Frankly Speaking 6/14/22 - I'm back! What is a security engineer? (and some changes)
I’m back! As many of you know, I left my job as a cybersecurity investor at Dell Tech Capital and transitioned back into engineering at dbt Labs. I am now a staff security engineer and having a great time securing the coolest product in the modern data stack.
I’m a bit more settled in and, having spent time as a VC and now as an engineer at a cloud-first tech company, have more opinions (mostly controversial ones) on security than ever. By popular demand and as a way to share these opinions more broadly, I am bringing back my newsletter. However, there are a few changes:
This newsletter will be more consistent. I will be writing weekly instead of sporadically.
This will be a paid newsletter. I will have 1 free article every month, and 3 paid ones. The subscription will start at $10/month ($99/year). Think about it as buying me a coffee once a month (inflation is rough).
If you are super generous, you can be a founding member ($499/year suggested, but you can pay less or more). Depending on what you pay, we can discuss potential additional benefits in the future!
So, please support me in keeping this newsletter going by signing up for a paid subscription!
Most of the content will now be from an operator/senior engineer standpoint, with some VC thoughts mixed in.
Some of my old content is behind a paywall now.
I’m primarily going to talk about cloud security and my thoughts on how security should be done at a company with a “modern” tech stack.
Those are all the changes I have for now. But now off to the free article for this month.
LET’S BE FRANK
I get asked a lot, so what do you do as a security engineer? It’s a fair question because there’s a lot of confusion around the terminology and its use to describe roles in the industry. It’s partially the industry’s fault, and partially because the role itself keeps evolving. Some common areas of confusion:
Is a security engineer a software engineer?
Do they sit in engineering, IT, or security?
Do they build security tools, or do they implement security tools?
Do they do incident response?
Do they analyze threats, or do they harden the product against threats, or both?
What skill sets should they have?
The list of questions goes on, and this creates a lot of ownership and role confusion both for the security engineer and for executives/managers at a company. To be clear, the best way to describe my personal skillset is that I am a software engineer who specializes in security. My background is in building secure distributed systems, which requires me to have a deep understanding of the systems from an engineering perspective.
In my day-to-day work, I think like an engineer. I think about trade-offs in our system design when applying security. One major difference is that I have to consider trade-offs between security risk and performance. I care about how changes affect the product and our customers. I also have to consider prioritization when it comes to customer demands.
In my opinion, this is the right way to approach security engineering. We can boil this down to a simple framework. With the cloud, software engineers, namely devops engineers, manage the infrastructure. Security engineers are the response/corollary to this shift. However, unlike devops engineers/SREs, security engineers haven’t managed to find a new or descriptive name.
To elaborate, infrastructure management has shifted from IT to engineering. Previously, IT and security under the same organization made sense because security would assist IT when IT was managing infrastructure. However, now it makes less sense that traditional IT security is working with devops engineers. Unfortunately, it’s not fair to them because it’s not well-aligned with their skillsets and because they lack the engineering context to be successful. The security engineer is meant to bridge this gap and create better alignment in goals.
A security engineer, like a devops engineer, knows how to work with product managers. They understand the codebase and the software engineering practices that devops engineers abide by. They also better understand how security changes will affect the engineering organization and the product. It’s possible for a traditional IT security person to learn this, in the same way that a traditional IT person can learn devops engineering. However, it’s up to the organization and manager to decide, for a specific person, whether it’s easier for him/her to develop software engineering or security skills. Historically, I’ve seen more software engineers shift into security engineering, but that doesn’t mean other types of shifts aren’t possible.
With that said, IT security is not going away in the same way that IT is not going away. However, there is a shift in ownership and responsibilities for security. Cloud-first companies should focus on building out a security engineering organization with software engineers that work closely with infrastructure engineering as well as product development teams. Having been a VC and sharing notes with other engineering leaders, I believe that organizations tend to be more successful when this organizational structure exists.
Organizations will slowly realize this, and the need for security engineers will grow exponentially. If you have devops engineers, you need to have security engineers. Many organizations are already seeing this, as hiring freezes and layoffs don’t apply to cybersecurity.
There are a lot of open and follow-up questions, which I might address in future posts:
Who owns security tools now?
How will security tools need to evolve to capture this new market of security engineers?
What role does IT security play?
How will the roles and responsibilities of infrastructure and application security evolve?
Will there be larger shifts in the market, or are these isolated shifts for SaaS-focused companies? If there is a larger shift, how fast will it happen?
How will the increase in security engineers affect the types of developer tools and infrastructure that organizations want to adopt?
It’s never been a better time to be a security engineer or to develop that skillset. To be honest, the industry needs it, as demand is quickly outgrowing supply.
To allow me to continue writing, please support me by signing up for a paid subscription!
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.