What Does a Security Engineer Do?
The Short Version
A Security Engineer builds and maintains IT security solutions for an organization.
In this intermediate-level position, you will be developing security for your company’s systems/projects and handling any technical problems that arise.
Security Engineer Responsibilities
On any given day, you may be challenged to:
- Create new ways to solve existing production security issues
- Configure and install firewalls and intrusion detection systems
- Perform vulnerability testing, risk analyses and security assessments
- Develop automation scripts to handle and track incidents
- Investigate intrusion incidents, conduct forensic investigations and mount incident responses
- Collaborate with colleagues on authentication, authorization and encryption solutions
- Evaluate new technologies and processes that enhance security capabilities
- Test security solutions using industry standard analysis criteria
- Deliver technical reports and formal papers on test findings
- Respond to information security issues during each stage of a project’s lifecycle
- Supervise changes in software, hardware, facilities, telecommunications and user needs
- Define, implement and maintain corporate security policies
- Analyze and advise on new security technologies and program conformance
- Recommend modifications in legal, technical and regulatory areas that affect IT security
In a large organization, you will typically report to a Security Manager.
Security Engineer vs. Security Analyst
To put it in Sesame Street terms, Security Engineers like to fix systems and Security Analysts try to break them. Analysts are more concerned with probing for risks and weaknesses (pentesting, auditing, etc.); engineers are more intent on building robust security solutions (firewalls, IDS, etc.).
Having said that, we’ve seen a lot of crossover in job descriptions. Postings for “Security Analyst/Engineer” are pretty common.
Security Engineer Career Paths
Once you’ve made a name for yourself as a Security Engineer, you might be interested in positions with more managerial oversight and career flexibility:
From there, you could work your way into a C-suite position such as:
The term “Security Engineer” has a few immediate siblings in the job market:
- Network Security Engineer
- Information Assurance Engineer
- Information Security Engineer
- Information Systems Security Engineer
Security Engineer Salaries
According to Payscale, the median salary for a Security Engineer is $85,177 (2014 figures). Overall, you can expect to take home a total pay of $55,338 – $127,123. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
Security Engineer Job Requirements
The job of a Security Engineer is a highly technical one, so employers will expect you to have a bachelor’s degree in Computer Science, Cyber Security or a related field.
Don’t have an undergraduate degree? You may wish to consider gaining a master’s degree with a concentration in IT Security. You can supplement this qualification with work experience, training and certifications.
Work experience requirements depend a good deal on the size of your organization and the scope of your responsibilities. We’ve seen everything from 1-10 years of experience required. Senior Security Engineers tend to fall in the range of 5-10 years.
The more tools you have in your arsenal, the more attractive you will be as a job candidate. So you may wish to get familiar with:
- IDS/IPS, penetration and vulnerability testing
- Firewall and intrusion detection/prevention protocols
- Secure coding practices, ethical hacking and threat modeling
- Windows, UNIX and Linux operating systems
- Virtualization technologies
- MySQL/MSSQL database platforms
- Identity and access management principles
- Application security and encryption technologies
- Secure network architectures
- Subnetting, DNS, encryption technologies and standards, VPNs, VLANs, VoIP and other network routing methods
- Network and web related protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols, etc.)
- Advanced Persistent Threats (APT), phishing and social engineering, network access controllers (NAC), gateway anti-malware and enhanced authentication
Generally speaking, Security Engineers are known for their complex problem-solving abilities and creative minds.
You’ll be spending a fair amount of time working an IT team, so employers will be looking for evidence of strong oral and communication skills. They also want to see that you’re capable of working long hours and dealing with stress.
Certifications for Security Engineers
We’ve listed a variety of certifications you may wish to consider as you build your career. None of these are necessarily mandatory – check current job descriptions for a sense of what’s popular:
- CEH: Certified Ethical Hacker
- CCNP Security: Cisco Certified Network Professional Security
- GSEC / GCIH / GCIA: GIAC Security Certifications
- CISSP: Certified Information Systems Security Professional