How to Write a Computer Security Engineer Job Ad
Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. This communication starts with a solid and detailed job description. It will be an important reference when hiring for the position and a point of contact for performance once the candidate is on board. The job description is also a baseline that helps security team leaders keep pace with the evolution of many roles.
Computer Security Engineer is a relatively new job title, with responsibilities and scope still evolving. It focuses on quality control within the IT infrastructure. This includes designing, building, and defending scalable, secure, and robust systems; work on operational data center systems and networks; help the organization understand advanced cyber threats; and help create strategies to protect these networks.
These strategies typically include monitoring and protecting sensitive data and systems from intrusion. This person typically works as part of a larger IT team and reports directly to senior management.
- Develop and implement information security plans and policies
- Develop strategies to respond to and recover from a security breach
- Develop or implement open source/third party tools to aid in the detection, prevention and analysis of security threats
- Staff awareness of information security standards, policies and best practices
- Set up protections
- Installation and use of firewalls, data encryption and other security products and procedures
- Perform periodic network scans to find any vulnerabilities
- Perform penetration testing, simulating an attack on the system to find exploitable weaknesses
- Monitor networks and systems for security vulnerabilities, through the use of software that detects intrusions and abnormal system behavior
- Investigate security vulnerabilities
- Lead incident response, including steps to minimize impact, then conduct technical and forensic investigation into how the breach occurred and extent of damage
[Related: What it takes to become an IT security engineer]
Skills and competences
This section describes the required technical and general skills as well as the certificates or diplomas that a company can expect from an information security engineer. Key technical skills include:
- Expertise in antivirus software, intrusion detection, firewalls and content filtering
- Knowledge of risk assessment tools, technologies and methods
- Expertise in the design of secure networks, systems and application architectures
- Disaster Recovery, Computer Forensics Tools, Technologies and Methods
- Plan, research and develop security policies, standards and procedures
- System administration, supporting multiple platforms and applications
- Expertise in mobile code, malicious code and antivirus software
- The computer security engineer must also have experience and knowledge of:
- Endpoint security solutions including file integrity monitoring and data loss prevention
- AWS and Cloud Platform Security as a Service (PaaS)
- Automate security testing tools
- Chef – a configuration management tool
- Git – a tool that tracks abnormal changes to files
General skills include:
- The ability to multitask
- A keen eye for detail
- Strong organizational skills
- The ability to thrive in fast-paced and stressful situations
- The ability to communicate network security issues to peers and management
Possible studies/certifications that a company might need are:
- A BS or MS in Computer Science or related field, or equivalent experience
- One to three years of industry experience in an information security function.
- Certified Information Systems Security Professional (CISSP)
- CISA – Certified Information Systems Auditor (CISA)
- CEH – Certified Ethical Hacker (CEH)
- CISM – Certified Information Security Manager (CISM)
- ISSAP – Information Systems Security Architecture Professional (ISSAP)
- ISSEP – Information Systems Security Engineering Professional (ISSEP)
[Related: How to get a job as a security engineer]
The computer security engineer should also be familiar with compliance standards such as ISO 27000, ISO 9001, and FedRAMP.
Industry specific requirements
Experts say that, as is generally the case in information security, basic skills and qualifications requirements apply to all industries. The differences are usually about compliance.
Eric Cissorsky, senior IT security specialist at UBC, says that since working in healthcare, “my primary concern is HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health).
“Other industries may be more concerned with requirements such as Payment Card Industry-Data Security Standard (PCI-DSS) for those making payments over the Internet or FISMA for the government sector,” he says.
Chris Clark, Senior Security Engineer at Synopsys, explains that the need for different “soft skills” can vary by industry and company culture. “An individual’s ability to cope with the stresses and rigors of each industry and role within that industry can vary greatly,” he says. “A candidate with excellent technical acumen may not have the soft skills needed to move from health care to, say, education or finance and vice versa. If you can show your adaptability, you have a head start.
How to attract the best
According to Indeed, the average security engineer salary in the United States is $103,620. Other sources report the range to be between $60,000 and over $200,000 per year.
Money is important to good candidates, but they also want to know that the company supports their work. “Without a doubt, the most important thing I look for in an employer is a serious commitment to IT security from management,” Cissorsky says. “Many organizations talk about a good game when it comes to infosec, but lack follow through, so I look for policies and processes that show the organization is serious. Beyond that, a meaningful commitment to training continuing is very important to me.
Clark said that although such benefits as unlimited vacation days, scholarships and free meals are enjoyable, even they will not go that far, “before the real issues should be addressed: Am -I valued? the company cares does my contribution and my well-being? what’s next? can I grow? These are just a few of the questions that, if a company can respond it has a much better chance to eliminate and keep the best and brightest, “he said.
Copyright © 2017 IDG Communications, Inc.