Cyber Careers #16

Here we have Cyber Careers Number 16: we're sharing the work of a Senior Information Security Engineer as we continue our series exploring a variety of cyber positions. We've moved to the west coast of the US now, to a role within a software development company. The idea with my Cyber Careers project is to give you a broad sampling of cybersecurity options. If you're new to the cyber community, it might help you decide which direction you'd like to go in your career. If you're already working in security, you might want to align your path with another, or decide you want to move towards a different path based on what you see here. The whole point of this project is to provide information for you to use in the way that works best for you.

Name? Today's contributor prefers to remain anonymous

Where are you located? California

JOB

Who do you work for? A commercial software development company

Your job title? Senior Information Security Engineer

How many years have you worked in cybersecurity? 7 years full-time

What do you do in your job? A variety of things, listed below.

Primary task is Security Reviews


Review of 3rd party vendors:

  • Gathering and review of 3rd party assurance documentation (SOC 2, Penetration Tests, etc.).
  • Review of integrations to company systems and any related security concerns.
  • Review of any optional configurations (e.g., encryption settings, log forwarding, etc.).

Review of internal development (non-product):

  • Review of architecture, system configurations.
  • Review of static code analysis.
  • Review of any integrations to other internal or external systems.

Determine data classification and potential risks to help scope the overall level of effort for each project. Recommend mitigating actions through partnership with the stakeholder (e.g., if the security state of a product is not acceptable, can we reduce the data set classification without impacting the business results?). Escalate any risks identified that are not within acceptable tolerances.

Secondary task is Compliance

  • Review compliance requirements and identify gaps in the environment.
  • Help SMEs understand compliance requirements for their area to address gaps.
  • Provide guidance on remediating vulnerabilities (scanner detection based). This is a large knowledge gap when the solution is not a simple patch.
  • Review proposed changes for acceptability, missing requirements (e.g. missing documentation).

What do you like most about your job? Making an impact on security culture at the workplace and making measurable improvements to the posture of the organization. Not ever being on-call is a huge plus for my role.

Least? Challenges in making progress for various reasons. I accept the business drivers but there is a lot of conflict within IT and too many attempts to get a perfect solution (which prevents making any progress on reducing risk).

What work did you do prior to this position? Information Security Engineer, AECOM. Started out in a “do everything IT related” type role and moved around a bit as the company matured. Similar line of responsibilities to what I do now, but with a bit more solution ownership (e.g. EDR, 2FA solutions).

What do you see as your next step? Management/decision maker role. Likely a few years as this will require moving to a new company.


Salary range for your position? I have an issue with this question, as salary is only part of a total compensation package. Example: by switching companies I shaved $12,000 in healthcare costs a year and gained a profit share. Someone being “paid” more may actually make less. That being said, rough salary range $110-130K, with total compensation at around $130-150K.

EDUCATION & GROWTH

Degree or no degree? Degree. Bachelors Information & Computer Science (as a side note I’ve used essentially none of what I learned)

Certifications held? CISSP, CRISC (with CCSP being next target)

What do you do to stay up-to-date or grow in cyber? Webinars, Reddit/other news, reading

Favorite cyber news source and/or podcast? Favorite source would be Brian Krebs, a little more general would be the Down the Security Rabbithole podcast

ANYTHING ELSE/OTHER COMMENTS


Something I think would be interesting is a question about whether people had relocated for their current position. I think companies off the beaten path are especially challenged to get staff to relocate.

Also, as a comment, I find job titles in InfoSec to be all over the place in terms of actual job responsibilities; I’m sure you’ve found the same. It’s a bit of a frustration point. (Author's note: another one of the reasons for this project; many with the same title do different work.)

Hope Frank

Global Chief Marketing & Growth Officer, Exec BOD Member, Investor, Futurist | AI, GenAI, Identity Security, Web3 | Top 100 CMO Forbes, Top 50 Digital /CXO, Top 10 CMO | Consulting Producer Netflix | Speaker

2 weeks

Karen, thanks for sharing! How are you doing?

Christophe Foulon, CISSP, GSLC, MSIT

Microsoft Cloud Security Coach | Helping SMBs Grow by Enabling Business-Driven Cybersecurity | Fractional vCISO & Cyber Advisory Services | Empowering Secure Growth Through Risk Management

5 years

Another great profile!
