Security Engineering and Pancakes

Recently, I was asked my opinion regarding the most important role of a security engineer. This question made me think about the various jobs and functions I have come across related to security engineering. It also made me think about pancakes (more on that later). Anyway, as with most discussions related to cybersecurity, the answer is “it depends.” I decided to begin by reviewing the marketplace and job postings, and then check in with the International Information Systems Security Consortium (ISC2) to see what they might have to say. Finally, I consulted my pancake recipe.

Security Engineering: A Review of the Marketplace

The term security engineering can encompass a large variety of responsibilities and roles. The duties of a security engineer can vary greatly based on the industry and the company size. In companies with a large security department, security engineering functions may be distributed across several roles. A review of security engineering job postings demonstrated the wide-ranging, and often differing, views of security engineering within the marketplace.

Based on my review of current job postings with the title of “security engineer” or using the term “security engineer,” companies do not have a clear or widely-accepted definition of security engineering and what constitutes a security engineering role. My review did find, however, that the posted security engineering jobs tended to fall into one of the following four categories:

  1. A focus on the selection, implementation, and/or configuration of corporate-level security tools and processes, such as event monitoring, vulnerability management, access control, and data loss prevention. Specialized subsets included security engineers with a specific focus on network-based security tools (such as intrusion prevention, firewalls, and web content filtering) and those that focused on host-based security tools.
  2. Application security engineers focusing on secure software development practices within the software development lifecycle.
  3. Security engineers focused on the implementation of and adherence to security frameworks (such as NIST and CIS), compliance with corporate or industry-specific security standards (such as HIPAA or PCI), and processes.
  4. Security engineers who provide consulting services across any of the above to internal groups or third parties.

Security Engineering: A Review of the CISSP

Next, I reviewed the curriculum for the Certified Information Systems Security Professional (CISSP) offered by ISC2 (2015). This review also demonstrated that security engineering could include many responsibilities and roles. The CISSP contains a security engineering domain, which includes the following topics:

  • The application of security models and design principles within security architecture;
  • Access control and the application of access control models;
  • The application of cryptographic controls for confidentiality and integrity;
  • The use of security models to evaluate products;
  • Database security;
  • Vulnerability management;
  • Identification and management of threats;
  • Identification of vulnerabilities within the security controls and architecture; and
  • Secure site and facility design.

Security engineering within application development requires special consideration. Security engineering focused on the product development lifecycle is critical to developing secure products. The CISSP curriculum contains a separate domain concerned with developing secure applications and incorporating security within the software development lifecycle.

What About the Pancakes?

So, what is the most important role of a security engineer? I do not understand how this question could be answered. You might as well ask me what is the most important ingredient in my famous (at least in my household) pancake recipe. Of course, I could remove some ingredients, perhaps the vanilla or the cinnamon, and still create a delicious pancake; however, the overall recipe would suffer. Other times, I might need to add a little extra, perhaps some diced apple. And if you want to destroy my pancakes, substitute some artificially-flavored maple syrup for the real Vermont maple syrup.

Much like the ingredients of my pancakes, each of the security engineering roles and duties is important. However, depending on the organization, including such things as company size and industry, certain aspects of security engineering will become more or less important. The security engineering roles complement one another, and each is necessary. However, for the sake of the discussion, I will play along and choose the most important ingredient among the eggs, flour, and buttermilk.

I will argue for security engineering within the application development lifecycle. This selection may be influenced by my working for a technology company that develops software applications to support the financial services industry (and by my being a developer in the distant past). However, this choice is also because many security incidents result from the exploitation of a vulnerability within software systems. Limiting vulnerabilities introduced during the software development lifecycle will go a long way toward securing systems. Furthermore, security engineering can reduce costs and minimize risks by identifying and fixing bugs and vulnerabilities earlier in the software development cycle.

Are you hungry now? If you are ever in my neck of the woods, stop by, and I will fix you some pancakes!

About the author: Donnie Wendt is an information security professional focused on designing and engineering security controls and monitoring solutions. Also, Donnie is an adjunct professor of cybersecurity at Utica College. Donnie is currently pursuing a Doctorate of Science in Computer Science with a research focus on security automation and orchestration.