Author: Joann Anderson, Head of Engineering at Latacora
Thinking of a career in cybersecurity? Here’s what you need to know.
When people think about security, they often envision something like Mr. Robot — a lone engineer wearing a hoodie, sitting in a dark room with a terminal window open at a monitor casting a bluish tint. Images of corporate espionage and numbers stream across a screen. While many technology careers can be intimidating to pursue, security careers can feel exceptionally inaccessible, especially if one doesn’t relate to the stereotypical hacker.
In reality, there are many different kinds of security engineers, and while some may be reminiscent of the characters we see on television, many (if not most) work within a company, protecting its assets from compromise. There are security engineers who work in learning and development, training employees to be resilient to social engineering attacks such as phishing. Others work on developing secure software, protecting a company’s cloud infrastructure, or responding to cybersecurity attacks. Still, others work on the compliance and policy side to provide a framework within which the company operates to reduce exposure to risk. Though there are many different roles within security engineering, successful security engineers often possess the following skills.
Understand how attacks work
First and foremost, a successful security engineer needs solid technical skills: they need to understand how attacks are designed to exploit different vulnerabilities. Start by learning how various attacks work. These books are good initial reading; they provide frameworks for finding vulnerabilities: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, The Tangled Web, and The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Next, working through online security training exercises like PortSwigger Labs, crypto101.io, cryptopals, flaws.cloud, PentesterLab exercises, and XSS puzzles can help solidify that knowledge. From there, security engineers can specialize in various areas, like the cloud, mobile applications, or web applications, based on interest. Understanding, from a technical perspective, how these attacks work provides a solid foundation on which to build a career as a security engineer.
Think like an adversary
The best security engineers are open-minded and creative thinkers. They are able to easily shift their perspectives to think like adversaries when evaluating new features or a piece of software. In software development, it is common to assume products will be used in a specific way, only to have users completely surprise us. Security flaws and vulnerabilities are often found by manipulating products in ways that their designers did not intend. Keep an open mind when evaluating products for security flaws and think about creative ways to use various aspects of the product. Read about past security flaws found in a wide range of products (mobile, web, consumer, and enterprise) to get a better sense of different exploits. This approach applies to social engineering attacks as well; sophisticated attackers ask creative open-ended questions to induce unsuspecting people to reveal information. Read and learn from past attacks to understand different attackers’ mindsets. Thinking like an adversary helps security engineers build robust defenses against them.
Build psychological safety
Psychological safety is often referenced as a skill of successful people management; however, it is exceptionally relevant for security engineers as well. Security engineers need to build trust and create a safe environment in which developers and product managers seek out their guidance when building features and products. To build psychological safety, proactively build positive relationships with developers, ask them what they’re working on (or will be working on), and show genuine interest by asking follow-up questions. When giving feedback on features, present findings as areas for improvement and not as engineering failures. No engineer intends to write security vulnerabilities into their code. After the conversation, express appreciation for their answers and time. If there’s any follow-up required, be accountable by communicating progress and submitting deliverables on time. Security engineers are sometimes viewed as different from other software engineers, or worse, as roadblocks to getting features built. In reality, they are simply engineers with a different domain expertise — like a database engineer — and their goal is to decrease risk, allowing safe and successful deployment of features. Establishing this distinction removes the mystique around security engineering and helps others become more comfortable when engaging with them. Successful security engineers are partners, not adversaries.
This list is certainly not exhaustive, but these three skills are a starting point for exploring a career as a security engineer. Security engineering is in high demand, and the supply of security engineers is relatively low. According to the Bureau of Labor Statistics, job demand for Information Security will grow by 31%, compared to 4% overall job growth. One forecast predicted there could be 3.5 million unfilled cybersecurity roles in 2021. Security engineering is akin to playing a game in which one treasure hunts for holes and weaknesses and then strengthens defenses in response. While it may not involve sitting alone in a dark room surrounded by multiple monitors or spending days investigating internal espionage (though it might!), security engineering is a challenging yet fun and exciting career, with endless opportunities.
Joann Anderson is currently the Head of Engineering at Latacora, a retained security team for startups. Previously she was the VP of Engineering at Scoop Technologies and at Slack where she managed several Core Product teams. Joann honed her skills in streamlining engineering processes to accelerate release delivery at Adobe and Symantec. In her free time, she trains Muay Thai and gardens.
This blog post was sponsored by our friends at Latacora. Thank you Latacora for sponsoring ACT-W Conference 2021, powered by ChickTech. Latacora is a retained security team for startups—learn more about Latacora at https://www.latacora.com