Dropbox Engineering Career Framework

IC2 Security Engineer

I work with stakeholders, peers and my manager to deliver robust risk analyses, designs, or solutions to security problems identified by me or my team

Scope Area of ownership and level of autonomy / ambiguity

  • I own identifying, testing, mitigating, and/or responding to security issues/incidents within the scope for my team and projects.
  • I effectively participate in the core processes of my team (planning, on-call rotations, incident response, consulting meetings, etc), including recommending and implementing improvements.
  • I work on small and defined security problems where the security solution might not be defined. I own the implementation.

Collaborative Reach Organizational reach and extent of influence

  • I work primarily within the scope of my team I collaborate with peers and seek high level guidance from my manager/TL. I review small tools and software components for a team.

Impact Levers Technical levers typically exercised to achieve business impact

  • I am increasingly mastering my craft and learning when to hone and apply some of a broad array of talents utilized by security engineers to solve a security problem.
  • I accomplish tasks. I can define requirements.
  • I may participate in mentorship activities.
  • I work at the small to medium size component level. I mitigate threats and small risks to applications. I improve team efficiency and processes.

🏆 Results


  • I act with urgency and deliver high-quality work that will add the most value
  • I work with my manager to direct my focus so my work advances my team's goals
  • I prioritize the right things and don't overcomplicate my work. When necessary, I propose appropriate scope adjustments.
  • I effectively participate in the core processes of my team, including recommending and implementing process improvements


  • I follow through on my commitments, take responsibility for my work, and deliver on time
  • I proactively identify and advocate for opportunities to improve the current state of projects
  • I own my failures and learn from them
  • I think a step or two ahead in my work, solve the right problems before they become bigger problems, and problem-solve with my manager when I'm stuck

Decision Making

  • I Identify and gather input from others and consider customer needs to make informed and timely decisions

🌟 Direction


  • I’m open to change and enthusiastic about new initiatives
  • I work with my manager to navigate complex and ambiguous situations


  • I ask questions and contribute to new ideas/approaches
  • I experiment with new approaches and share what I learned

🌳 Talent

Personal Growth

  • I proactively ask for feedback from those I work with and identify ways to act upon it
  • I have self-awareness about my strengths and areas for development
  • I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow

Talent Development

  • I model integrity and a high standard of excellence for my work.
  • I help the more junior members of my team, host interns, or am a residency mentor
  • I offer honest feedback that is delivered with empathy to help others learn and grow
  • I contribute to interviewing and assessing candidates to help us build a diverse and talented team. I am calibrated and consistently perform high-signal interviews
  • I am able to represent my team’s initiatives and goals to candidates in a compelling way

🌈 Culture


  • I can effectively collaborate to get work done
  • I work with my manager to manage conflict with empathy and cooperation in mind

Organizational Health

  • I contribute to a positive sense of community on the team (e.g. engage in team lunches, team offsites, and other group activities, help with new-hire on-boarding).
  • I listen to different perspectives and I cut biases from my words and actions
  • I practice the Dropbox Diversity Commitments on a regular basis


  • I write and speak clearly
  • I listen to understand others and ask clarifying questions
  • I share relevant information on my projects to my manager, team and customers.

🦉 Craft

I am an autonomous contributor. I create and execute security controls, defenses, and countermeasures to detect and mitigate internal and/or external attacks, seeking guidance from my team and lead. My solutions help mitigate attempts to infiltrate company systems (e.g., services, products, components, email, data, commerce, among others) to protect customer data and trust. I help mitigate attacks that could potentially compromise large systems, company trust, or customer data. I deliver consistently high-quality work.

Security Execution

  • My work demonstrates basic competence as a security practitioner - I apply basic principles such as least privilege and defense in depth appropriately to a set of problems within my team and projects.
  • I assess the security of systems through code reviews, penetration tests, intuitive reasoning (with or without the application of a security framework), or manual testing (using ethical hacking tools or custom-written tools where they don’t yet exist.
  • I develop, test, review, debug, and/or deploy code to enforce security requirements, detect badness to meet security objectives.
  • I deploy, manage, monitor, and/or provide sustainable operational support for technology that my team relies on to enforce security requirements, detect badness to meet security objectives.
  • I understand the designs and technology choices within my focus area and make technically-sound adjustments based on feedback, changes in the environment, and/or evolving threats.
  • I help resolve security issues, respond to incidents, and eliminate or mitigate vulnerabilities as they arise.
  • I provide clearly articulated and reasoned security guidance in areas I know well, both inside and outside of security team.

Technology Fluency

  • I am familiar with relevant external and Dropbox-specific technologies within my domain, and am working to develop a deeper understanding.
  • I seek to learn the business context and technologies behind my team’s security services and the segment of the business I focus on.

Threat Fluency

  • I understand attackers and their tools, techniques, and goals. I am able to learn from historical examples.
  • I understand how defenses address and mitigate common vulnerabilities made use of by malicious code, and how attackers bypass or negate common defensive techniques
  • I have an understanding of strengths and weaknesses of the tools at my disposal to diffuse the impact and disrupt or detect attackers taking advantage of potential systems’ vulnerabilities.