Dropbox Engineering Career Framework

IC4 Security Engineer

I demonstrate solid business judgment and understand the organizational priorities. I lead multi-phase, multi-team security efforts to reduce risks on broad product capabilities, security domains, or a broad and complex technical system or environment.

Scope: Area of ownership and level of autonomy / ambiguity

  • I own and deliver semi-annual/annual goals for my team.
  • I am an expert at identifying the right solutions to solve ambiguous, open-ended problems that require me to prioritize among several different business and team objectives.
  • I define and implement security solutions or efficient operational processes that level up my team.
  • I work on large security problems where the design may or may not be defined.
  • I lead or help define security strategy.
  • I deliver complete solutions to security problems.
  • My solutions align and adapt to multi-year security goals.

Collaborative Reach: Organizational reach and extent of influence

  • I am a strong leader for my team. I lead by example, and my impact is beginning to extend outside my team.
  • I increasingly optimize beyond just my team by driving cross-team or cross-discipline initiatives.
  • I influence security teams, partner orgs, and service/product owners.

Impact Levers: Technical levers typically exercised to achieve business impact

  • I have mastered all key areas of my craft relevant to the problems I’m working on, and effectively choose when to draw from the broad array of skills utilized by security engineers to solve a security problem.
  • I play a key role in setting medium-to-long term strategy for business-impacting projects.
  • I autonomously define and deliver technical roadmaps of larger projects, often involving cross-team dependencies.
  • I negotiate with teams and partner orgs to strategically solve security problems at scale.
  • I work autonomously with less defined parameters. I negotiate resources and security priorities. I escalate and communicate effectively. I always find a path forward, even when that means re-defining success or learning from failures.
  • I leverage input from product stakeholders and determine the right technical trade-offs to deliver security value quickly.
  • I actively level up less-experienced members across Security by helping them with their craft, providing guidance, and leading by example.
  • I can negotiate effectively, and influence others towards delivering the right security solutions for the organization.

🏆 Results


  • I deliver many of my team’s goals on time and with a high standard of quality
  • My understanding of the business context and my team’s goals enables me to have the greatest customer impact and allows me to make independent technical decisions in the face of open-ended requirements
  • I can identify when my results aren’t moving the needle for our business/team goals or serving the needs of customers in a meaningful way and work with my manager to redirect my focus
  • I get work to a simple place by focusing on the heart of the problem and prioritizing the right things


  • I proactively identify new opportunities and advocate for and implement improvements to the current state of projects — potentially having broader business impact across teams or products
  • I take responsibility for my decisions and failures on my project and take action to prevent them in the future. I embrace and share the learnings from those failures
  • When I encounter barriers, I unblock myself and my team by proactively assessing and eliminating the root cause, and focusing on the solutions

Decision Making

  • I make informed decisions by consulting the right stakeholders and balancing details with the big picture
  • I understand the implications of my decisions and adjust my approach based on the impact and risk (e.g. choosing a more iterative approach based on the degree of uncertainty with respect to product fit, while maintaining a view of the long term arc needed to accomplish business goals)
  • I leverage insights about customers to inform decisions, balancing value for the customer with other business goals
  • I make timely decisions but don’t cut corners that would compromise my customer’s trust

🌟 Direction


  • I embrace change and adapt quickly to it
  • I’m able to navigate ambiguity and remain resilient through ups and downs by staying calm under pressure and taking care of my overall well-being


  • I am beginning to push boundaries to generate and implement ideas that aim to drive our products and tools forward
  • I set audacious goals, take risks, and share lessons learned
  • I have a growth mindset and am comfortable experimenting, learning, and owning the outcomes


  • I define the technical roadmap for impactful multi-phase projects, refining it as the projects progress to deliver customer value quickly, and provide leadership for the people executing on the project
  • I define my team's priorities and secure buy-in in partnership with my manager
  • I generate excitement for my/the team's strategy

🌳 Talent

Personal Growth

  • I proactively ask for feedback from those I work with, know my strengths, and identify ways to take actions on my development areas
  • I have self-awareness and connect with others with empathy
  • I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow

Talent Development

  • I model integrity and a high standard of excellence for my work. I leverage this to set and hold the bar for quality and best practices for my team (e.g. via code and design reviews)
  • I identify and support areas of growth for my teammates that take into account their skills, backgrounds and working styles
  • I solicit and offer honest, constructive, direct, and actionable feedback that is delivered with empathy to help others learn and grow into the next level
  • I contribute to interviewing, and gain the trust of candidates. I can represent Dropbox's mission, strategy, and culture throughout the interview process
  • I am able to represent my team’s technical challenges to potential candidates in a compelling way (e.g. 1:1 sell chats, blog posts, public speaking)

🌈 Culture


  • I promote and role model Dropbox core values, leading by example
  • I build relationships and drive coordination across teams & disciplines, helping get to positive outcomes
  • I proactively communicate and coordinate my team’s requirements with other groups and teams in engineering
  • I am effective at working with cross-functional stakeholders to identify technical blindspots and clarify ambiguity in their ideas
  • I avoid blame and solve the right problems, disagreeing and committing when necessary

Organizational Health

  • Working with my manager, I leverage the strengths & skills of the members of my team, and help identify talent gaps required for team success
  • I support others to bring their authentic selves every day and contribute to building community at Dropbox
  • I practice the Dropbox Diversity Commitments on a regular basis
  • I champion good virtual first practices that help my team collaborate effectively
  • I help shape the Dropbox engineering culture through my involvement with activities outside of my team (e.g. presenting tech talks, participating in Eng RFCs, creating interview questions, planning hackweek)


  • I tailor my message to my audience, presenting it clearly and concisely at the right altitude
  • I proactively share information so the right people are informed and aligned

Culture Leader - I act as a partner to my manager in setting the cultural tone for the team. I support an environment where all Dropboxers are included and heard - I help my team network and build relationships across Dropbox, creating connection and inclusion across my team and with other teams

🦉 Craft

I am considered a technical leader on my team. I autonomously engage with product and system owners across Dropbox to help create, build, and innovate security defenses. I have an in-depth knowledge of Security and possess a comprehensive view of how the Dropbox environment and services fit together. I focus on large and ambiguous security problems across internal and partner organizations. I take a long-term view and understand the details about my team’s security services and processes. I drive and plan the Security of large, complex, cross-team projects/incidents that could span multiple quarters and often involve numerous security members. I mentor, teach, and influence other members of Security continuously - the scope of my impact is amplified through their successes. My understanding of the business context and organization priorities enables me to deliver in alignment with longer-term security needs, not just immediate requirements.

Security Execution

  • My work demonstrates significant domain expertise in three or more security domains and secondary specializations (e.g. infrastructure security, application security, threat intelligence, security operations, incident response, endpoint security, or identity management). I understand the latest defensive capabilities provided by each layer of the stack in my purview and understand when to deploy them.
  • I have extensive experience with multiple methods of assessment, and can make the right call to identify the best approach for a given problem.
  • I design and/or implement structural changes to enforce security requirements and defenses at the scope of an entire product/codebase (e.g. Paper, Hellosign, or rSERVER).
  • I define and implement a comprehensive strategy to address a security problem, drawing upon a mixture of the necessary first-party, open source, or off-the-shelf technologies to enforce security requirements, detect badness, or defend Dropbox.
  • I consistently identify and provide solutions for non-obvious issues in the design, implementation, operation, and evaluation of security processes and technologies.
  • I own the response to complex security incidents, or drive strategic remediation initiatives which involve many teams/organizations/systems across Dropbox.
  • I track incidents, vulnerabilities, and other security trends over time and effectively incorporate lessons learned into Security strategy and requirements.
  • I effectively partner across the company to define and implement security requirements within a scope spanning several different layers of an infrastructure stack, disparate teams across several organizations, or parallel workstreams of a large scale initiative.

Technology Fluency

  • I apply a comprehensive understanding of the Dropbox technology stack and relevant external technologies within my focus. I both maintain awareness and ensure my organization is aware of changes as they occur. I influence the design and architecture choices made by partner-orgs (e.g., system, network, or software).
  • I understand that technology, threats, and responses evolve and use that evolution to identify opportunities to improve security controls accordingly.

Threat Fluency

  • I have a deep understanding of attacker tools, techniques, and processes (TTPs) and the standard defenses/mitigations for them.
  • I am broadly aware of the kinds of defenses and their efficacy at mitigating attacks relevant to Dropbox Security.
  • I am continuously tracking and learning about attacks/attackers both inside and outside of my focus area.
  • I am familiar with historical attacks of consequence and the lessons learned from them.
  • I am able to reason about attacker behavior and apply my understanding of TTPs in support of the rest of my job.