What does a network security engineer do?

Caute_cautim · ‎03-19-2023

Hi All

Ever wondered what a network security engineer does?

Cybersecurity is complex. The digital transformation, remote work and the ever-evolving threat landscape require different tools and different skill sets. Systems must be in place to protect endpoints, identities and a borderless network perimeter. The job role responsible for handling this complex security infrastructure is the network security engineer.

https://securityintelligence.com/articles/what-does-a-network-security-engineer-do/

Regards

Caute_Cautim

JKWiniger · ‎03-19-2023

To me, this is another clueless person writing about something they know nothing about! This hurts the industry more than it helps. Why would this position need to know different programming languages or pen testing? Those would be 2 completely separate jobs. Outlining all hands on engineering tasks but then saying a CISSP is needed, which is a management certification just confuses people. And while I do understand that in recent years especially with the cloud the roles of network security engineer and just a security engineer has blurred together this goes far outside what a network security engineer would be, it's in the name "network." It is possible to have a security engineer also handle then network, but once you specifically have network in the job title you are indicating one area that will be worked on and you would not broaden it back down.

There is just so much more I could hit on but I think I have made my point.

Thoughts?

John-

Early_Adopter · ‎03-21-2023

+1

Can you really be a network engineer without also understanding network security? Moreover I’d hazard that a network security engineer had better understand networking.

PDNTSPA!

For either role you need to fit the whole zoo in your mental map, and go deep on each of the animals you find there, then grok the ecology and how it emerges in the wild.

JoePete · ‎03-21-2023

@JKWiniger wrote:
To me, this is another clueless person writing about something they know nothing about!

As broad as that statement is, I think there is a lot of truth to it, but to play blogger's advocate, the writing does accurately capture the pervasive mish-mash and misconception in the industry. I recall the days when the structure of things might be a "network manager," and those who reported to him or her were just "staff" handling the range of responsibilities. But in the past 20 years or so, we've seen a proliferation of titles that border on nonsensical. If I wanted to distinguish between an "architect" and an "engineer," I'd say one designs buildings and the other drives trains. At the risk of overt industry deprecation, I'd say most of us are "data plumbers." We separate potable info from the waste and ensure nothing leaks.

The opening statement of the blog -- "Cybersecurity is complex" -- I think misses the mark. That's like saying running is complex because of all the different running shoes you can buy and different training programs or diets. CIA is remarkably simple but effective. What makes our job difficult is not the objective but the plethora of distractions to that objective.

tmekelburg1 · ‎03-21-2023

@Early_Adopter wrote:
+1

Can you really be a network engineer without also understanding network security? Moreover I’d hazard that a network security engineer had better understand networking.

PDNTSPA!

For either role you need to fit the whole zoo in your mental map, and go deep on each of the animals you find there, then grok the ecology and how it emerges in the wild.

Well, that brings up a good point. What security specific job roles could we effectively eliminate if we built/designed the security function into the typical IT job role?

JKWiniger · ‎03-21-2023

@tmekelburg1 I think you are 100% right! Security needs to be built into every role and by having it as separate roles does it send the message that it's not their concern because the security team handles that? I consulted for a long time and I did whatever was needed, so I had security in mind on anything I did. I feel this is really how it should be. It's like building a house and then requiring a locksmith to come out to put the lock on the door. Can they do it, sure, should they need to, nope...

John-

tmekelburg1 · ‎03-21-2023

@JKWiniger Yeah, I think we need the highly specialized roles like IR, Intel, Forensics, and Malware Analysis (I may be missing a few), but it does seem like we can just add another paragraph to the job description to cover all the bases here. Somebody throw a wrench in this and tell us why it's a bad idea?

JKWiniger · ‎03-21-2023

@tmekelburg1 Another thought, which could help with the transition, is to have a team of security SME that other group would request consults from to make sure they are applying security correctly to whatever they are doing.

John-

Early_Adopter · ‎03-21-2023

Quite a few I’d reckon but networking is pretty well defined because you get it wrong stuff stops talking, so there isn’t much split between what you need for either.

Professional groups tend to have a emergent behaviour of carving out areas for themselves(security no different) but baked in not sprinkled on as a maxim points this way, security isn’t optional, therefore it should really be basic.

tmekelburg1 · ‎03-22-2023

@Early_Adopter wrote:
Professional groups tend to have a emergent behaviour of carving out areas for themselves(security no different) but baked in not sprinkled on as a maxim points this way, security isn’t optional, therefore it should really be basic.

Reminds me of the argument of the unaligned mission of IT vs. security within the org. One just wants it to function and the other wants the service to be secure (the department of "No"). When in reality, it can be combined using the functionality, usability, and security triangle.

We might chalk this up to being a vulnerability within the field. For example, the hyper focus on specialization results in great expertise in that area but it narrows our view and focus on how to fix issues. I'm not saying we don't need specialists because we do when you know what hits the fan, but it's something we need to be aware of.