Why every Security Engineer needs to know UX, program management and be imperfect.
09 Jul 2024
In the past decade, the landscape of technical roles has transformed dramatically. Where once software engineers, ops, and sysadmins had distinct skill sets, the advent of DevOps has blurred these lines, creating an expectation for multifaceted expertise.
In the security field, while technical expertise remains paramount, it’s crucial to balance this with project management skills and a deep understanding of user and client needs. Your colleagues are your internal clients, and being able to manage projects efficiently and empathize with user requirements can be as important as keeping up with the latest security trends. Often, having the “perfect technical solution” is neither needed nor required by a company.
Hint: Maybe you don’t need Kubernetes https://endler.dev/2019/maybe-you-dont-need-kubernetes/
Stepping back and looking more generally, there are 3 things I’ve seen that differentiate many good security engineers from bad ones: knowledge of UX, project management and admitting when they are wrong. Delivering a good user experience, understanding the customer and providing a solid product is often the 10x multiplier that many people strive for but do not always get.
https://www.marclittlemore.com/be-a-force-multiplier/
UX
User experience (UX) design is the process design teams use to create products that provide meaningful and relevant experiences to users.
What many security engineers don’t realise is that a product does not have to be software; it can also be the work they deliver.
Security processes, policies, and internal offerings often suffer from poor user experience. Consider the difference between presenting a security tool with no automation, documentation, or examples versus providing a tool accompanied by thorough documentation, automated processes, and accessible security support channels. The latter approach not only enhances usability and the overall user experience but also ensures better adherence to security protocols.
What we should strive for is providing a good user experience and easy-to-use security services, tools and documentation.
Program and project management
How often do security people ask themselves:
“Would I be satisfied with this product/service/feature if I were the user?”
“Does the business actually need this perfect implementation, or can the issue be solved by a less technically perfect solution?”
Striving for the perfect solution isn’t always the best approach. Effective security engineers understand the importance of finding a balance between technical excellence and business practicality. Instead of chasing perfection or settling for a quick fix, they seek the ‘right level of good’—a solution that is both effective and feasible.
https://xkcd.com/1425/
As unusual as it sounds, good security engineers get deeply involved not only with the tech side, but also with the product and project management side. Getting involved with other teams, driving security initiatives, removing roadblocks (how often was lack of automation an issue for you?) and adapting to your client are things good engineers strive for.
Being imperfect
The Unseen Virtue in Engineering: Humility
Humility is a critical yet often overlooked trait in security engineering. No matter your level of skill or experience, a hostile or toxic attitude can hinder team productivity and morale. Great security engineers recognize their imperfections, welcome honest feedback, and rely on collaborative efforts to achieve common goals.
Ultimately, what distinguishes great security engineers is their balanced skill set—combining technical prowess with project management, UX understanding, and humility. By recognizing their limitations and valuing team collaboration, they drive security initiatives that are not only effective but also embraced by the entire organization.