IC3 Security Engineer
I work on large components, applications, security events or security services. I influence team projects. I drive teams to meet security goals.
Area of ownership and level of autonomy / ambiguity
Organizational reach and extent of influence
Technical levers typically exercised to achieve business impact
- I own and deliver projects in service of quarterly goals on the team.
- I define security solutions and can select the best approach within many. I work independently and seek help when necessary.
- I deliver solutions to ambiguous security problems where the solution may not have been obvious at the outset.
- I identify and implement necessary short-term risk reduction measures while designing, building, or securing commitment on longer-term systemic improvements.
- I demonstrate understanding of how my work aligns with 1-2 year security goals
- I work primarily with my direct team and cross-functional partners while driving cross-team collaboration for my project
- My scope of influence is primarily within my team, but I can work across teams. I influence process, priorities, and trade-offs.
- I own and propose solutions for problems even when outside of my specific domain, informing and/or handing off to correct owners when necessary.
- I regularly and effectively partner with other teams on substantial projects (new features with difficult security concerns or major internal services) and use that opportunity to build lasting improvements to Dropbox’s security posture across projects.
- I work with partner teams to create opportunities to improve security on an ongoing basis.
- I continue to master my craft, and effectively choose when to hone and apply a broad array of skills utilized by security engineers to solve a security problem. I have demonstrated an ability to apply several different skills.
- I define and deliver well-scoped security projects. I may be a technical lead for projects on my team. My work reduces or mitigates risk in a major portion of a product or service.
- I actively level up less-experienced members of my team by helping them with their craft, providing guidance, and leading by example.
- I work on large components, applications, security events or security services. I influence team projects. I drive teams to meet security goals.
- I deliver some of my team’s goals on time and with a high standard of quality
- I understand my customers, the business’s goals and my team’s goals. I ensure my work will have the greatest customer impact
- I can identify when my results aren’t moving the needle for our business/team goals or serving the needs of customers in a meaningful way and work with manager to redirect my focus
- I get work to a simple place by focusing on the heart of the problem and prioritizing the right things
- I proactively identify new opportunities and advocate for and implement improvements to the current state of projects
- I take responsibility for any failures on my project and take action to prevent them in the future. I embrace and share the learnings from those failures
- When I encounter barriers, I unblock myself and my team by proactively assessing and eliminating the root cause
- I make informed decisions by consulting the right stakeholders and balancing details with the big picture. I execute against the spirit, and not just the letter, of the requirements
- I understand the implications of my decisions and adjust my approach based on the impact and risk in the short and long-term
- I make timely decisions but don’t cut corners that would compromise my customer’s trust
- I embrace change and adapt quickly to it
- I’m able to navigate ambiguity and remain resilient through ups and downs
- I ask questions and contribute to new ideas/approaches
- I experiment with new approaches and share what I learned
- I work collaboratively with my manager to set realistic and ambitious short- and long-term goals and break them down to smaller projects for my team or myself
- I execute the development roadmap for complex, multi-phase projects, possibly as a project tech lead
- I proactively ask for feedback from those I work with and identify ways to act upon it
- I have self-awareness about my strengths and areas for development
- I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow
- I contribute to interviewing and assessing candidates to help us build a diverse and talented team by conducting more advanced domain-specific and leveling interviews
- I am able to represent my team’s initiatives and goals to candidates in a compelling way
- I model integrity and a high standard of excellence for my work. I leverage this to influence and establish best practices
- I support the growth of my teammates by taking into account their skills, backgrounds and working styles
- I solicit and offer honest and constructive feedback that is delivered with empathy to help others learn and grow
- I build relationships across teams and help get to positive outcomes
- I proactively communicate and coordinate my team’s requirements with other groups and teams in engineering
- I am capable of working with cross-functional stakeholders to identify technical blindspots and clarify ambiguity in their ideas.
- I avoid blame and solve the right problems, disagreeing and committing when necessary
- I contribute to a positive sense of community on the team (e.g. engage in team lunches, team offsites, and other group activities, help with new-hire on-boarding)
- I listen to different perspectives and I cut biases from my words and actions
- I practice the Dropbox Diversity Commitments on a regular basis
- I tailor my message to my audience, presenting it clearly and concisely at the right altitude
- I proactively share information so the right people are informed and aligned
- I foster effective communication across the team and promote inclusive meeting culture
I am a significant and autonomous contributor. I have mastered the fundamentals of information security and can apply them effectively in novel situations. I solve ambiguous and challenging security problems. I can decompose security problems or incidents into solutions to help mitigate attacks that could compromise large systems, company trust, or customer data. I understand the technologies and techniques used in my area and how they fit together. I focus on projects with cross-functional impact. My work is consistently of high quality. I engage autonomously with product and system owners to help create, build, innovate, and operate security defenses, possibly by writing code, scripts, creating detections, among others.
- My work demonstrates deep domain expertise in one or more core security domains and secondary specializations, (e.g. infrastructure security, application security, threat intelligence, security operations, incident response, endpoint security, or identity management), sufficient to anticipate and communicate the implications of my work on adjacent fields.
- I perform risk analyses to a degree of rigor which enables me, my cross-functional partners, and future security engineers to weigh the the strengths and weaknesses of different options, and make recommendations for risk mitigation, acceptance, or escalation.
- I design and implement new systems, tools, or processes to enforce security requirements, detect badness, or otherwise defend Dropbox.
- I select, integrate, and/or improve operational support for technology that my team relies on to enforce security requirements, detect badness, or otherwise defend Dropbox.
- When I approach a problem I identify the applicable security strategies, weigh the tradeoffs of each, negotiate the best way forward, and effectively influence others to follow that path.
- I lead others to resolve security issues, to respond to incidents, and to eliminate or mitigate vulnerabilities as they arise.
- I actively work with partner orgs to drive awareness of policy, standards, best practices, and regulations.
- I base my decisions on validated evidence/data or I explicitly identify the cases where no data is available and the assumptions I am making instead.
- I have deep understanding of more than one domain (e.g. application, OS, networks, or hardware) and can quickly understand complex systems and identify the major security issues with them.
- I demonstrate and can apply understanding of the technologies Dropbox uses within my area of focus
- I can navigate through full stacks and build proficiency on the right tools to dig deep into the security issues.
- I understand that technology, threats, and responses evolve and plan security controls accordingly.
- I am broadly knowledgeable about attacks and attacker mindset.
- I am broadly aware of the kinds of defenses and their efficacy at mitigating attacks relevant to my team’s focus.
- I have gained practical experience performing attacks and using attacker tools, and take this into account in my projects or operations work. I continuously seek to learn about and apply lessons learned from new attacks/attackers to my area of focus.
- I have an understanding of how the tools at my disposal have historically failed, and what those failures indicate about the limitations or risks associated with security mechanisms.