A security engineer ensures that an organization’s software, networks, hardware, and data are safe from intrusion and theft. Let’s first look at the details of what a security engineer does and the skills needed, and then what training and career paths look like.
What does a security engineer do?
Security engineers ensure the network and IT engineers are using security best practices, such as keeping firmware and device software up to date with the latest security patches and minimizing what’s known as the attack surface. For instance, when an application needs a database server, the database should listen only on a private network reachable by that application; exposing it directly to the internet adds attack surface for no benefit.
Companies that build their own software also need security engineers to ensure software is secure as it’s being built; the security engineer will work with the developers on best practices to harden the software against potential attacks. This includes handling passwords properly (storing them only as salted, deliberately slow hashes rather than in plain text or as a fast unsalted hash), as well as ensuring the software doesn’t inadvertently provide an intruder with access via backdoors or hard-coded credentials.
Security engineers work full-time. This is not a job that an application developer does a little bit on the side. A security engineer needs to devote their entire working time to security, becoming an expert in its impact on their company and industry. An organization shouldn’t simply trust its security requirements to application developers or project managers who know a little bit of security. It needs either an expert on staff full time, or a part-time consultant from a firm that employs full-time security engineers.
What kinds of skills does a security engineer need?
Security engineers help test existing systems for vulnerabilities, as well as advise the IT team as they’re building such systems. Here are some skills needed for that:
Penetration testing: This refers to the task of deliberately attacking a system, with authorization, the way a real intruder would, from outside the network and sometimes from inside it. Security engineers typically have a set of software tools that assist in this. The tools probe the target through multiple means, including scanning for open network ports, identifying the services and versions listening on them, and trying known weaknesses against those services. Some tools are run manually by the security engineer; others the security engineer must install and configure to run automatically on a regular basis.
Vulnerability and security assessment: Once penetration testing is complete, the security engineer will put together an assessment showing where the problems are, how severe each one is, and what needs to be done to correct them.
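The two steps above, reduced to their simplest form: a TCP connect scan, a banner grab, and an assessment that flags every listening port not on an approved list as unnecessary attack surface. This is example code added for this page, not a tool from the original text. To run offline it starts a constructed stand-in service on a loopback port; the approved port list and the severity labels are assumptions you would replace with your own standards.

```python
import socket
import threading
from contextlib import closing


def scan_ports(host, ports, timeout=0.25):
    """TCP connect scan: a completed handshake means something is listening."""
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=0.5):
    """Read whatever the service says first; many daemons announce name and version."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        try:
            return sock.recv(256).decode("ascii", errors="replace").strip()
        except socket.timeout:
            return ""


def assess(host, open_ports, approved_ports):
    """Turn scan output into findings: anything listening that is not approved
    is attack surface to close or firewall."""
    findings = []
    for port in sorted(open_ports):
        if port in approved_ports:
            continue
        findings.append({
            "host": host,
            "port": port,
            "banner": grab_banner(host, port),
            "severity": "high",  # assumption: unapproved listener is high
            "recommendation": f"Close or firewall port {port}; it is not an approved service.",
        })
    return findings


def start_fake_service(banner):
    """Constructed stand-in for a real daemon so the example runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_fake_service(b"MyDB 1.0 ready\r\n")
    found = scan_ports("127.0.0.1", range(port - 2, port + 3))
    for finding in assess("127.0.0.1", found, approved_ports={22, 443}):
        print(finding)
    srv.close()
```

Real engagements use mature scanners for this, but the shape is the same: enumerate, identify, then rank and recommend.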
Intrusion detection: Security engineers deploy intrusion detection systems and log monitoring that recognize an intrusion in progress and immediately notify the security engineers and other people in the organization, and possibly physical security staff or law enforcement. (Note that this could mean being awakened in the night!)
Setting up new systems securely: In addition to testing existing systems, security engineers will help the IT team build networks that are secure. The security engineer meets with the IT team before the network is built and advises them on the steps to build a secure network, the best software and devices to use, and the best way to configure everything. The security engineer will also work with them as the network is being built, doing penetration testing early on to catch problems before the system goes live, and will continue doing penetration tests on a regular basis after it goes live.
Security policies: Security engineers will help the IT team put together policies to be enforced, such as an allowlist of the only software permitted on computers, a blocklist of software that is forbidden, rules on password management, and so on. They will also likely train employees on how to keep their passwords safe and how not to fall for phishing scams.
Compliance: Companies that work with certain organizations such as government agencies typically need to meet regulatory compliance. The security engineer is the one who needs to understand such regulations, how to implement them correctly, and how to report that the system is compliant.
Assisting application developers: For companies that build software, security engineers work in a specialized field called application security, whereby they help the software developers follow best security practices. This requires skills in addition to the above, such as:
- Programming: The application security engineer may write less production code than the developers, but must analyze the code for problems. As such, they need to be competent in reading code in the languages the company uses. If the security engineer works for a consulting firm, they might need to know most of the popular programming languages.
- Continuous Integration (CI): The security engineer will provide guidelines on how to make the software integrate with existing systems securely. For example, the security engineer might determine that an application running in the cloud must run only inside a private network (for instance a virtual private cloud reachable over a VPN) and not be accessible from outside it.
- Continuous Delivery (CD): Today’s software is often delivered to cloud systems on a regular basis as small builds are completed, such as every two weeks. This involves using automated tools that collect the latest source code, build it, and deliver it to a cloud server. This process is also prone to security holes. The code will typically be hosted on a source code repository such as GitHub. Many employees across the organization may have access to this code, so credentials or keys accidentally committed to it are exposed to all of them and to anyone who later compromises an account. The security engineer would teach the team the best practices for keeping the code and the pipeline safe. The build system that obtains the code, compiles it and delivers it also needs least-privilege credentials, with limited or no access to other servers.
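One concrete control for the pipeline risk just described, written as an added example for this page rather than taken from it: a pre-deploy gate that scans the checked-out tree for committed credentials and refuses to ship if any are found. The repository contents are constructed, the patterns cover only three common credential shapes, and the entropy cutoff of 3.0 bits per character is an assumption meant to skip placeholder values like "changeme".

```python
import math
import re
from collections import Counter

# Constructed files standing in for a repository checkout (not real code or keys;
# AKIAIOSFODNN7EXAMPLE is the documented example key ID, not a live credential).
REPO_FILES = {
    "app/settings.py": 'DB_PASSWORD = "Sup3rS3cretPr0dPassw0rd!"\nDEBUG = False\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "app/config.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "README.md": "Run `make deploy` to ship the latest build.\n",
}

PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"(?i)(?:password|passwd|secret)\s*=\s*['\"]([^'\"]{8,})['\"]")),
]

ENTROPY_CUTOFF = 3.0  # assumption: bits/char below which a value is a placeholder


def shannon_entropy(value):
    """Bits per character; random-looking secrets score higher than words."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_files(files):
    """Return one finding per (file, line, pattern) that looks like a real secret."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, regex in PATTERNS:
                match = regex.search(line)
                if not match:
                    continue
                value = match.group(1) if match.groups() else match.group(0)
                if name == "hardcoded_password" and shannon_entropy(value) < ENTROPY_CUTOFF:
                    continue  # low-entropy placeholder, not worth blocking the build
                findings.append({"file": path, "line": lineno, "type": name})
    return findings


def gate_deploy(files):
    """Pipeline step: (ok, findings). ok is False if anything must be rotated first."""
    findings = scan_files(files)
    return len(findings) == 0, findings


if __name__ == "__main__":
    ok, findings = gate_deploy(REPO_FILES)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['type']}")
    print("deploy allowed" if ok else "deploy blocked: rotate the secrets above")
```

A finding means the secret is already compromised as far as the team is concerned; the fix is to rotate it and move it into the environment or a secrets manager, as `app/config.py` does, not merely to delete the line.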
How can a security engineer get a first job?
There are some steps to landing the first job:
Training. Training is vital. While some IT professions you can learn on your own, security requires as much training as you can get. The reason is liability. Organizations trust the people they hire. An organization can usually survive if its software crashes and restarts. There might be some annoyed users, but if no data is lost, there’s likely little financial liability.
Security engineers, on the other hand, need to ensure that intruders won’t break in and steal millions of customer records; such an intrusion can result in the company being sued for tens of millions of dollars or even more. The stakes in hiring the right security engineer are therefore high.
If you want a recruiter or hiring manager to be totally comfortable with the idea of you as a security engineer, it helps to have a collection of courses, certifications, and degrees on your resume and other application materials. If you already have a bachelor’s degree in a related field such as computer science, another option is to go back and get a master’s degree in security.
People networking. As with most jobs these days, it’s important to grow your network. Large corporations will typically hire teams of security engineers. A software development firm might hire just one, compared to dozens of software developers. And security firms will typically be hiring multiple people. That means finding these companies, and ideally, meeting people who work there who can get your resume to the top of the list. You can meet people through job networking sites such as LinkedIn, as well as by attending conferences and meetups.
But remember, because competition is tight, you’ll need to be ready to prove yourself, both with your certification and your skillset. Plan to be the best you can and shine above the others.
What does a security engineer career path look like?
As with many tech careers, there are junior, mid-level, and senior level security engineers. In large companies and security consulting firms that hire multiple security engineers, you would be starting out at a junior level working under people with years of experience who can help teach you additional skills beyond your training.
Medium-sized companies that have an opening for one security engineer are likely to go with somebody with more experience than a junior level. When you reach such a position, you would have a great deal of autonomy.
Senior engineers at a large corporation or security firm might not be doing so much hands-on work and might be managing teams of security engineers. Or as you advance in your career, instead of managing, you can become more specialized. You might focus on only cloud security, network security, or the application security we already mentioned.
And as you advance, plan to keep training and learning through your entire career. With every new version of operating systems and software, you need to update your skills to know the new features and security risks of those features. You also need to learn about new methods of attacks and intrusion and how to prevent them, and what to do if an intrusion happens.
Note finally that some security engineers start out as software developers. Such people are in demand as they can take on the job of application security engineer. But again, since security is a full-time job (with very solid pay), this is a full career change, not just a side gig for an application developer.
Security engineering is a difficult field and requires continual training and certification updates. But it can be exciting and rewarding. Plan to work hard, and soon you’ll find yourself getting your first position.