Life As A Security Engineer

Insights from 400 Security Professionals Around Challenges They Face With Existing Tools

Download the PDF

Profile of Who We Surveyed

Because the purpose of this survey was to learn more about security engineers specifically, rather than a broader segment of the security industry, we limited our query to only those individuals actively working in that role. By far the largest group, 34.3%, work for companies they describe as being in the technology industry, and 31.4% of the respondents work for medium-sized businesses.

If we were to build a baseline profile of the typical respondent for this survey, it would be a security engineer who has worked for about seven years at a medium-sized, cloud-native technology company.

The majority of security engineers have earned a master’s degree.

If our survey represents the industry at large, and we designed it to do just that, it suggests that most security engineers (56%) earned a master’s degree before obtaining that role. Professional security certifications (49.2%) are also common among those in this segment of security practitioners.

So, as we continue to build upon the profile of the typical security engineer, we can add that they tend to be well-educated, both from the perspective of university-level studies and more specific knowledge based on industry certifications.

Pay and job stability are essential, but so is passion.

Passion for cybersecurity ranked third (21.7%), but only slightly behind job stability as the primary reason for becoming a security engineer. This speaks to the mission-driven nature of cybersecurity and the rewarding aspects of thwarting attacks.

Experience Working As A Security Engineer

We crafted this portion of the survey to illuminate those aspects of working as a security engineer that practitioners find fulfilling and frustrating. We look at job satisfaction and how that may cross over into other parts of the life of a security engineer.

From compensation to COVID, we’ll provide insights into what employers should know about why security engineers are content, happy, and productive, and in some cases, not so much.

Keeping their company secure is what they enjoy the most about their job.

When asked what they enjoy most about being a security engineer, the most popular response by far was that they derive personal satisfaction from keeping their company safe (33%).  This speaks volumes about the character of these individuals, and relates back to our earlier finding that passion for cybersecurity is a key reason they pursued this career path.

The second most frequently chosen answer — learning about new technologies (16.8%) — signifies their curiosity and desire to be learning continually. Given how rapidly cybersecurity evolves, it makes sense that the people drawn to this role enjoy the challenge of learning new things.

 

Keeping up with constantly changing technology is their number one challenge at work.

It is interesting to note that while many of the security engineers surveyed indicated that they enjoy learning about new technologies, many (32.7%) also indicated that "constantly changing technologies" was their biggest challenge. The explosion in cloud and SaaS applications is a good example of a fundamental shift that is driving a fast-growing and ever-changing attack surface, and new challenges for security engineers.

Most feel well compensated, but we shouldn’t ignore that a full third do not.

Hiring managers in the security industry often struggle to fill open roles due to the overall skills gap when it comes to security. As a result, salaries have increased for security engineers, meaning that organizations that don’t (or can’t) keep up with salary requirements will have trouble retaining their staff. As a result, organizations would be ill-advised to ignore the fact that a third (34%) of their security engineers feel underpaid.

But let’s focus on the positive for a moment. It is a credit to the security industry that most — in fact, two-thirds (66%) — of security engineers indicated that they feel they are compensated fairly. This investment in security talent is well worth the return, given that security engineers play a crucial role in protecting their organizations’ ability to operate effectively.

Security engineers get their information from a broad spectrum of sources.

We asked security engineers what their primary source of information is for keeping their knowledge up to date. The answers paint a picture of a group of professionals who leverage a variety of information sources.

Blog posts are the number one resource security engineers use for information. Many security bloggers have built their reputation over years of providing credible and useful information to the security community, and therefore have become a trusted resource.

It is telling to note that there is not much difference in the number of security engineers that use the top three answers: blog posts (49.2%), research papers (42.4%), and forums (42.4%). Social media (40.1%) also ranks high as a source of information, which is not surprising considering that social media is a good source for new and developing information — zero-day cyber threats, for example.

49% say COVID has made their jobs more stressful.

For many companies, the answer to keeping their employees safe during the pandemic was to have them work from home. This sudden and near-total shift to WFH caused an exponential increase in the size and shape of the attack surface for most companies. Security engineers were at the forefront of finding ways to keep their organization’s networks, endpoints, and sensitive information protected, no matter where employees were working. Therefore, it comes as no surprise that 48.5% of security engineers responded that COVID has made their lives more stressful.

57% are very engaged, but almost half say they feel very burned out.

The ability to stay engaged in work is a key indicator of job satisfaction. When employees are unsatisfied, they find it much more difficult to stay engaged.

Because the responsibilities of security engineers are critical for protecting their organizations, it is encouraging that 57.3% indicate they are very engaged in their work.

However, the survey results also show that a significant portion (48.2%) feel very burned out. Given the important (and often stressful) role played by security engineers, it is not surprising that it can take a toll in terms of burnout. Organizations need to be cognizant of this, and actively work on solutions to support employee health, retain their security staff, and prevent cumulative exhaustion from introducing risk to the organization.

Section Summary

Our picture has become more apparent as we have looked deeper at what provides security engineers a sense of satisfaction at work, what they enjoy about their jobs, and what challenges they encounter. We know from their answers that they love a good challenge. They’re curious and like to gather information from a wide variety of sources. And, most feel engaged in their work, however burnout is a common challenge.

Let’s now pivot to look at the tools they use, how satisfied they are with their tools, and what tools they wish they had.

Tools

The tools security engineers have access to and how well those tools perform have a major impact on their ability to do their jobs well. In this section, we look at tools and their capabilities.

Three tools engineers are most happy with in terms of capabilities.

In order of satisfaction, the top three security tools are:

It is also interesting to note that a sizable percentage of respondents indicated that they would like to have access to these tools but do not (13.9% for CASB, 11.9% for EDR, and 11.7% for SIEMs). For organizational leaders wanting to improve their security teams' effectiveness, ensuring they have access to these three categories of tools could be an excellent place to start.

Three tools engineers are least happy with in terms of capabilities.

Our respondents were least satisfied with the capabilities of:

Please rank how you feel about the capabilities of the following tools you use in your work as a security engineer.

Responsibilities

In the previous section, we asked security engineers about their satisfaction with specific categories of tools. In this section, we explore how well they think they can perform specific functions of their role with the tools they have.

Outlook For the Future

We look down the road to see what security engineers and their employers might expect in the next year, and the skills needed to thrive as a security engineer

67% are planning to leave their job in the next year

One of the most alarming findings from this survey is that the majority of security engineers (67%) indicated they plan to leave their job in the next year. There is rarely a single reason why employees plan to change workplaces. Still, unhappiness with their pay (29.5%) is the biggest reason security engineers gave, by nearly a two-to-one margin. Dissatisfaction with their company’s culture (15.9%) and how much importance their employer places on security (15.5%) are two additional reasons engineers cite as significant factors for leaving their job. Overall, engineers take their responsibility to protect the organization they work for very seriously. Being a security engineer for a company that does not put enough emphasis on security or provide adequate support to their security teams can be very difficult. It is also reasonable to attribute some turnover to the fact, as discovered by question 14, that 80.2% of security engineers feel at least somewhat burned out in their jobs.

Scripting, writing software, and cloud computing are the top three skills for the future.

Looking forward from the security engineer’s perspective, adding scripting to their list of skills should be a priority, as reported by 22.7%. The need to have a firm grasp on the security aspects of cloud computing is a predictable answer to a question about future skills. Still, the number one answer (scripting) and number two answer (writing software, at 17.8%) are fascinating. This speaks to the convergence of software development and security operations and the frequent need for security engineers to write code to automate tasks and fill gaps in their technology stack.

Summary

As we’ve seen from this section, many security engineers may choose to change jobs in the coming year, and many will continue to acquire new skills to enhance their abilities. Organizations should take steps to retain these valuable employees by recognizing the importance of security, offering competitive salaries, and providing the tools security engineers need to do their jobs well.

Conclusion

The Life as a Security Engineer 2021 survey results offer insights into one of the more technical roles within security teams.

We all could have guessed that COVID and the resulting work from home culture have put additional stress on security teams, yet most security engineers continue to feel engaged in their work. Burnout is certainly a risk, as is the chance of turnover, especially for organizations that don’t demonstrate that they value cybersecurity. Employers can't do much to alleviate the stress caused by COVID, but they can evaluate what new tools their security teams need to do their jobs well and ensure that the company culture emphasizes the importance of security.

Experienced security engineers are in high demand, and that trend will no doubt continue in the future. Organizations would be wise to evaluate how they can best retain their security staff as this is essential to protecting their business from disruptions caused by a breach.

Life As A Security Engineer

Insights from 400 Security Professionals Around Challenges They Face With Existing Tools

Download the PDF