The role of a Security Engineer

"Security engineer" is a loosely defined title in the cybersecurity industry. Different companies define it differently.

A very engineering-driven company would hire a security engineer who is also a software engineer building and shipping product features. As security engineers, though, they pay close attention to the nuances that relate to the security aspects of the products they are building (e.g. confidentiality, user PII, potential fraud).

On the other hand, a cybersecurity team that is not part of the engineering department might hire a security engineer to build internal integrations and tooling that support the adoption and improvement of security programmes within the company.

Others simply rebrand security analysts, penetration testers, incident responders, and pretty much any other non-managerial cybersecurity role under the sun as security engineers, because it is a newer term in the industry.

Subjectivity aside, a security engineer takes pride in ensuring that adopting security hygiene across engineering practices involves minimal friction. It is easy to propose rolling out OWASP Top 10 prevention activities across the entire organisation. But given the scale, and the different ways teams work, how would a security engineer drive the programme so that it actually succeeds?

An excellent security engineer continues to enable teams to innovate and be creative in their engineering work without introducing too many blockers and obstructions in their workflow. They achieve this by building guardrails along the workflow, so that teams operate freely within a safe security boundary. By designing sane security defaults and keeping them lightweight to follow, a security engineer increases the likelihood that engineering teams adopt the practices.

For example, a security engineer might introduce an abstraction over all the static security scanning tools and surface their results in a single, contextual interface: one normalised schema, one place to look, one consistent decision about what blocks a build. Or, while writing code that performs underwriting checks, a security engineer might choose simple if-else clauses over elaborate interfaces and class hierarchies, so that the overall set of rules remains comprehensible to future engineers before they modify it. That is a deliberate decision to keep things simple so that subsequent enhancements follow suit, minimising underwriting errors that could stem from a complex implementation.
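As an added illustration of the first example (this is not code from the original post), the block below normalises findings from two scanners that emit different report formats into one schema, de-duplicates them, groups them by location so that every tool's opinion about the same line sits together, and applies a single gating policy. The two sample reports are constructed here, not captured from real runs; their shapes follow SARIF 2.1 (as emitted by tools such as semgrep) and Bandit's JSON report, but the rule IDs, paths and messages are made up. The function and parameter names (`merge`, `blocking`, `fail_on`) are this example's own assumptions.

```python
"""Normalise findings from several static scanners into one schema and one policy."""
from dataclasses import dataclass

# Constructed sample reports (not from real scanner runs). Shapes follow
# SARIF 2.1 and Bandit's JSON report; contents are invented for the demo.
SARIF_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep"}},
        "results": [
            {"ruleId": "python.lang.security.audit.sqli", "level": "error",
             "message": {"text": "Possible SQL injection via string formatting"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "python.lang.best-practice.unused-import",
             # no "level": SARIF says the default is "warning"
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}

BANDIT_REPORT = {
    "results": [
        {"test_id": "B608", "issue_severity": "MEDIUM", "filename": "app/db.py",
         "line_number": 42,
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"test_id": "B105", "issue_severity": "LOW", "filename": "app/settings.py",
         "line_number": 10, "issue_text": "Possible hardcoded password: 'changeme'"},
        # same finding reported twice, e.g. two runs merged into one report
        {"test_id": "B105", "issue_severity": "LOW", "filename": "app/settings.py",
         "line_number": 10, "issue_text": "Possible hardcoded password: 'changeme'"},
    ],
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}          # lower is more severe
SARIF_LEVELS = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


@dataclass(frozen=True)
class Finding:
    """The single schema every scanner is mapped onto."""
    tool: str
    rule: str
    severity: str   # "high" | "medium" | "low"
    path: str
    line: int
    message: str


def from_sarif(doc):
    """Map SARIF results (any driver) onto Finding objects."""
    out = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            out.append(Finding(tool=tool, rule=r["ruleId"],
                               severity=SARIF_LEVELS[r.get("level", "warning")],
                               path=loc["artifactLocation"]["uri"],
                               line=loc["region"]["startLine"],
                               message=r["message"]["text"]))
    return out


def from_bandit(doc):
    """Map Bandit's JSON report onto Finding objects."""
    return [Finding(tool="bandit", rule=r["test_id"],
                    severity=r["issue_severity"].lower(),
                    path=r["filename"], line=r["line_number"],
                    message=r["issue_text"])
            for r in doc.get("results", [])]


def merge(*batches):
    """Concatenate, drop exact duplicates, and order by severity then location."""
    seen, merged = set(), []
    for f in (f for batch in batches for f in batch):
        key = (f.tool, f.rule, f.path, f.line)
        if key in seen:
            continue
        seen.add(key)
        merged.append(f)
    merged.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))
    return merged


def blocking(findings, fail_on="high"):
    """One gating policy for all tools: findings at or above fail_on block the build."""
    limit = SEVERITY_RANK[fail_on]
    return [f for f in findings if SEVERITY_RANK[f.severity] <= limit]


def render(findings):
    """Group by file:line so each location shows every tool's verdict together."""
    groups = {}
    for f in findings:
        groups.setdefault((f.path, f.line), []).append(f)
    lines = []
    for (path, line), fs in groups.items():
        lines.append(f"{path}:{line}")
        lines.extend(f"  [{f.severity}] {f.tool}/{f.rule}: {f.message}" for f in fs)
    return "\n".join(lines)


if __name__ == "__main__":
    findings = merge(from_sarif(SARIF_REPORT), from_bandit(BANDIT_REPORT))
    print(render(findings))
    raise SystemExit(1 if blocking(findings) else 0)   # non-zero exit fails the CI job
```

Adding a third scanner means writing one more `from_*` adapter; the ordering, de-duplication, grouping and gating policy stay in one place, which is the point of owning the abstraction rather than letting each team wire up each tool on its own.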

A security engineer designs solutions that minimise security flaws while keeping them simple enough for low-friction adoption. That skill set applies regardless of whether the engineer is building a product feature or security tooling. It is a mix of deep technical knowledge and an entrepreneurial mindset: designing security as a service to the organisation.