What does a security engineer do?

[00:00:05] Chri Sienko: Welcome to the InfoSec career video series. This set of short videos will provide a brief look into cybersecurity careers and the experience needed to enter them. Today, I'll be speaking with InfoSec skills author Mike Meyers about the role of security engineers. So let's get into it. Welcome, Mike.

[00:00:21] Mike Meyers: Hey. How's it going, Chris?

[00:00:23] CS: Thank you for joining me today. So, Mike, let's start with the basics. What is a security engineer, and what does a security engineer do? What are the day-to-day tasks that people do?

[00:00:34] MM: Security engineer is a funny term, Chris, because it's more of a term that you see in a more mature organization. You tend not to see them in smaller organizations. So with change management, the security engineer is going to be the person going, “What are the security issues with our upgrade to this new operating system?” The security engineer is going to be the one. He's not going to be doing the penetration testing normally, but he's going to be administering it. He's going to be refereeing, and he's going to be dissecting the results of that stuff.

[00:01:09] CS: Setting the parameters of what it's for and things like that.

[00:01:12] MM: There you go. He's going to be the one who's going to be looking at your internal network and probably working with other security people. But the security engineer is going to define, okay, we're going to hire an intrusion prevention service come in, and they're going to start putting agents in our network and that type of stuff. Where do they go and why? What type of interfacing? What are we looking for? This is always the biggest question you get in security. What are we looking for to know badness has happened?

Like so many things in security, we know what the right answer to that question was five years ago. It's not so sure we know what the right answer is today. So they're going to be doing a lot of that stuff. I'm trying to think what other things. A security engineer might be working in terms of physical security. We need to put a guard here, and we need exterior cameras. So they, as a security engineer, will look outside of the pure IT and go into the perimeter as well. Then the last big thing that a security engineer is probably going to need to do is that if they're a security engineer for a particular company, if that company is writing code or building big databases, they have to have code security skills. They have to have database security skills.

Now, these are things that tend to get learned based on demand, based on the company you're working for. It's not at all uncommon, Chris, to see somebody who's been a screwdriver tech and has started to move up, and they're like, “We need somebody, security help.” In house, they can go in and start developing some skills there that make them attractive.

[00:02:58] CS: Okay. So, yeah, that's a really good distinction, especially when you think of someone who's like a security analyst who's just passively reading log files or just passively interpreting data. But at the engineer level, you're sort of deciding what all this means and how it all sort of ties together for your larger company.

[00:03:19] MM: The security engineer can often be a level two person for incident response. The analysts always take the grudge, right? But that security engineer in a good company, in my opinion, would hire internally and pull one of those people up.

[00:03:37] CS: Great. Well, that's perfect. So the next question, what how does one become a security engineer? It's obviously not an entry level position. But like what kind of experience type things do you need to sort of move into that comfortably? Also, what are some things you should be doing either on your job or outside of your job to show people, “Put me in. I'm ready to hit the next level here.”?

[00:03:58] MM: Well, I mean, certainly, a good, robust series of security certifications are always good. Chris, I tell everybody, the number one thing you can do to make sure you have a good job in IT is to have a bachelor's degree, okay? So I'm always a big push on the bachelor's degree. If you can't do a bachelor's degree, get a double A. Get a good associate's degree. Go to a good tech school. So those are important core pieces.

But even telling you that, Chris, demand is so ridiculously high right now for security people at any level that people who are classically possibly under qualified are being let in the door for jobs that traditionally they'd be blocked from, as long as there is an understanding that that person is going to come up to speed very quickly.

[00:04:51] CS: So you mentioned that you think a bachelor's degree is important. Is there a particular area of study that you recommend then also?

[00:04:58] MM: Not really.

[00:04:59] CS: Yeah. What are the certs?

[00:05:01] MM: It would be nice if you went with some kind of STEM degree. But I got to tell you, even Fine Arts people are getting in. But in terms of certifications, you’d probably be looking more at your security analyst type certifications. CompTIA is doing an amazing job providing core security skill sets that can be challenged via their certifications. Security+ CISSP, CySA, and maybe pen test have all proven themselves, it's certainly bang for the buck, are very, very attractive certifications these days and definitely a place I would go. I'd start that direction.

[00:05:48] CS: Moving aside from academic or certification requirements, what are some soft skills that security engineers need to do their job well?

[00:05:57] MM: Well, security engineers deal with a lot of people. As a security engineer, they're dealing with their analysts. They're going to be dealing with network engineers. They're going to be dealing with administrators. They're going to be dealing with governance folks. I mean, I just keep – The audit. It goes on and on. So good communication skills are so important. Because we're nerds, that's literally the hardest thing we have. That is –

[00:06:20] CS: Yeah.

[00:06:21] MM: I know lots of nerds –

[00:06:21] CS: Yeah, because you’re interfacing with people who aren't tech nerds, I imagine, a lot of the time. So you need to explain what you need from your C-suite or from your finance department or from other people in the company without using this sort of insider jargon.

[00:06:35] MM: Well, and that's the trick, right? Because usually, when I'm talking to somebody about technology, I pick three different levels, right? There's what I call the 10,000 feet cloud and boxes level.

[00:06:46] CS: There you go.

[00:06:46] MM: There's the give me enough facts because I've got to make a decision kind of level. There's the let's dismantle it and peel all the insulation off kind of –

[00:06:56] CS: Hope to poke every single piece of it. Yeah, yeah.

[00:06:59] MM: So as a security engineer, you have to be good at all three of those.

[00:07:03] CS: So where do security engineers work? Are there – It sounds like they're kind of everywhere. But you said that it's kind of like a mid-level or higher. If you're looking to be –

[00:07:11] MM: Mid-level or higher. Your little mom-and-pops, little small offices are not going to have network engineers. They can't afford them. Security engineers.

[00:07:19] CS: Or security engineers, yeah.

[00:07:20] MM: They can't afford them. So invariably, what will happen is as an organization begins to grow, they reach a point, usually because of a negative incident that took place that makes them recognize that they need somebody more of the security moniker. Keep in mind, security engineer is usually the first full-time security person to show up in any enterprise. Before that, you got nobody.

But after that, that's where you start seeing security architects. That's where you start seeing chief information security officers, that type of stuff. But it's the security engineer who tends to come in first, which is kind of cool because a lot of times as a security engineer, you have the ability to set the tone of the organization. Once an organization has a security, I call it tow, what's your attitude on security? Those are things that get very hard to change in an organization.

So you have a substantial amount of power, especially coming into a new organization that is looking to, for the first time, organize their security infrastructure properly.

[00:08:27] CS: Now, when you say mom-and-pop organizations can't afford a security engineer, do you mean that security engineers generally have a higher level of income, or that a mom-and-pop organization doesn't necessarily have enough yet for a security engineer to do in terms of –

[00:08:43] MM: I’d take a little column A and a little column B there. You got to keep in mind, Chris, that manage security providers like for my cloud stuff, I don't do any the IDS work or any of that. I pay somebody $25 a month, and I don't know who this – I could look it up for you and tell you. But if we actually have a denial of service attack or something like that, that's what I'm paying.

Now, there's a certain point where if my company got bigger and bigger, and we had our internal data centers and stuff like that, yeah, then I would start looking towards a security engineer. But early on, they're going to working – There's a lot of security engineers who work in the cloud, man. I tell you, if you were selling yourself as a security engineer, one of the top people who’s going to try to hire you is Amazon.

[00:09:37] CS: So what are some common tools that security engineers, whether they're proprietary or open source, like what do you need to sort of have a handle on to do this job well?

[00:09:48] MM: I don't think I could really list any particular. You need to be able to work with a number two Phillips screwdriver. No, I'm kidding. But, no, there's not anything really there. It's what come into your brain, and then you start to like stuff. As a security engineer, you tend to affect other people's choices in things. So SIEM type tools. One person is going to like this tool. Another person – But because you're the security engineer, you're the one who helps to define which tools are going to be used.

[00:10:22] CS: Just to sort of tease that out, it sounds like you need to know a little bit about what all the tools do without necessarily needing to be a master of any of them. Like you need to know when to use, to have someone else do something that requires, like you said –

[00:10:37] MM: But equally, you may not be the master of it. But either you have a master of that tool in house, or you can bring yourself up to speed very quickly.

[00:10:45] CS: Very quickly, okay.

[00:10:45] MM: You are fearless to attack that tool. What gets people in trouble with security engineer jobs is they get caught on technologies they weren't ready for. So it's not really the tool I'm worried about. What I'm worried about is one that got me not that long ago is I was trying to set up a mail server. But I was using this – The DNS was secure DNS, and I was like, “How hard could this be?” It’s hard, Chris. I mean, I’m writing PHP, DKIM listings into, oh, my God, forward look up zones. I'm literally starting to sweat. I’m having hard palpitations. But no one else was there to handle these security issues.

[00:11:35] CS: And you got it in the end.

[00:11:38] MM: Yeah, but I didn't know any tools. Do you understand?

[00:11:40] CS: Right. Yes.

[00:11:40] MM: But I understood how DNS works. I understood how email works. Then it was a matter of I didn't even know that there was a tool that allowed me to pre-align DKIM settings for secure DNS servers.

[00:11:58] CS: So it still comes down to problem solving ultimately.

[00:12:00] MM: Yeah. So I'm going to say it’s your cerebellum. That's –

[00:12:05] CS: That’s your open source tool right there, yeah. Constantly being updated. So can you move into other roles from security engineer? I know a lot people get worried about making the wrong decision in their career, and then they get locked into a role. But where do you – If you find you aren't into security engineer or the track that's taking you up to architect, what are some other directions that you could pivot into from a security architect job?

[00:12:29] MM: There's a lot. You can always become a teacher and a writer.

[00:12:34] CS: There you go.

[00:12:36] MM: Or work for me. No. Almost anything in security that’s security-related, you can fork into. Become a security engineer. That's probably the big thing you would be going for.

[00:12:51] CS: I think it's because it’s such a good hub role too, right?

[00:12:53] MM: Yeah. I don't think too many people would find themselves in a security engineer job discovering they don't like it. They’d probably be at a security analyst job or something. It could happen. But honestly, probably the place to go would be going more towards management, where you want to be a little less hands on, and you would definitely be a ringer for chief information security officer.

[00:13:15] CS: All right. So as we wrap up today, for our listeners who are ready to get started there with their job journey, what are some things they could do right now after they turn this video off that'll move them toward the goal of becoming a professional security engineer?

[00:13:27] MM: Okay. Well, assuming that they're very entry level in terms of where they're at, getting – It’s all about the education right now, kids, and looking towards some of these entry level CompTIA, sort of entry level security certifications, would definitely be the good way to go. Not being afraid to grab that first analyst job. Look, a lot of these security analyst jobs are not very exciting, and it's the midnight till eight in the morning shift. You can't do it from home. You got to drive to some building and stuff like that, and that can be a little bit irritating. But if you want to talk about the building blocks, those would be the things to do. Security analyst, you can go from zero, nobody, nothing to security analyst these days at a very, very attractive way to go.

[00:14:15] CS: Okay. It sounds like a probably fairly quick ramp up time, especially if you are good at problem solving.

[00:14:21] MM: A few months.

[00:14:22] CS: Yeah, nice. All right. Well, Mike Meyers, thank you for your time and insights today. This was really fun and exciting.

[00:14:27] MM: Always glad to help out with the InfoSec folks there, Chris. Feel free to give me a holler anytime. All you guys listening out there, get out there. These are exciting times to be in IT and IT security. Get out there. Get to work, man. It’s the most important thing we can do. What I'm hoping is our post-COVID environment because we all got to get back to work. Chris, get back to work, man.

[00:14:47] CS: I'm going to get back to work in just a moment before I say thank you to everyone watching this episode. If you'd like to know more about other cybersecurity job roles, please check out the rest of InfoSec’s career video series. I'll talk to you next time.