These days virtually any skills and titles related to cyber security are in high demand. Organizations are scrambling to keep up with the latest threats and vulnerabilities and deploy new tools and services to protect their data resources, and in many cases they lack the necessary expertise to do the job.
The work-from-home model that has resulted from the pandemic has made security even more of a concern for many IT and business leaders. All of a sudden a large part of the workforce began accessing corporate networks and data from remote locations, in many cases using devices and networks that might not be secure.
One of the key positions on the cyber security team is security engineer. These professionals help design systems and infrastructures that protect all the assets within the IT environment, including those located away from headquarters.
Security engineers might handle tasks including analyzing networks to make sure they are operating securely, and anticipating possible cyber security issues that might arise. They are often responsible for testing security software and monitoring networks and systems for any intrusions or other suspicious activity.
People in this role need to be able to quickly identify any potential threats and know how to best prepare for threats such as hackers, malware, and distributed denial of service attacks.
Among the common responsibilities of security engineers are helping to create security standards and practices for the organization; recommending security improvements to management; testing, deploying, and maintaining tools such as firewalls, intrusion prevention, and data encryption; conducting scans of networks and penetration tests to look for vulnerabilities; monitoring networks for breaches or intrusions; leading incident response activities and investigations into how intrusions occurred; and helping plan cyber security strategy.
Infosec, a firm that provides security-specific education and training programs, notes that the cyber security engineer role is one of the most sought-after careers in information security.
“Information security professionals who find themselves in this position get to use a broad information security skill set, help organizations secure their information environments from hackers, and get a firsthand opportunity to further develop their skill set on the job,” the firm says.
Among the key skills required for the position, according to Infosec:
- An expert-level understanding of information security concepts and their application via relevant technology solutions.
- The ability to develop, design, test, and deploy security-related systems and subsystems, as well as clean up computer code bases for common coding vulnerabilities, and work with other departments within the organization to secure IT systems.
- Penetration testing skills, especially if the organization does not have devoted penetration testers.
- Knowledge of network equipment and architecture, and possibly the ability to install, test, and configure an entire network infrastructure.
Depending on the organization, the role might go by another title such as IT security engineer, data security engineer, or application/Web security engineer, Infosec says. But their role and function within an organization is the same.
To work as cyber security engineers, individuals typically need to meet certain requirements, the firm says. That includes a Bachelor of Science degree, preferably in computer information systems, computer science, IT, or a related field; and five to 10 years of information security experience. “These requirements may vary from organization to organization, and will have a noticeable impact on your salary,” Infosec says.
One of the factors that can affect salary in the role of cyber security engineer is whether someone has earned cyber security engineer certifications. While there are no statistics that measure how much specific certifications will boost pay, Infosec says, most relevant certifications should help. Some examples of relevant certifications include Certified Information Systems Security Professional (CISSP), Certified Ethical Hacking (CEH), and GIAC Security Essentials (GSEC).
The role of cyber security engineer is currently one of the hottest in the information security field. Infosec notes: “Organizations are increasingly demanding this role to be in their rosters, because of the value they give organizations.”
To find out what it takes to become a cyber security engineer we spoke with Anna Zapata, cyber security engineer at communications services provider AT&T.
Education/Early Life
As is the case with many people who go on to technology-related fields, Zapata initially was not focused on preparing for a career in IT or cyber security during her undergraduate college years.
Zapata attended the University of Denver, earning a bachelor of arts degree in biology and public policy with a minor in business. It was not until graduate school, also at the University of Denver, that her focus turned to the IT area. She received a masters degree in computer information systems in 2003.
“My full intent was to go to medical school,” Zapata says. “Something about my junior year in college made me rethink that career choice. I decided to pursue IT instead, as I also always had a love for technology.”
Job history
Zapata began her career at the University of Denver in 2001, working as an assistant to the director of special events and assistant to the director of stewardship and development events before moving to the position of network security coordinator.
In that role, she gained knowledge about various cyber security tools from different vendors, and learned about locking down servers, desktops, laptops, and software to create a more secure infrastructure. She was tasked with the eradication of viruses and other malware on the university campus to keep its network up and running continuously.
Other skills Zapata learned include website development; security policy and procedure development and implementation; customer service and support for staff, students, and faculty; budget forecasting and planning; and moving a data center.
“The job opportunity coincided beautifully with my masters program,” Zapata says. “This position encompassed entry level/junior work that really helped foster the foundation of my career.”
In 2005, Zapata went to work for ProLogis, a real estate investment trust, as IT security and compliance analyst. Among other tasks she handled Sarbanes-Oxley audits for company compliance; and worked with C-level executives to push through important company policies and IT functions such as data classification, acceptable use policies, and the hardening of hardware and software.
This was followed by a position as IT specialist at container and shipping company American President Lines, where Zapata worked on desktop, laptop, and server deployment, implementation, and maintenance; as well as support for a variety of proprietary software applications.
The next stop on Zapata’s career path was a post as desktop engineer at the Colorado Community College System, where she was responsible for desktop and laptop deployment, implementation, and maintenance; and application creation and support. In this position she gained extensive knowledge in technologies from a number of IT and security vendors.
Following this was a brief stint as a corporate information security analyst at StoneRiver, a provider on insurance technology products. In this job Zapata created and developed enterprise information security policies and procedures, made technical evaluations of new security products, performed regular security functions such as access control log reviews, and investigated cyber security issues and determined appropriate response.
In March 2010, Zapata took on a post as senior elevated user support and trainer at the U.S. Forest Service, a government agency, where she provided training and support services to each region throughout the country. Other tasks included server migration education and assistance, end-user migration education and assistance, and documentation development and implementation.
Continuing with government-related work, Zapata served as IT security lead for an agency of the U.S. Department of the Interior, performing as lead contractor of the operations and support team. In this role, she worked closely with a managed service provider to ensure all hardware and software was secure, and collaborated with other team members working on code development and testing.
Other tasks included monthly vulnerability scans to allow for better visibility into the agency’s infrastructure to help determine points of weakness and vulnerabilities, and providing overall risk assessment for the agency based on Zapata’s knowledge and expertise.
In 2012 Zapata joined EchoStar, a provider of satellite communication and internet services, as principal IT security systems administrator/engineer. In this role she developed and administered a corporate-wide information security awareness program; developed and maintained information security policies, standards, guidelines, and procedures for all system environments; managed and maintained security systems and auditing tools; and performed system forensics and security incident investigations.
After about two and a half years she went to work as a senior IT engineer for DirectTV, a direct broadcast satellite service provider that’s a subsidiary of AT&T. She handled security operations on a broad scale for the company, managing a variety of technologies for end points and infrastructure, and correlating architecture and policies to support these practices.
Then in 2017 Zapata moved to her current role at AT&T, where she works on access control, enterprise perimeter firewalls, high-risk security controls, virtual private networks, and architecture/infrastructure.
“My career has a wide range from policy and procedure creation and execution to being technically hands on,” Zapata says. “I have worked in higher education, logistics, insurance, telco, and media. Like any career, there have been highs and lows. From layoffs of the Great Recession to pay cuts. I’ve weathered many a storm and continue to do so. It has been through trials and tribulations that I’ve seen my career grow.”
Memorable moments
The most memorable moment in Zapata’s career thus far was working for the U.S. Forest Service. “Truly one of my most proud and profound positions,” she says. “As a lover of our forests, as someone who hikes and spends her time in such sacred places, it was an honor to serve them.”
Ironically, what made it possible for Zapata to get a job at the Forest Service was a layoff from her previous position. “Yes, this sounds counterintuitive, but if something as awful as that layoff didn’t happen I would’ve never gotten the job,” she says. “Truly a life-changing and life-affirming position that will stay with me the rest of my life.”
Skills and certifications
Zapata says she has always been proactive about her education. “I knew graduate school was a good way of getting my foot in the door; but that was only the start,” she says. “It was through additional guidance and support [from a mentor] that helped me through graduate school and obtain the certifications I hold.”
Those certifications include GIAC Security Essentials Certification and CompTIA Security+. “I have sat for many other certifications,” Zapata says. “Although I didn’t pass them all, I gained a lot of insight and information to help me move forward in my career.”
Biggest inspiration
“I don’t have any inspirations outside of myself to do a job well, in a career I’ve held for 20 years,” Zapata says. “Inspiration comes within for me.”
Best career or life advice received
“Don’t be afraid to fail,” Zapata says. “We live in a society that looks down upon failure, as if it’s the end all be all. Failure and the ability to pick yourself up is [an] amazing feat. Never give up on yourself.”
Goals for current position and the future
Looking ahead, Zapata is looking to gain more education, as cyber security is an ever-evolving field.
Advice for others seeking a similar career path
“This isn’t an easy gig,” Zapata says. “I know a lot of people promise safety and security in IT. Ensure your own safety and security. Make sure this is something you want. It’s not an easy road. It takes years and years of education to gain the knowledge. Trust in your peers. Educate yourself. Hustle for what you want and pursue it as if your life depended on it. Stay the course. You’ll be rewarded.”