System Security Engineer is a critical job in the cyberspace workforce. As information technology has become a centerpiece for our lives, the security of IT has been more and more in demand. A security engineer is expected to have a working understanding of IT enough to be able to strike a balance between operational functionality and application security controls.
System Security Engineer (ISSE, CSSE, SSE I/S Security Engineer) actually can mean anything.. So you actually need to read the job description. But in this post, I am referring to SSE from the perspective Risk Management and DIARMF.
And Risk Management SSE needs to be savvy enough with the operational needs and security needs to balance the risk. While a security engineer does not take risks of the organization they work for, they do consult the decision makers that do take risks.
Many security engineers are not hands on. Meaning they might not touch the servers or configure routers, but they must know enough to orchestrate the over all security of the organization or system they are assigned to.
System Security Engineering Tasks
I have been in system security engineer positions where I did have hands-on tasks working directly with the system administrators and I have had some where I rarely even seen the systems that I wrote system security plans for.
System Security Engineers do consultation where they are working directly with information owners, project managers, information system security managers or technical security practitioners to come up with the most cost effective strategy for applying security controls with a certain level of effort within a certain time constraint. A good security engineer understands all these factors and make sure the decision makers are well informed. As an SSE the last thing you want to do is a prima madonna and attempt to put security beyond the scope of the operational mission. And don’t be a hero, even if you really care about the mission you must ALWAYS remember the risk is not yours to bear and neither is the decision of what security controls (if any) will be applied.
Tasks of a system security engineer
System security engineers do system security related documentation such as system security plans, plan of action and milestones, security assessment reports and other supporting documentation.
A day in the life of a system security engineer might consist of attending configuration management meetings, meeting with system administrators to address new challenges, writing authorization packages, coordinating with other units to complete an authorization package, reading the latest change to a regulation or organizational standard, WRITING an organizational standard and in some cases they are actually doing security administration on some system.
CYBER System Security Engineer (CSSE)
With Dod 8140 and the cyber-ization of the every goddamn thing! I believe the new term will be CYBER System Security Engineer (CSSE) and in the past it was commonly refer to as an Information System Security Engineer (ISSE).
As stated above and SSE can be just about anything computer security related. I have been a SSE and done nothing put paperwork but also been an SSE and done mostly installations of system security controls. My former co-worker just got a position as an Information System Security Engineer (I/SE) and he will be doing all ArcSight admin stuff.