In my opinion there are no such things as very delimited areas in Security, but rather only Security Engineering. It’s like software development, where people try to map their areas to frontend / backend or whatever, but in the end what actually matters is having good programmers - code is always the best. (code is king)
Below, you can see my version of a “real” Security Engineering job description that falls into the realm of DevSecOps & Automation. I hope it will help your company in the long term to grow strong teams, rather than USE employees as a pipeline or as replaceable elements, which creates higher attrition. Remember, even if the focus is on the technical side, one MUST care about nurturing people - sending them to conferences, paying for their education & certifications, having real-care discussions with them, and more.
A Security Engineer is responsible for developing systems for detection, prevention, analysis, reporting, and lifecycle management of software vulnerabilities and other security-related needs. The ideal candidate will be required to demonstrate software development, infrastructure and network security skills, work with a cross-skilled security engineering team, and have regular contact with the DBAs, development, architecture, infrastructure, network and other teams or business stakeholders.
- OSCP is required or must be taken in the first year after joining the company.
- Soft skills and strategic thinking to create the right environment for pushing the best ideas.
- BS Degree is not a must, but demonstrating knowledge & experience in real projects is.
- Programming skills or knowledge of any scripting language - especially Python.
- Security, Automation and DevOps mentality, plus knowledge about Security as Code, which creates less friction between teams: working together with them instead of just handing over security requirements.
- Very good understanding of web related stack and concepts.
- Fluency in English (work related), plus learning some words from cross-location teams - specific to each country where offices exist.
- Experience with Everything as Code and how to integrate Security into this flow - CI/CD.
- Hands-on experience in hardening, secure systems, firewalls, authentication systems, content filtering, vulnerability management tools, security scanners etc. - buying consultancy is “Acquisition”, not “Security”.
- Knowledge about web servers, load balancers, firewalls/WAF, CDN, SSL/TLS, VPN, LDAP, DNS, Unix, Git, Python, Network, Infrastructure, Databases, ULS, IDS, DDoS, SDN/NFV, hIDS/IPS, …
- Knowledge of cloud security architecture - AWS, GCP, Azure, OpenStack - not the theory and the marketing terms, but a real understanding of the tech stack.
- Ability to think like an attacker and solve complex problems with expertise and ingenuity, but at the same time, be able to think like a gatekeeper (Red/Blue Team).
- Able to explain in simple words web technologies and how the full stack works - if we need to go into details, just use the documentation (“a man” of “man man”).
- Performing penetration tests, threat analysis, vulnerability assessment and incident response.
- Able to create & apply security requirements for multiple technologies and business projects.
Nice to have
- Reported security issues to other companies or to bug bounty programs.
- Ability to do presentations about DevOps, Automation and Security.
- Keep up with security trends and exploits from news.
- Mentoring and leadership skills.
Be mindful when the business is falling for the hype and uses technologies just because they are trendy. Companies need to evolve by themselves to achieve automation, AI, ML or other advanced technologies; otherwise it’s like flying rockets without knowing anything about physics.