Becoming a Security & Privacy Engineer

By Pritesh Yadav

This final section is about you and a career. You have spent thirteen sections learning how systems get attacked and defended. Now the question is: is this worth turning into a profession, and if so, how do you actually get in? The short answer is yes, and the path has never been more open. This section maps the field, the roles, the durable skills that survive every wave of new technology, how to practise for free, which certificates matter, what the work actually feels like day to day, and a concrete 90-day plan you can start tomorrow.

14.1 Why this field is durable (lead with this)

Most tech specialties rise and fall with a particular tool or framework. Security is different because it has a permanent adversary — a real human attacker who never stops, gets paid to find new ways in, and benefits from every new technology you adopt. Every new feature, cloud service, or AI model is fresh attack surface (the set of places an attacker can try to get in). As long as software exists and has value, someone will attack it, and someone must defend it. That makes demand structurally permanent in a way few jobs are.

The 2025-2026 numbers back this up:

  • Breach cost. IBM's Cost of a Data Breach 2025 puts the global average breach at USD $4.44M — the first decline in five years (down 9% from $4.88M), credited to faster, AI-assisted containment. The US average hit a record $10.22M.
  • Speed. Mean time to identify and contain a breach fell to 241 days, the lowest in nine years.
  • Shadow AI. Employees using unapproved AI tools (called "shadow AI") added roughly $670K to the average breach. Organisations using AI and automation extensively in defence saved about $1.9M versus those that did not.
  • The job gap. The ISC2 2025 Workforce Study (a record 16,029 professionals surveyed) reports a 4.8M-role global gap (+19% year over year). But the big 2025 shift is honest and important: budget overtook talent scarcity as the top staffing constraint — 33% lack the resources to staff adequately, 29% cannot afford the skills they need. ISC2 now frames this as a skills gap, not a headcount gap.

Key takeaway: Generic "bodies" are oversupplied; demonstrable skills are scarce. 88% of organisations had at least one significant incident traced to a skills shortage. The way in is proof-of-work, not just a diploma.

Common mistake: Believing the "millions of open jobs" headline means easy entry. Experienced people have near-zero unemployment; entry level is competitive and budget-constrained right now. You win it with a visible portfolio, not a hope.

14.2 The roles — most people specialise

"Security engineer" is not one job. Pick a track that fits your temperament and existing skills.

| Role | What they do | Good fit if you… |
| --- | --- | --- |
| AppSec engineer | Secure software/code: review designs, run SAST/DAST/SCA scanners, threat-model features, fix OWASP-class bugs. | Are a developer; closest track to coding. |
| Security engineer (infra/generalist) | Build and harden defensive tooling: identity, network controls, Zero Trust, secrets, logging. | Like building systems and plumbing. |
| Cloud security engineer | AWS/Azure/GCP misconfiguration, IAM, CSPM, container/Kubernetes security. | Want the fastest-growing track — 41% of employers pay more for it. |
| Detection & Response / SOC / IR (Blue Team) | Build detections (SIEM, EDR), investigate alerts, run incident response, threat hunt. | Like puzzles and calm-under-pressure work; common entry door (SOC analyst). |
| Penetration tester / Red Team (Offensive) | Simulate attackers, find exploitable holes, write reports. | Love breaking things and explaining how. |
| Security architect | Design secure systems end-to-end; set standards. Senior. | Have years of breadth. |
| GRC (Governance, Risk, Compliance) | Policy, risk assessment, audits: SOC2, ISO 27001, PCI, HIPAA. Less coding, more communication. | Are strong at writing/process; great entry for non-coders. |
| Privacy engineer | The technical "how" of privacy: privacy-by-design, data minimisation, de-identification, consent plumbing, LINDDUN threat modeling, DSAR flows, retention. | Like sitting between legal, security, and engineering. |
| AI-security roles (new) | AI Red Teamer, ML Security Engineer, LLM Security Architect, AI Trust & Safety — adversarially test LLMs for prompt injection, jailbreaks, data leakage. | Want the newest, lowest-barrier sub-field. |

A note on the AI roles: the World Economic Forum found in 2025 that only 14% of organisations believe they have the AI-security talent they need. Because the field is new, the experience bar is lower than traditional senior roles — a genuine opening for newcomers. EU AI Act red-teaming requirements are also creating a steady consulting pipeline. (Salary signposts, US, 2026: security engineer median ~$152K–$170K; AI Red Teamer ~$160K–$230K; LLM Security Architect ~$200K–$280K+.)

14.3 The durable mindset — the part that survives tech churn

Tools rot; principles compound. The engineers who thrive for decades invest in a core that does not expire.

1. Fundamentals
Networking (TCP/IP, DNS, TLS, HTTP), operating systems (especially Linux), how authentication/authorization/sessions actually work, and cryptography basics — meaning what to use and the iron rule: never roll your own crypto.
2. Threat modeling
The single most transferable skill: systematically asking "what can go wrong?" Learn STRIDE (Microsoft: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and Adam Shostack's four questions — What are we building? What can go wrong? What are we going to do about it? Did we do a good job? The privacy analog is LINDDUN. A flaw caught at design costs roughly 100x less than the same flaw in production — this is the "shift-left" payoff.
3. Adversarial thinking
Assume breach. Think like an attacker. Distrust all input.
4. Communication & the "audit discipline"
Security is mostly a people job. Writing a finding a busy developer or non-technical executive will actually act on — translating risk into business language, documenting evidence, staying calm and precise during an incident — matters more than the exploit itself. This is why audit habits (evidence, repeatability, traceability) help even pure engineers.
5. Risk prioritisation
You can never fix everything. Rank by likelihood × impact. Know the frameworks by name: OWASP, NIST CSF, MITRE ATT&CK, and MITRE ATLAS (the ATT&CK equivalent for AI systems).

Analogy: Tools are like the seasonal weather; the durable mindset is the climate. People who chase only the hottest tool get rained on every year. People who understand the climate dress right no matter the season.

14.4 Current frameworks & facts to know (2025-2026)

  • OWASP Top 10:2025 — announced Nov 2025, finalised Jan 2026, built on 175,000+ CVEs and 589 CWEs. A01 Broken Access Control stays #1 (now absorbs SSRF). A02 Security Misconfiguration jumped from #5 to #2 (100% of tested apps had some misconfiguration). Two brand-new categories: A03 Software Supply Chain Failures and A10 Mishandling of Exceptional Conditions. Lesson: the list evolves — track the trend (supply chain + misconfig + access control dominate), don't memorise a frozen list.
  • OWASP Top 10 for LLMs: LLM01 Prompt Injection is the #1 AI risk; attack success rates 50–84%, and no complete fix exists even for frontier models. Real 2025-26 high-severity CVEs: EchoLeak (CVE-2025-32711, Microsoft 365 Copilot data exfiltration), GitHub Copilot RCE (CVE-2025-53773), Cursor IDE flaws — all CVSS over 9.3.
  • NIST CSF 2.0 (Feb 2024) — added a 6th function, GOVERN, at the centre of the wheel (Identify, Protect, Detect, Respond, Recover + Govern), expanded scope to all organisations, and emphasised supply chain.
  • EU AI Act — in force Aug 1, 2024; prohibited practices + AI-literacy duties applied Feb 2, 2025; general-purpose AI (GPAI) obligations applied Aug 2, 2025 (enforcement powers from Aug 2, 2026); high-risk Annex III deadline deferred (Digital Omnibus provisional agreement, May 7, 2026) to Dec 2, 2027. This creates real privacy/AI-governance hiring.

14.5 Real incidents that teach the lesson

Example — MOVEit Transfer (Clop): One zero-day in a managed file-transfer product was mass-exploited against nearly every internet-facing instance at once. One door key opened thousands of houses. This is exactly why software supply chain became a Top-10 category.
Example — Change Healthcare (2024): Ransomware from ALPHV/BlackCat hit the health records of ~190M+ people, a $22M ransom was paid, and US healthcare billing froze. It shows systemic third-party risk and the human cost beyond dollars.
Example — Snowflake campaign (2024): Attackers used credentials stolen by infostealer malware to log into customer cloud data warehouses that lacked MFA (AT&T, Ticketmaster, Santander). This was not a Snowflake "hack" — it was a customer identity-hygiene failure. The lesson: MFA and identity discipline beat exotic exploits. (In June 2025, ~16 billion leaked credentials were aggregated from infostealer logs — the same reason password reuse and MFA matter.)

14.6 How to learn & practise — doing beats watching

Learning by doing works far better than watching videos. Free and cheap labs, in a sensible order:

  Linux + Networking            Web hacking              Real targets
  -------------------           -----------              ------------
  OverTheWire Bandit   --->  PortSwigger Web    --->  HackTheBox
  (Linux fundamentals)       Security Academy         machines
        |                    (free, Burp Suite)            |
        |                          |                       v
        +----> picoCTF / -----> TryHackMe rooms -----> Bug bounty
               VulnHub          + beginner CTFs        (HackerOne/
                                                        Bugcrowd)

Build things: stand up a home lab, write your own deliberately vulnerable app and exploit it, automate a scan, contribute to open source, write detection rules. Bug bounties give you real targets, real money, and a portfolio. Document everything — public write-ups, GitHub, a blog. When budgets are tight, proof-of-work is what earns the interview. HTB now even has a dedicated AI Red Teamer path if that's your track.

14.7 Certifications — their place (be honest)

Certs open doors and pass HR keyword filters; they do not replace skill. One good cert plus a portfolio beats five paper certs.

| Cert | What it's for | Cost / note |
| --- | --- | --- |
| CompTIA Security+ | Standard foundational/entry cert; meets US DoD 8570 baseline. | ~$400 exam; good first cert. |
| OSCP / OSCP+ | Gold standard for pentesting — practical, hands-on, 24-hr exam. | PEN-200 bundle ~$1,749; high ROI for offence. |
| CISSP | Management/breadth cert; gatekeeper for senior roles. | Exam ~$749; needs 5 yrs experience; holders avg ~$148K. |
| CCSP / CCSK | Cloud security. | ISC2 / Cloud Security Alliance. |
| IAPP CIPP / CIPT | Privacy: CIPP = law/program (CIPP/US, CIPP/E); CIPT = the engineer's "how" cert. | IAPP-certified pros earn up to ~13% more. |

Best practice: Security+ first (or skip if you already have skills), then specialise: OSCP for offence, a cloud cert for cloud, CIPT for privacy, CISSP later when you have the years. Privacy ladder: CIPT → CDPSE → CCSP/CCSK → ISO 27701. Don't certificate-collect.

14.8 A day in the life (reality, not Hollywood)

Across every track, the common thread is more meetings, writing, and persuasion than movies imply — keyboard-hacking is a fraction of it.

  • AppSec: morning triage of scanner/bug-bounty findings, a threat-modeling session with a product team, a PR security review, tuning a CI security gate, answering "is this safe to ship?" in Slack.
  • Detection/IR: monitor alerts, decide "real or noise?", tune detections to cut false positives, then run an incident bridge during a live event (high adrenaline, then long documentation).
  • Pentester: scoping, recon, exploitation — and the underrated half, writing a clear report a client will fund fixes for.
  • GRC: evidence collection, control mapping, vendor risk reviews, audit prep.

Common mistake: Treating every alert as a fire. Proofpoint 2025 found 63% of CISOs experienced or witnessed burnout, and Sophos measured ~4.8 hrs/week lost to it (+25% YoY). Set boundaries — yet 68% of professionals still report job satisfaction (ISC2). A sustainable pace is a skill too.

14.9 Staying current as AI changes the board

AI plays both sides. Defenders use it to cut containment time and save ~$1.9M. Attackers use it to scale phishing, deepfakes, malware, and exploit discovery, and "shadow AI" is now a measurable breach driver. Your own apps' LLM features are fresh attack surface (prompt injection, RAG poisoning, data leakage, insecure tool/agent calls). The AI-prompt-security market grew from $1.51B (2024) to $1.98B (2025), ~31.5% CAGR. What does not change: the fundamentals, threat modeling, identity hygiene, and the human judgment to decide whether an AI's output is safe to trust. Use AI as a force-multiplier (drafting, triage, code review) but verify everything; and learn to secure AI systems (OWASP LLM Top 10, MITRE ATLAS, tools like Microsoft PyRIT and Garak) — the fastest-growing, lowest-barrier sub-field.

14.10 Your 90-day plan

  1. Days 1–30, fundamentals: Linux via OverTheWire Bandit; networking (TCP/IP, DNS, HTTP, TLS); how auth and sessions work; read OWASP Top 10:2025; start Security+ study if you want the cert.
  2. Days 31–60, web + offence: PortSwigger Web Security Academy end-to-end with Burp Suite; TryHackMe beginner paths; 5–10 CTF challenges; learn STRIDE and threat-model a real app.
  3. Days 61–90, specialise + prove it: pick a track (AppSec / cloud / blue team / privacy / AI security); go deeper (HTB machines, a cloud free-tier lab, or OWASP LLM labs); open a bug-bounty account; publish 2–3 write-ups; sit your first cert if ready.
  4. After 90 days: one lab + one write-up per month, join a community (local DEF CON group, Discords), and apply to entry roles (SOC analyst, junior AppSec, GRC analyst) with your portfolio as evidence.

Common mistakes

  • Collecting certs with zero hands-on practice.
  • Memorising a frozen OWASP list instead of understanding the categories and trends.
  • Ignoring communication and writing skills.
  • Trying to stay a generalist forever instead of specialising.
  • Skipping fundamentals to jump straight to flashy tools.
  • Rolling your own crypto.
  • Treating AI tools as oracles instead of verifying their output.
  • Burning out by treating every alert as a five-alarm fire.

Best practices

  • Invest in fundamentals and threat modeling first — they never expire.
  • Specialise into one track and go deep.
  • Learn in public: write-ups, GitHub, a blog are your real resume.
  • One good cert per stage, paired with proof-of-work.
  • Practise monthly forever; treat learning as the job, not a side task.
  • Learn to secure AI systems early — lowest barrier, highest growth.
  • Protect your own energy; a sustainable pace outlasts heroics.

Key takeaway: The barrier to start has never been lower (free labs, open knowledge) and the need has never been higher. You don't need permission or a perfect resume — you need curiosity, persistence, and proof-of-work. Every expert started by breaking a deliberately vulnerable box. Pick the 90-day path, learn in public, and you'll become not just employable but genuinely useful — protecting real people's data, like the customers behind every order in the systems you build.
