Page 2 of 2 (posts 26 to 45 of 45)
  1. dou2ble (Senior Member) | Join Date: Sep 2013 | Location: Southern California | Posts: 156 | Certifications: CISSP-ISSEP, CRISC, MCSA
    #26
    Quote Originally Posted by Thechainremains:
        NO.
        If they wanted a real security engineer, they would have asked for more certs like Microsoft/Linux/Cisco. Then at that point it makes sense, but the combination of all those random certs just doesn't make sense at all.

    I have to disagree with your comment about "real security engineer". I work with CCIEs, Linux guys, and Microsoft consultants, and they aren't security engineers. They can certainly address security requirements, but they don't know how to identify risk and security laws and regulations. They spend their time building a solution and I advise on how to create it securely. I do the risk assessment and recommendations; they do the clicking and required research to build security into the solution. Together we get it ready for certification. It's also part of the SoD: they focus on functionality and security focuses on risk. I have some knowledge and experience in servers and networking, but I look at networks from a different perspective than they do. This has been my security engineering and IT audit experience in commercial and Federal work.

  3. Senior Member | Join Date: Mar 2014 | Posts: 199 | Certifications: CISSP, PMP, CISA, MBA-MIS, Six Sigma (White Belt), MCITP, MCSA, MCTS, VCA-Cloud, VCA-DCV, VCA-WFM, IBM DB2 Administrator, IBM FileNet Administrator
    #27
    Quote Originally Posted by Thechainremains:
        So I just came across this, and when I read it I was just stunned. You really gotta watch out for stuff like this. Googling some of this description listed a few staffing agencies who have "tried to fill the position," which further tells me this post is even more questionable.

        A few things...

        1) Who in the world is experienced in coding, or basically a programmer, and has security experience?

        2) Why would anyone with a security-related certification have any know-how of Active Directory? I mean the 2 just don't mix.

        3) On top of all of that, who would have Unix, Linux, BSD, or Cisco IOS experience to go along with it?

        4) No mention of a Linux+, Cisco cert or Microsoft cert, which in reality is what they are really after?

        5) They want someone with HIPAA and SLA experience but they don't even mention ITIL?

        Just a terrible, horrible job posting.

        JOB SUMMARY
        Designs, develops, configures, and implements solutions to resolve complex and highly complex technical and business issues related to information security, identity management, user access authentication, authorization, user provisioning, and role-based access control.
        Designs, develops, and implements solutions to successfully integrate new information security and identity management systems with the existing architecture.
        Provides end-user support as directed by management and works on multiple functions of high complexity. Identifies and recommends functional, technological and/or control solutions.
        May drive one or more projects as part of a Security or Security Risk Management team.
        Acts as a subject matter expert (SME) for one or more security, IDM, or risk management areas.
        May act as team lead for other security or risk management personnel.

        ESSENTIAL FUNCTIONS
        Coaches and trains engineers on integration of systems, including but not limited to databases, applications, network elements and devices, and data storage.
        Guides and mentors engineers on the development of custom scripts, programs, and application interfaces to enhance existing monitoring infrastructure as part of project team efforts.
        Pursues continuing education to maintain advanced knowledge of best practices, compliance requirements, and threats and trends in identity management and information security, translating into operational action items, policies, procedures, standards and guidelines as part of the IT Security team.
        Develops root-cause analysis strategies to determine improvement opportunities when failures occur. Contributes as lead and SME on incident research and resolution when appropriate, mentoring incident team members.
        Assists in Continual Service Improvement efforts by identifying, and sometimes leading, opportunities for process improvement.
        Manages workload, prioritizing tasks and documenting time, and other duties.
        Provides training, coaching, and mentoring for Engineers and Senior Engineers in the IT Security organization.
        Assists management in the definition of cross-platform information security and/or identity management policies and procedures, and acts as a senior contributor on departmental (IT Security) standard operating procedures, processes and guidelines.
        Drives and participates in the collection and documentation of departmental knowledge artifacts; key participant in the development, population, and championing of knowledge management and collaboration systems for the IT Security team.
        Communicates complex technical information to team members and all levels of management.
        Provides identity management advice and support for network systems and applications.
        Acts as a security advocate for the IT operations team's adherence to Dignity Health policies and industry best practices.
        Mentors and guides fellow engineers in the selection, installation, integration, configuration, and maintenance of information security systems.
        Defines Information Security frameworks for existing and new systems.
        Reviews and perfects diagrams, maps, and documentation of interrelated architecture and systems; proactively reviews solutions to determine possible failure points, coaching engineers accordingly.

        EXPERIENCE
        6+ years' experience in enterprise-scale information security engineering and operations required.
        Experience evaluating and implementing new hardware and software solutions and managing vendor support/SLA required.
        Experience with UNIX/Linux/BSD operating systems preferred.
        4+ years technical project experience designing, developing, integrating, and implementing solutions to resolve complex technical and business issues preferred.
        Coding experience and proficiency (e.g. Python, Perl, Ruby, PowerShell, Java, bash, etc.) preferred.
        Experience in Windows Office (Word, Excel, etc.) required.
        Experience in UNIX/Linux OS and/or Cisco IOS strongly preferred.

        EDUCATION
        Bachelor's Degree in Computer Science, Information Security, Information Systems, or related field, or equivalent professional experience required.

        TRAINING/CERTIFICATIONS
        Two or more relevant technical/professional security certifications (such as CompTIA Network+, Security+, SANS GIAC, CISSP, CRISC, CISA, or vendor-specific) required.

        SPECIAL SKILLS
        Proficient understanding of regulatory and compliance mandates, including but not limited to HIPAA, HITECH, PCI, Sarbanes-Oxley preferred.

    My profile fits the position you mentioned. I have the experience and skills they require, and I have been working with Python, PowerShell and Java. I used to code my own versions of tools in .NET.
    OSCP: Loading . . .

  4. gespenstern (Senior Member) | Join Date: Jan 2015 | Location: Chicago, IL | Posts: 993 | Certifications: Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #28
    I'm very good with AD, multi-site, multi-domain forest design for 15 years. CISSP, other certs, and worked in security. Know assembly language, can do malware analysis. Wrote some hundreds of lines of PowerShell code, Windows CMD/BAT shell and AIX Korn shell. And finally I work in healthcare, went through HIPAA trainings, participated in incident response in healthcare and can help with HIPAA compliance.

    I kinda suck with Cisco, but can do simple admin-level stuff.

    So it's not totally BS; I can imagine some guys who could fit, especially if the pay is good.
    Last edited by gespenstern; 03-05-2015 at 05:26 AM.

  5. impelse (Senior Member) | Join Date: Dec 2006 | Location: Houston, TX | Posts: 1,211 | Certifications: CISSP, CEHv7, CCNA, Security+, 70-290, 70-291, CCNA:S
    #29
    I think a lot of security guys are coming to be like generalists, doing a lot of stuff and then going deep until they begin to learn more security.

    Security is very difficult and wide. Just look at the CISSP: it is a bunch of knowledge that you need, and then you begin to choose your specialization.

    If you work for a consulting IT company for small and medium customers, then you will need to acquire a lot of those skills and more. In my case I wonder what new things I will get tomorrow, LOL.

  6. UnixGuy (Are we having fun yet?) | Join Date: Mar 2008 | Posts: 3,363 | Certifications: GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #30
    Quote Originally Posted by beads:
        Sounds like my job a couple of years ago, to be frank about it. Nothing wrong with the description at all, other than some of the wording does appear to be boilerplated in from another source.

        As an engineer you should really have a decent idea as to how to write and run a script, sheesh. Sounds like a fairly small shop with intent to grow. ...

    Impressive experience you have. How many years did it take you to reach that level? What kind of job gave you the chance to learn all this? A service provider/ISP/financial services? Did you change jobs a lot, or did you stay for years in some jobs? Any advice?
    Goal: GCFA (DONE), GPEN

  7. docrice (Random Member) | Join Date: Apr 2010 | Location: Bay Area, CA | Posts: 1,687 | Certifications: GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA
    #31
    Speaking just for my own experience, I'd say having a generalized background and some specialization really helps in making a good security engineer. Virtually everything stems from fundamentals, and being able to deep-dive requires seeing things from the ground up and recognizing the moving parts and mentally compartmentalizing them as needed. That's where being detail-oriented stems from, in regard to having a wide array of exposures and understanding the bigger picture, because everything's dependent on each other.

    Risk management and providing justification requires being able to research, figure things out, and demonstrate or relay the gritty details in a way that's relatable. Having that flexibility/adaptability requires 1) a keen interest and curiosity in general, 2) maintenance and self-refreshes as the larger world evolves, and 3) mental tenacity.

    In general, the security professionals that I've known don't see themselves as "having a job" but rather as being part of a larger mission. There are some IT professionals who are really dedicated to their craft, but there are also a lot more who just want to do their shift and go home. Security is going to be really, really tedious work for someone who just wants to get a paycheck.

  8. UnixGuy (Are we having fun yet?) | Join Date: Mar 2008 | Posts: 3,363 | Certifications: GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #32
    @docrice: thanks for the great answer.

    Just so we can learn something from this thread, seeing that we established that to be a good security ninja you need ninja experience in multiple domains: how did you go about getting experience in multiple domains? Did you work in different sysadmin roles before moving to security? Or did you get a junior-ish security position where you got a chance to learn multiple things?

    Sharing personal journeys helps a lot.
    Goal: GCFA (DONE), GPEN

  9. docrice (Random Member) | Join Date: Apr 2010 | Location: Bay Area, CA | Posts: 1,687 | Certifications: GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA
    #33
    In my own case (and I'm not implying this is the path everyone should take), I started out as a desktop support/sysadmin for Windows environments back when NT 4.0 was finally moving up to NT 5.0 (known as Windows 2000). My first exposure to "security" was when a senior admin was doing a domain password audit and mine was easily cracked (LM hashes, yup). He explained password complexity and how it relates to security requirements, domain identity theft, and so on.

    He also nudged me to attend DEFCON, and I think that's what started my traction and interest.

    I eventually moved on to a lab support role involving Windows, Unix/Linux, and eventually networking. Didn't really know what I was doing in many cases, but it all started falling into place after being exposed to many different areas. I think my first Linux install was Red Hat 7.3, and while I was comfortable working on the CLI from my old DOS days, Linux took some getting used to. In the new environment I was also prepping endpoints, client software, managing AD, setting up Linux hosts, running the PIX, deploying new VPNs, writing lots of documentation, working with lots of customers (doing some customer support as a product specialist allows you to get a sense of how other environments, large and small, operate), etc. Lots of opportunities to install and try things out. Break, fix, break some more, troubleshoot...

    I've been somewhat lucky to have landed the roles that I have, and a lot of it was due to good personal connections that had an "in" at different places. Very rarely have I gotten employment offers by going through the front door with a resume in hand or via a recruiter. However, a lot of it also has to do with the amount of effort I've put in, the results I've produced, my work ethic, and the impressions I've made. Without the latter, I'm certain the professional recommendations from others wouldn't have come. It required a lot of sacrifices and setting aside what many would consider a normal life. I've always had my home network structured like a simple corporate environment with DCs, firewalls, routers, switches, Windows domain members, Linux hosts, access points (with 802.1X configured), and whatever else, so if something breaks, my Internet connection stops working and I have to fix it. This really forces you to invest in your ability to figure things out.

    I took a CCNA bootcamp with a friend back in 2009, and while I already had Cisco device configuration experience back then, the bootcamp really did help in some ways. I didn't get any certs until then and have been on a roll since. I went from having no certs to being a paper tiger in no time (I've never failed an exam ... yet). I can now speak from experience about certifications and their relative worth as someone who has studied enough to pass exams and also someone who interviews and evaluates candidates for hire.

    Something else I should mention which I think has helped me grow professionally: working in smaller shops of around a few hundred employees rather than working in a large bureaucracy with thousands or more. You're thrown in a fire at smaller shops and wear many hats by necessity, forcing you to adapt. When you stress a muscle, you either make it or break it. Just have to be smart about how much exhaustion you allow yourself to take on.

    I currently run internal network security at a network security vendor. Our company runs, evolves, and changes fast. It's the nature of the industry and there's no room for complacency. I also interview candidates, interact with vendors, perform product evals, and whatever else comes my way (including the occasional rack-and-stack). Having a sense of all layers really helps put the links together.

    If there's one thing I've learned, complexity is the nature of the business, with the additional requirement of keeping up or being left out due to being ineffective. Results matter; effort isn't always recognized unless you can deliver value. If you want to know why so many companies get breached, it's partly due to lack of awareness at the senior management level (and the apprehension of the technology/manpower costs to protect assets), but it's also too many professionals drinking the vendor Kool-Aid and blindly trusting the fancy NextGen Cyber Threat Mitigation™ technology to do their job. Our job as security professionals is to scrutinize by setting aside our assumptions, recognize the limits of what the vendor sells, assess the ongoing/changing risks, and employ compensating controls as your management dictates by finding the right balance at a given point in time. This is why when vendors come into a meeting with me, I'm very terse about skipping the marketing bull and getting straight to the engineering. I don't have enough minutes in the day for excess and I no longer do vendor lunches.

    To anyone thinking of entering the security realm because of the fancy green text on black background (with anything malware-related highlighted in fixed-width red text), realize that there is some digital sexy involved in the work ... but it can be an agonizing, frustrating, supremely detail-oriented endeavor with a lot of explaining of each step, rummaging through incomplete/incorrect documentation, many false assumptions from your peers or management, increasing scale of things to monitor/protect, lack of budget, lack of staff, lack of good candidates in the resume pool, never-ending patching cycles, constantly cleaning up after sloppy configurations, technology shortcomings with vendor claims that don't always live up, and dynamically changing environments both internal and public. The real world looks nothing like what the textbook implies in the training courses.

    So now that I've exhaled a bit of a rant, I assure you it's not realistic for everyone to know everything. There's too much ground and minutia to cover. What does help is if you're motivated to learn how things really work under the hood and how the parts fit together, you understand what personally drives you into this role, and you have a commitment to keep improving with a willingness to stay on top as much as you can. Everyone has specializations, but having those strong fundamentals really helps you see what the sysadmin/network admin/DB admin/user/application/business partner is perceiving. Without that perception, doing security effectively is hard.

    If you really like this stuff, you will never stop reading and tinkering. That's what makes you stand out, because your intuition and technological sense will outgun the person next to you. You must always compete with yourself, not just others. Not everyone in security will have all the fundamentals, but the common security practitioner will need to be versed in the obvious areas.

    Don't expect security certifications to teach you everything. They are merely the first step into a larger world, and security is based on existing domains like managing Windows networks or web applications. Applying what you've learned and discovering the gritty oil between the gears of the moving machine helps you realize how a simple valve in an engine can hold so many other things together. Part of the experience of growing is banging your head against the wall until you realize there's another way. That's why it's so important to Try Harder.

    Oh yeah, and learn to type fast. It really helps to get things done.

  10. Member | Join Date: Jun 2013 | Location: Bucharest, Romania | Posts: 80 | Certifications: eCPPT, CCNP, CCNA Sec, CCNA, Security+, Linux+
    #34
    Hey docrice! Thank you for taking the time to write this awesome post!

  11. Senior Member | Join Date: Feb 2015 | Location: Tampa, FL | Posts: 279 | Certifications: GPEN/GCIH/CEH
    #35
    Quote Originally Posted by Thechainremains:
        So I just came across this, and when I read it I was just stunned. You really gotta watch out for stuff like this. Googling some of this description listed a few staffing agencies who have "tried to fill the position," which further tells me this post is even more questionable.

        A few things...

        1) Who in the world is experienced in coding, or basically a programmer, and has security experience?

        2) Why would anyone with a security-related certification have any know-how of Active Directory? I mean the 2 just don't mix.

        3) On top of all of that, who would have Unix, Linux, BSD, or Cisco IOS experience to go along with it?

        4) No mention of a Linux+, Cisco cert or Microsoft cert, which in reality is what they are really after?

        5) They want someone with HIPAA and SLA experience but they don't even mention ITIL?

    Some parts of this make a lot of sense. A security person should have an understanding of programming at some level, so it's not out of the range of desired qualities. They should also have SA/NA experience to get into security, so they should understand and have worked with AD and Cisco. If you are a security person who doesn't have Linux experience, you are in management. Outside of the HIPAA/SLA experience, I'd fit those qualities. I spent years as an SA with AD. CCENT certified, was well prepared for CCNA/CCNA:S. Experience with Linux including BT/Kali. Studying Python/C/ASM in prep for the CREA.

  12. UnixGuy (Are we having fun yet?) | Join Date: Mar 2008 | Posts: 3,363 | Certifications: GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #36
    Thanks for the great contribution docrice!

    I think it all comes down to personal internal motivation, and nailing down WHY you even study or bother.
    Goal: GCFA (DONE), GPEN

  13. Deathmage (Senior Member) | Join Date: Apr 2013 | Posts: 2,413
    #37
    My co-worker at work is the perfect person for this role. He's been in IT since he was 16 and he's 44 now. He's the best programmer/developer and Oracle/SQL administrator I know, with a strong understanding of security and system administration in Unix and Linux. His problem is he can't do it all, so he's just the programmer/developer of the SyteLine ERP and I do system/network administration. It's the perfect match, and the amount I've learned in one month from him is immense; plus we're both Trekkies, like c'mon!!!!

    To put his level of madness into perspective, he's currently doing his MCM in SQL.
    Last edited by Deathmage; 03-07-2015 at 01:41 AM.

  14. dou2ble (Senior Member) | Join Date: Sep 2013 | Location: Southern California | Posts: 156 | Certifications: CISSP-ISSEP, CRISC, MCSA
    #38
    Quote Originally Posted by docrice:
        Speaking just for my own experience, I'd say having a generalized background and some specialization really helps in making a good security engineer. Virtually everything stems from fundamentals, and being able to deep-dive requires seeing things from the ground up and recognizing the moving parts and mentally compartmentalizing them as needed. That's where being detail-oriented stems from, in regard to having a wide array of exposures and understanding the bigger picture, because everything's dependent on each other.

        Risk management and providing justification requires being able to research, figure things out, and demonstrate or relay the gritty details in a way that's relatable. Having that flexibility/adaptability requires 1) a keen interest and curiosity in general, 2) maintenance and self-refreshes as the larger world evolves, and 3) mental tenacity.

        In general, the security professionals that I've known don't see themselves as "having a job" but rather as being part of a larger mission. There are some IT professionals who are really dedicated to their craft, but there are also a lot more who just want to do their shift and go home. Security is going to be really, really tedious work for someone who just wants to get a paycheck.

    Well said! Articulate and on point!

  15. Deathmage (Senior Member) | Join Date: Apr 2013 | Posts: 2,413
    #39
    Quote Originally Posted by dou2ble:
        Well said! Articulate and on point!

    In this industry you really gotta have it as a passion.

  16. higherho (Senior Member) | Join Date: Oct 2010 | Posts: 861 | Certifications: CISSP, CEH
    #40
    Quote Originally Posted by dou2ble:
        I have to disagree with your comment about "real security engineer". I work with CCIEs, Linux guys, and Microsoft consultants, and they aren't security engineers. They can certainly address security requirements, but they don't know how to identify risk and security laws and regulations. They spend their time building a solution and I advise on how to create it securely. I do the risk assessment and recommendations; they do the clicking and required research to build security into the solution. Together we get it ready for certification. It's also part of the SoD: they focus on functionality and security focuses on risk. I have some knowledge and experience in servers and networking, but I look at networks from a different perspective than they do. This has been my security engineering and IT audit experience in commercial and Federal work.

    Identifying risk, security laws, and regulations is important, but that's not "engineering", that's Information Assurance. It's sad that everyone calls themselves an engineer, but honestly anyone can read up on NIST documentation, a STIG document, and IA controls to review a configuration. A true engineer will know how to build, design, and configure it to meet those controls, and after doing it for so long they will also know the laws and regulations. Not to mention it's the engineers that originally found those risks to mitigate (create a patch for) them anyway.
    Last edited by higherho; 03-09-2015 at 06:40 PM.

  17. Chivalry1 (Senior Member) | Join Date: Mar 2005 | Location: 127.0.0.1 | Posts: 554 | Certifications: CISSP, CICSP, MCSE, C|EH, MCSA, MCITP: EMA 2K7/2010, MCTS: Exchange 2K7/2010, Sec+, Net+, CCA-XENAPP, ITIL-V3, MCDST, MOS
    #41
    Interesting thread... I think you will find it common that most IT Security professionals have a broad background in various IT technologies. Particularly in my circle, most come from networking and/or system administration; not many programmers or app developers. I come from a consulting background, so you had to be a JOAT. I would venture to say most of the IT Security people I know, including myself, could comfortably apply for this job without issue. What would be unreasonable is if this job only paid $20,000 annually.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915)

  18. Senior Member | Join Date: May 2012 | Location: Montreal | Posts: 210 | Certifications: MSCE NT4, MCSA 2008, MCITP:SA, ITIL F 2011, JNCIA JunOS, 70-480 HTML5/CSS/JS, MCSA 2012, Cloud+
    #42
    It seems like a fairly standard job description for a skilled security engineer; not sure why you take exception to it.

    I feel like security jobs have become somewhat watered down in the past 15 years. I remember when I was starting out in IT, the people involved in security were Unix/BSD/Linux experts and Windows experts; they could code in C++/Assembly and write their own exploits or patches. Security roles available were few and far between, and the guys in them were superstars.

    Nowadays I feel like security roles are more regulatory than technical. I work with a CISSP, and yes, he definitely knows all the laws etc., but when it comes down to configuring iptables on a Linux machine he isn't too good at that.
    Then you have the security analysts who, all they do is monitor logs and make firewall or application adjustments.

    The fact that the guy who started this topic finds it outrageous that a security engineer is expected to code shows how watered down these roles are now.

  19. dou2ble (Senior Member) | Join Date: Sep 2013 | Location: Southern California | Posts: 156 | Certifications: CISSP-ISSEP, CRISC, MCSA
    #43
    Quote Originally Posted by higherho:
        Identifying risk, security laws, and regulations is important, but that's not "engineering", that's Information Assurance. It's sad that everyone calls themselves an engineer, but honestly anyone can read up on NIST documentation, a STIG document, and IA controls to review a configuration. A true engineer will know how to build, design, and configure it to meet those controls, and after doing it for so long they will also know the laws and regulations. Not to mention it's the engineers that originally found those risks to mitigate (create a patch for) them anyway.

    It's funny that you mention NIST and then say that "A true engineer will know how to build, design, and configure it to meet those controls and after doing it for so long they will also know the laws and regulations". That is a true statement but incomplete. You might want to check your NIST documents (since you're most likely in DOD) because you're mixing a system engineer with a security engineer into 1 position. These are 2 different roles that are often held by only one person. You're also making it sound like security engineering and IT audit are the same. They both involve "identifying risk, security laws, regulations", but the purpose for doing these steps is different. One is to build correctly and the other is to assess if it was built correctly. Some of the security engineer functions are assessing the desired solution to be engineered and identifying threats and security controls, which then lead to security requirements and making specific recommendations (technical background really helps here). The system engineer then builds a solution, with the help of a security engineer (again, this is where a technical background really helps), to address those security requirements. For information assurance, this is where C&A or IT audit (SOX, ISO 27001, etc.) is most likely done. You certify that it's been built correctly and all policies are met, and if an accreditation is desired you proceed to obtaining that.

    Information Security focuses on the security infrastructure and building it correctly with security in mind. Information Assurance is more concerned with policies and whether they're implemented. I've heard so many interpretations of this, but this is the one that makes the most sense to me. DOD likes to confuse the 2 and make them interchangeable.

    One of the big reasons DIACAP and FISMA have so far failed is that they primarily focus on Information Assurance/C&A only; they check the box with no desire to actually find the risks early on as part of Security Engineering and then build the right security infrastructure.

    I'm assuming in your last statement you mean system or network engineer. Either way it would be inaccurate. A system engineer might find the vulnerability through a scanning tool or news, but rarely do they find the risk. Vulnerability and risk are not the same thing. The risk is determined by assessing the vulnerability, threat and impact to your environment. Patches are also created by programmers, not engineers. When a system engineer, security engineer, vendor or any other worker identifies a vulnerability, it then has to be assessed for your environment to find the risk.

    We could go on and on about what a Security Engineer used to be or should be, but that doesn't change what a Security Engineer is required to do today and the job descriptions seeking one.
    Last edited by dou2ble; 03-10-2015 at 09:03 PM.

  20. higherho (Senior Member) | Join Date: Oct 2010 | Posts: 861 | Certifications: CISSP, CEH
    #44
    Programmers are engineers, software engineers. I guess it's just my personal belief that the C&A, A&A, RMF reviewers are regulators and not engineers. At least the ones I have met. The people who develop and find those risks for the regulators to search for are engineers. Way too many check-box monkeys I've encountered. Overall a security engineer would have both the technical aspect (like the main job posting states) and understand the laws. They need to be technical enough to find the risk (similar to an IRRT / RED team combo imo).

  21. dou2ble (Senior Member) | Join Date: Sep 2013 | Location: Southern California | Posts: 156 | Certifications: CISSP-ISSEP, CRISC, MCSA
    #45
    Quote Originally Posted by higherho:
        Programmers are engineers, software engineers. I guess it's just my personal belief that the C&A, A&A, RMF reviewers are regulators and not engineers. At least the ones I have met. The people who develop and find those risks for the regulators to search for are engineers. Way too many check-box monkeys I've encountered. Overall a security engineer would have both the technical aspect (like the main job posting states) and understand the laws. They need to be technical enough to find the risk (similar to an IRRT / RED team combo imo).

    Haha, yes, programmers are software engineers. Although I don't think that's what you initially meant.

    You're right that "C&A, A&A, RMF reviewers are regulators and not engineers". Although they're more auditors, not regulators, since they can't regulate anything. They only assess compliance. I guess "check-box monkey" is another name for them. Maybe I'll add it to my signature, since I did that for a bit for one of the Big 4. Haha!

    The Security Engineer, a hybrid of technical and auditor like you described, is where I see the future moving to. This is what I do now, and I think most bigger companies and the government will move towards this. I used to create GPOs, write scripts, set permissions, ACLs, configure routers, etc., but now I just consult for the Microsoft and Cisco engineers to make sure security is built into the baseline from the ground up, and in some ways I'm the customer's representative to the auditors.
    Last edited by dou2ble; 03-10-2015 at 10:29 PM.