sustain it over time. That engineering-first discipline makes the work repeatable, auditable, and ultimately defensible.
We also align our standards with ISO and NIST, but we treat them as foundational, broad-stroke guidance rather than the destination. ISAUnited delves deeper into the craft, exploring the configurations, integration methods, and operating practices that establish a true “gold standard” for how practitioners work and how organizations operate. By keeping architecture primary and mapping control catalogs into that architecture—rather than the other way around—we help organizations narrow vulnerabilities, reduce real attack opportunities, and achieve measurable improvements in resilience.
How does ISAUnited ensure that its certifications like CPL (Professional Licenses) maintain both rigor and relevance in fast-changing threat environments?
We anchor our licensing to practice—not test prep. We’re not a “read and memorize a book for two weeks and take a multiple-choice test” program. Cybersecurity Professional License (CPL) candidates don’t pass a quiz; they demonstrate capability through a portfolio of applied work and a capstone reviewed by an institute committee. This evaluation-based approach verifies how a practitioner reasons about risk, designs and integrates controls, and proves results—the hallmarks of real engineering.
Our rigor remains current because the Defensible 10 Standards serve as the backbone of everything we teach and evaluate. Those technical standards are reviewed, challenged, and updated annually; they reflect how we study vulnerabilities and threats, as well as how we expect engineers to work on a day-to-day basis. As the standards evolve, our competency rubrics and course materials evolve in lockstep, ensuring that license requirements always mirror the current state of the practice, not last year’s syllabus.
Relevance is reinforced through renewal. License holders periodically demonstrate current practice—updated designs, improved pipelines, and measurable outcomes—so the credential signals ongoing proficiency. We recognize diverse, high-signal experiences, including formal degrees, military service, and substantial real-world engineering outputs, all of which count, provided they meet our standards for clarity, discipline, and practicality.
In what ways do you integrate security by design and enterprise architecture principles into the learning programs and standards you offer?
We start with principles, not tools, and we make them consistent. Cybersecurity principles have too often been cherry-picked or renamed, which fragments the craft. ISAUnited has adopted and refined a clear, cohesive set of core principles for security-by-design and enterprise architecture, then embedded them across everything we do: our Defensible 10 Standards, our curricula, our evaluations, and our mentorship. That provides practitioners with a common language and a disciplined approach to working—clarity of intent, discipline in execution, and practicality in outcomes.
From there, we operationalize the principles through an architecture-first lifecycle. Learners and teams move from requirements to design decisions to verification, using the same structured templates and flow-downs they’ll use on the job. Case work and capstones mirror real enterprise contexts from component to system to system-of-systems—so decisions are tied to business objectives, constraints, and traceable evidence. The result is a unified experience. Whether you’re a student, early-career entrant, or seasoned professional tackling a complex project, you encounter the same principled approach, the same terminology, and the same engineered path from design intent to defensible results.
How does ISAUnited plan to scale its impact globally while preserving the depth and technical quality of mentorship, research, and volunteer task-group contributions?
We’re scaling through a Fellow Ambassador model, respected practitioners in each region who grow local communities, mentor candidates, and surface on-the-ground lessons we call the good, the bad, and the ugly. Their role is to keep us honest about what’s working in the field today and what’s coming tomorrow, and to channel that insight into ISAUnited’s global standards, education, and licensing.
To expand participation without diluting rigor, we run an annual “Open Season” for the Defensible 10 Standards. Practitioners across Cyber, IT (including cloud), and Software Development, as well as members and non-members alike, are invited to propose and develop engineering sub-standards that extend each D10S parent standard. Fellow Ambassadors organize and encourage their regional communities to participate, while our Technical Fellow Society centrally reviews, harmonizes, and publishes versioned updates with clear migration notes.
Mentorship and research scale by design, not by speed. Candidates submit real artifacts against familiar checklists; trained reviewers deliver high-signal feedback; and accepted work becomes reference implementations and teaching cases that others can adopt. This loop enables us to grow globally—broadening our voices and reach—while preserving the depth and discipline that define ISAUnited.
Jennifer Goforth Gregory can almost always be found writing content for B2B technology companies, rescuing dachshunds from local shelters, refereeing teenage drama in her house or drinking as much Diet Mountain Dew as possible. After years of swearing she wouldn’t ever write a book, Jennifer gave in to pressure from her friends and family and published a bestselling book for freelance writers – The Freelance Content Marketing Writer: Find Your Perfect Clients, Make Tons of Money and Build a Business You Love.
Thank you, - your reply was submitted successfully!your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
