Dropbox Engineering Career Framework
IC4 Security Engineer
I demonstrate solid business judgment and understand the organizational priorities. I lead multi-phase, multi-team security efforts to reduce risks on broad product capabilities, security domains, or a broad and complex technical system or environment.
Scope
Area of ownership and level of autonomy / ambiguity
Collaborative Reach
Organizational reach and extent of influence
Impact Levers
Technical levers typically exercised to achieve business impact
  • I own and deliver bi-annual/annual goals for my team.
  • I am an expert at identifying the right solutions to solve ambiguous, open-ended problems that require me to prioritize among several different business and team objectives.
  • I define and implement security solutions or efficient operational processes that level up my team.
  • I work on large security problems where the design may or may not be defined. 
  • I lead or help define security strategy.
  • I deliver complete solutions to security problems.
  • My solutions align and adapt to multi-year security goals.
  • I am a strong leader for my team. I lead by example, and my impact is beginning to extend outside my team.
  • I increasingly optimize beyond just my team by driving cross-team or cross-discipline initiatives.
  • I influence security teams, partner orgs, and service/product owners.
  • I have mastered all key areas of my craft relevant to the problems I’m working on, and effectively choose when to draw from the broad array of skills utilized by security engineers to solve a security problem.
  • I play a key role in setting medium-to-long term strategy for business-impacting projects.
  • I autonomously define and deliver technical roadmaps of larger projects, often involving cross-team dependencies. 
  • I negotiate with teams and partner orgs to strategically solve security problems at scale.
  • I work autonomously with less defined parameters. I negotiate resources and security priorities. I escalate and communicate effectively. I always find a path forward, even when that means re-defining success or learning from failures.
  • I leverage input from product stakeholders and determine the right technical trade-offs to deliver security value quickly.
  • I actively level up less-experienced members across Security by helping them with their craft, providing guidance, and leading by example.
  • I can negotiate effectively, and influence others towards delivering the right security solutions for the organization.

Results

Responsibility
Key Behaviors
Impact
  • I deliver many of my team’s goals on time and with a high standard of quality
  • My understanding of the business context and my team’s goals enables me to have the greatest customer impact and allows me to make independent technical decisions in the face of open-ended requirements
  • I can identify when my results aren’t moving the needle for our business/team goals or serving the needs of customers in a meaningful way and work with my manager to redirect my focus
  • I get work to a simple place by focusing on the heart of the problem and prioritizing the right things
Ownership
  • I proactively identify new opportunities and advocate for and implement improvements to the current state of projects — potentially having broader business impact across teams or products
  • I take responsibility for any failures on my project and take action to prevent them in the future. I embrace and share the learnings from those failures
  • When I encounter barriers, I unblock myself and my team by proactively assessing and eliminating the root cause 
Decision Making
  • I make informed decisions by consulting the right stakeholders and balancing details with the big picture 
  • I understand the implications of my decisions and adjust my approach based on the impact and risk (e.g. choosing a more iterative approach based on the degree of uncertainty with respect to product fit, while maintaining a view of the long term arc needed to accomplish business goals).
  • I make timely decisions but don’t cut corners that would compromise my customer’s trust  

Direction

Responsibility
Key Behaviors
Agility
  • I embrace change and adapt quickly to it
  • I’m able to navigate ambiguity and remain resilient through ups and downs
Innovation
  • I am beginning to push boundaries to generate and implement ideas that aim to drive our products and tools forward
  • I set audacious goals, take risks, and share lessons learned
Strategy
  • I define the technical roadmap for complex projects, refining it as the projects progress, and provide leadership for the people executing on the project
  • I define my team's priorities and secure buy-in in partnership with my manager
  • I generate excitement for my/the team's strategy

Talent

Responsibility
Key Behaviors
Personal Growth
  • I proactively ask for feedback from those I work with and identify ways to act upon it
  • I have self-awareness about my strengths and areas for development
  • I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow
Hiring
  • I gain the trust of candidates and can represent Dropbox's mission, strategy, and culture throughout the interview process
  • I am able to represent my team’s technical challenges to potential candidates in a compelling way (e.g. 1:1 sell chats, blog posts, public speaking)
Talent Development
  • I model integrity and a high standard of excellence for my work. I leverage this to set and hold the bar for quality and best practices for my team (e.g. via code and design reviews)
  • I identify and support areas of growth for my teammates that take into account their skills, backgrounds and working styles
  • I solicit and offer honest and constructive feedback that is delivered with empathy to help others learn and grow

Culture

Responsibility
Key Behaviors
Collaboration
 
  • I build relationships and drive coordination across teams & disciplines, helping get to positive outcomes
  • I avoid blame and solve the right problems, disagreeing and committing when necessary
Organizational Health
  • Working with my manager, I leverage the strengths & skills of the members of my team, and help identify talent gaps required for team success
  • I act as a partner to my manager in setting the cultural tone for the team. I support an environment where all Dropboxers are included and heard
  • I motivate others to bring their authentic selves every day and contribute to building community at Dropbox
Communication
  • I tailor my message to my audience, presenting it clearly and concisely at the right altitude
  • I proactively share information so the right people are informed and aligned

Craft

I am considered a technical leader on my team. I autonomously engage with product and system owners across Dropbox to help create, build, and innovate security defenses. I have an in-depth knowledge of Security and possess a comprehensive view of how the Dropbox environment and services fit together. I focus on large and ambiguous security problems across internal and partner organizations. I take a long-term view and understand the details about my team’s security services and processes. I drive and plan the Security of large, complex, cross-team projects/incidents that could span multiple quarters and often involve numerous security members. I mentor, teach, and influence other members of Security continuously - the scope of my impact is amplified through their successes. My understanding of the business context and organization priorities enables me to deliver in alignment with longer-term security needs, not just immediate requirements.
 
Responsibility
Key Behaviors
Security Execution
  • My work demonstrates significant domain expertise in three or more security domains and secondary specializations (e.g. infrastructure security, application security, threat intelligence, security operations, incident response, endpoint security, or identity management). I understand the latest defensive capabilities provided by each layer of the stack in my purview and understand when to deploy them.
  • I have extensive experience with multiple methods of assessment, and can make the right call to identify the best approach for a given problem.
  • I design and/or implement structural changes to enforce security requirements and defenses at the scope of an entire product/codebase (e.g. Paper, Hellosign, or rSERVER)
  • I define and implement a comprehensive strategy to address a security problem, drawing upon a mixture of the necessary first-party, open source, or off-the-shelf technologies to enforce security requirements, detect badness, or defend Dropbox.
  • I consistently identify and provide solutions for non-obvious issues in the design, implementation, operation, and evaluation of security processes and technologies.
  • I own the response to complex security incidents, or drive strategic remediation initiatives which involve many teams/organizations/systems across Dropbox.
  • I track incidents, vulnerabilities, and other security trends over time and effectively incorporate lessons learned into Security strategy and requirements.
  • I effectively partner across the company to define and implement security requirements within a scope spanning several different layers of an infrastructure stack, disparate teams across several organizations, or parallel workstreams of a large scale initiative. 
Technology Fluency
  • I apply a comprehensive understanding of the Dropbox technology stack and relevant external technologies within my focus. I both maintain awareness and ensure my organization is aware of changes as they occur. I influence the design and architecture choices made by partner-orgs (e.g., system, network, or software).
  • I understand that technology, threats, and responses evolve and use that evolution to identify opportunities to improve security controls accordingly.
Threat Fluency
  • I have a deep understanding of attacker tools, techniques, and processes (TTPs) and the standard defenses/mitigations for them.
  • I am broadly aware of the kinds of defenses and their efficacy at mitigating attacks relevant to Dropbox Security.
  • I am continuously tracking and learning about attacks/attackers both inside and outside of my focus area
  • I am familiar with historical attacks of consequence and the lessons learned from them.
  • I am able to reason about attacker behavior and apply my understanding of TTPs in support of the rest of my job.