Engineers solve problems; a security engineer solves security problems.
One of the first things any engineer (in any discipline) should do is understand the problem. In security engineering, that means knowing what you are trying to protect and, from that, how and why people might want to attack it.
Whether the problem is protecting data or infrastructure, it is vital that the security engineer understands every facet of the asset to be protected and any vulnerabilities that may be associated with it.
Once the asset is understood, a risk assessment and threat analysis need to be carried out to determine the attack surface of the asset. Once the attack surface is determined, mitigating steps can be designed and implemented to reduce the attack surface and eliminate or reduce risk.
Throughout, the ideal security engineer has to consider how to maintain the CIA triad (confidentiality, integrity, availability) with respect to the asset being protected.
Working out how to protect an asset effectively is not an easy task, so desirable properties any security engineer needs to have include:
- Logical problem solving
- Attention to detail
- Understanding of people, process, technology and physical security controls
- Good communication skills
An ideal security engineer will need to address the security needs of the business. For example, a security engineer may have to consider the following:
- Open ports on outward-facing servers, and the code listening on those ports
- Services available on the inside of the firewall
- Code that processes incoming data to a database
- Processing of data by a human or machine
- An employee with access to sensitive information being socially engineered
- Theft of devices
The above problems, in one way or another, involve people, process, technology and physical security. The question is, how does the engineer maintain the CIA triad around these?
The ideal security engineer needs to have an in-depth knowledge of many aspects of IT, including hardware, software and networking. He or she will not only have 'hands-on' skills, but should also be able to advise on the design of security policies which should work to protect the company and be robust enough to cope with the changing threat landscape.
The IT security engineer must also work on implementing and managing the business continuity and disaster recovery strategy. This will include working with key stakeholders to keep business continuity and disaster recovery documentation and training up to date.
Testing that the controls put in place actually work is a key aspect of the security engineer's role, so security engineers need to know how to test new hardware, software, and networking systems before implementation and keep on top of them as a regular management process.
Finally, the ideal IT security engineer should be able to fix problems both on and off-site. Engineers need to be able to examine, troubleshoot and fix security irregularities both at the office and remotely.
Mark Amory is a senior learning consultant at QA.
Computing and QA Training's Securing Talent campaign aims to raise awareness of the growing need for people with cyber security skills in industry and government, and for clearer pathways into the cyber security profession.