Who are these Cisco Security Intelligence Engineers?

May 9, 2012

Protecting data, resources, and assets, including audio-video (A/V) content and communications, no matter where they reside or travel on Cisco-powered networks, can be a daunting undertaking, to say the least. People are ultimately responsible for making this happen. With this thought in mind, here are a few questions that frequently challenge someone with this type of responsibility:

  • How can one ensure that the confidentiality, integrity, and availability of the core network keep pace with the introduction of new technologies, while managing the continuous stream of disclosures on existing product vulnerabilities and emerging threats?
  • What preemptive or corrective actions can one take to mitigate or remediate known or potential weaknesses in one's network operations?
  • What trusted informational resources are available that we can apply in the design, operation and optimization of a secure network, and where can this information be found?

This article provides personal insight into a specialized role residing within Cisco’s Applied Intelligence team, a team which was highlighted in the Network World feature article (page 3), “Inside Cisco Security Intelligence Operations.” The role is that of the Security Intelligence Engineer (SIE), a role which focuses on researching and producing actionable intelligence, vulnerability analysis, and threat validation that typically leads to providing answers and solutions to the challenges posed by these questions.

The SIE drives innovation in internal security programs that ultimately deliver security intellectual property to customers. Furthermore, the SIE has the expertise and deep security knowledge necessary to deliver Applied Mitigation Bulletins for Cisco Security Advisories and Responses, technical white papers, Microsoft Security Bulletins, and other vendor security advisories.

As an educator and thought leader, the SIE may provide security training and knowledge sharing at industry conferences such as Cisco Live and Black Hat. The SIE team has produced several mobile learning modules that can be used on most popular hand-held devices. For example, you might be interested in the Introduction to Network Security learning module that you can use to sharpen your security skills or prepare for a related security certification. The SIE also works on projects that enable additional security capabilities within Cisco services and products. An example of these efforts is evident in security services such as the Cisco IntelliShield Alert Manager Service and other intellectual capital that contribute to providing comprehensive security protection and mitigation solutions to customers, partners, and the networking community.

Similar to my previous blog article on the Cisco Security Analyst, the following section is taken from an interview that I conducted with the goal of providing prospective engineers a closer look into a day in the life of a Cisco Security Intelligence Engineer and also helping those of you pondering a career in the information security field.

What range of background does a Security Intelligence Engineer role have?

A promising engineer must understand core networking in order to properly understand the aspects to take into consideration and what factors are in play when it comes to providing security solutions for an environment. As the field of IT has changed in general and roles are more focused and specialist-oriented, SIEs bring a deep knowledge from other areas such as Unified Communications, Data Center, and Wireless. Non-technically, the SIE’s foundation is solidified with a holistic view of security, complemented by demonstrating adaptability and the ability to learn and reverse engineer new technologies.

What does an SIE do to come up to speed?

The SIE should be following the research community and industry and security forums. Stay passionate and be a sponge, learning from those in the field and around you. Ground yourself in understanding networking and the encompassing technologies, how they work at their core, and stay up to date with the direction of the field.

What do you like most about your role? (i.e. Why would you want to do this?)

It entails state-of-the-art information, learning and working on contemporary issues and concerns. The all-encompassing nature of the field provides new and constant opportunities to learn and grow. This exposes the SIE to a multitude of technologies and arenas in which security applies. Therefore, the opportunity exists to continue to grow and challenge yourself each day.

Can you share some insights on what your day-to-day core activities involve?

We research what is happening in the world of security such as current events. We interact with peers, colleagues and customers to seek areas of need or voids that need to be filled. We author, edit, and publish security collateral (i.e. white papers, training material, mitigation solutions, and security notifications). Testing, analyzing threats and mitigations are key activities, as well as collaborating with other parties in various security projects.

How does your day usually begin?

We research various security-oriented informational sites and other security mediums like podcasts and subscription-based services, to see what is occurring in the field. In addition, it is a good practice to create a to-do list or tasks for the day. If an incident has not escalated, we’ll go about the regular assigned tasks and projects.

What is a key aspect (qualitative or quantitative) of being successful?

It is key to understand how to balance daily tasks that could be measured qualitatively and/or quantitatively. These two approaches provide the correct level of contextual information. Also key is the drive to learn new things and work on them.

Are there any other aspects of your job that are especially essential as you work with your team members or others that depend on your work?

Time management is a critical skill. Be mindful of knowing when less is more by not expounding in communications beyond what is necessary, as there are many situations, such as non-disclosure agreements (NDAs), that should not be discussed. It is also important to keep focused without allowing the pressure or gravity of a situation to adversely affect you (i.e. knowing when to let go). Look at problems as objectively as possible and not emotionally. As always, ensure you create and keep the ability to balance your day and your life.

What else can you recommend to others regarding optimizing their practices based on your experience?

Leave the ego at home and be open to ideas, thoughts, and solutions. This will allow one to open their vision and understand the multitude of perspectives that exist. Research is essential to staying current, gaining thought-provoking insights on, and understanding the diversity of areas faced in this field. Become an expert in at least one technology area such as data center, firewalls, security policy, etc. If you can exert your expertise in one area, it is a stepping stone for many others. Ensure you have a deep understanding of networking at its core, as it will continue to be foundational to this field. Approach security early enough in your architecture, as security is part of the design, implementation and the operation phases of building a network.

What do you like to do for fun when you are not a practicing Security Intelligence Engineer?

One of our SIEs knows how to switch gears out of the office as an avid outdoorsman who also enjoys activities such as motorsports involving building, servicing, upgrading and racing motorcycles, cars, and anything else with an engine.

I encourage you to check out the security intelligence resources produced by Cisco’s team of SIEs, which explain how Cisco network security technology can be leveraged to protect against security threats. These and other resources available from Cisco include, but are not limited to, providing preventative and event-specific guidance.

In other articles, I would like to cover similar perspectives on other key roles in security management, like the IPS Signature Developer on Cisco’s IPS Signature Development Team, as well as the PSIRT Incident Manager. Both of these roles are highly focused on security, yet complementary in nature.



  1. Great read, Mike.