Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. That communication starts with a solid, thorough job description. It will be an important benchmark when hiring for the role, and a touch point for performance once the candidate is on board. The job description is also a baseline that helps security team managers keep pace as many roles evolve.
IT security engineer is a relatively new job title, with the responsibilities and scope still in flux. Its focus is on quality control within the IT infrastructure. This includes designing, building and defending scalable, secure, and robust systems; working on operational data center systems and networks; helping the organization understand advanced cyber threats; and helping to create strategies to protect those networks.
Those strategies generally include monitoring and protecting sensitive data and systems from intrusions. This person usually works as part of a larger IT team and reports directly to upper management.
- Develop and carry out information security plans and policies
- Develop strategies to respond to and recover from a security breach
- Develop or implement open-source/third-party tools to assist in detection, prevention and analysis of security threats
- Awareness training of the workforce on information security standards, policies and best practices
- Implement protections
- Installation and use of firewalls, data encryption and other security products and procedures
- Conduct periodic network scans to find any vulnerability
- Conduct penetration testing, simulating an attack on the system to find exploitable weaknesses
- Monitor networks and systems for security breaches, through the use of software that detects intrusions and anomalous system behavior
- Investigate security breaches
- Lead incident response, including steps to minimize the impact and then conducting a technical and forensic investigation into how the breach happened and the extent of the damage
Skills and competencies
This section outlines the technical and general skills required as well as any certificates or degrees that a company might expect an information security engineer to have. Key technical skills include:
- Expertise in anti-virus software, intrusion detection, firewalls and content filtering
- Knowledge of risk assessment tools, technologies and methods
- Expertise in designing secure networks, systems and application architectures
- Disaster recovery, computer forensic tools, technologies and methods
- Planning, researching and developing security policies, standards and procedures
- System administration, supporting multiple platforms and applications
- Expertise with mobile code, malicious code, and anti-virus software
- The IT security engineer should also have experience with and knowledge of:
- Endpoint security solutions, including file integrity monitoring and data loss prevention
- AWS and cloud platform as a service (PaaS) security
- Automating security testing tools
- Chef – a configuration management tool
- Git – a tool that helps track anomalous changes to files
General skills include:
- The ability to multi-task
- A keen eye for detail
- Strong organizational skills
- The ability to thrive in fast-paced, high-stress situations
- The ability to communicate network security issues to peers and management
Possible education/certifications that a company might require are:
- A B.S. or M.S. in Computer Science or related field, or equivalent experience
- One to three years of industry experience in an information security function.
- Certified Information Systems Security Professional (CISSP)
- CISA – Certified Information Systems Auditor (CISA)
- CEH – Certified Ethical Hacker (CEH)
- CISM – Certified Information Security Manager (CISM)
- ISSAP – Information Systems Security Architecture Professional (ISSAP)
- ISSEP – Information Systems Security Engineering Professional (ISSEP)
[Related: How to get a job as a security engineer]
The IT security engineer is also expected to know compliance standards such as ISO 27000, ISO 9001 and FedRAMP.
Industry specific requirements
Experts say that, as is usually the case in information security, the core skill and qualification requirements apply to all industries. The differences are generally in regard to compliance.
Eric Cissorsky, senior IT security specialist at UBC, says that since he works in healthcare, “my primary concern is HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) compliance.
“Other industries may be more concerned with requirements such as PCI-DSS (Payment Card Industry-Data Security Standard) for those taking payment over the Internet or FISMA for the government sector,” he says.
Chris Clark, Principal Security Engineer at Synopsys, says the need for different “soft skills” can vary by industry and company culture. “An individual's ability to cope with the stresses and rigors of each industry and the job role within that industry can vary greatly,” he says. “A candidate with excellent technical acumen may not have the soft skills necessary to transition from health care to let's say education or finance and vice versa. If you can show your ability to adapt you are ahead of the game.”
How to attract the best
According to Indeed, the average salary for a security engineer in the U.S. is $103,620. Other sources report the range to be as low as $60,000 to more than $200,000 a year.
Money is important to good candidates, but they also want to know the company supports their work. “Without a doubt, the most important thing I look for in an employer is a serious commitment to infosec from the executive level,” Cissorsky says. “Many organizations talk a good game when it comes to infosec, but lack follow through, so I look for policies and processes that show the organization is serious. Beyond that a meaningful commitment to continuing education is very important to me.”
Clark says that while perks such as unlimited vacation days, educational stipends and free lunch are nice, even they will go only so far, “before the real questions need to be addressed: Am I valued? Does the company care about my contribution and well being? What is next? Can I grow? These are just some of the questions that if a company can address they stand a much better chance of culling and keeping the best and brightest,” he says.