The Security Careers Guide

Head of Security Engineering

The responsibilities of the Head of Security Engineering, as the most senior engineering position within the Information Security department.

Chapter 3
Updated 6 Feb 2025

The Head of Security Engineering manages and runs the security engineering function within a business. They are often more embedded in the product and engineering departments than the other pillars of Information Security. A Head of Security Engineering usually has a background in hardware or software, and has extensive experience working as a Security Engineer.

A key responsibility of the Head of Security Engineering is to help devise the security engineering strategy, in collaboration with the security engineering team and any stakeholders. The strategy will align with the needs of the business, and take into account any regulatory requirements associated with the industry in which the business operates. They can then create objectives for the team, which are derived from the security engineering strategy.

The Head of Security Engineering will help mentor the members of their team, and encourage continuous learning and knowledge sharing. In a fast-changing threat landscape it is essential to have a high-performing team with access to the latest training. The team can then evolve their skills and understanding, which can enable more proactive evaluation of security tools, best practices, and techniques.

They will help to establish a security-first culture by embedding security engineering within the product and technology departments. That way security can be a first-class citizen, embedded in team processes, in the software development lifecycle, and in services while they are running in production. By establishing robust processes and supplying tools with the best developer experience, teams will be empowered to take ownership of the security posture of the products they are building.

To ensure the business maximises the return on its investment in security tooling, the Head of Security Engineering will evaluate and experiment with the latest technologies and platforms, along with their team. They will ensure access to the best security tools to satisfy the security requirements of the business. This will involve bringing in and evaluating new vendors, and managing those business relationships.

The Head of Security Engineering will report to the CISO in large businesses, and the CTO in smaller companies. This will involve regular, transparent communication with senior management and executives on how the security engineering strategy feeds into the bigger strategy for the security department and the wider business. It will also include insights into the security posture of any products deployed in production, along with updates on current objectives and any associated metrics.

A Head of Security Engineering will have the technical capabilities to drive improvements to the security culture within the technology department, and also the communication skills to sell ideas to engineers and non-technical stakeholders. They should be confident communicators and able to manage business relationships, and they should be capable of selling the benefits when security may be a competing priority with product development.

A Head of Security Engineering will often have certifications acquired as a Security Engineer, which are usually vendor-specific. They may also have more managerial-focused certifications, but these are often acquired once in the position. Here are some common certifications you might find a Head of Security Engineering has acquired:

This is not an exhaustive list, and the path to becoming a Head of Security Engineering is too diverse to cover all qualifications that may have been obtained along the way. Formal education is not even a requirement, although it may help. Experience of working within technology, being able to communicate with engineers, having a modern attitude to security in practice, and having extensive experience working as a security engineer or in a related role are what will give you the foundation to be a successful Head of Security Engineering.