When I started my journey in cybersecurity with my previous knowledge as an IT Project Manager, my mind was fixed on “ethical hacking”: finding vulnerabilities, exploiting them, and reporting them. However, while exploring the Security Engineer role I discovered that the true strength of a system doesn’t just lie in how it defends against attacks, but in how it is built from the ground up.

1. Security Engineer Intro

The first thing that struck me was the fundamental distinction between a Pentester and a Security Engineer. While the pentester seeks to break the system, the security engineer must ensure the system is resilient by design.

What I Learned:

• Security by Design: It’s not about adding patches after the software is finished. Security must be a functional requirement from the planning phase.
• The Secure Software Development Life Cycle (SDLC): I understood how security integrates into every stage: from requirements to deployment and maintenance.
• Shared Responsibility: In the cloud, for example, the provider protects the infrastructure, but I am responsible for protecting my data and configurations.

2. Security Principles

This section was a necessary review of basic concepts, but with a much deeper focus on their practical application. They aren’t just textbook definitions; they are golden rules guiding every technical decision.

Key Concepts:

• The CIA Triad (Confidentiality, Integrity, Availability): I learned that balancing these three elements is a constant act of equilibrium. Sometimes, increasing security (confidentiality) can reduce usability (availability).
• Defense in Depth: The idea that you should never trust a single layer of security. If the firewall fails, encryption must be there. If encryption fails, access controls must stop the attacker.
• Principle of Least Privilege: Every user and process must have only the permissions necessary for their function. This drastically limits the potential damage of a compromised account.
• Fail-Safe Defaults: If something fails, the system must enter a safe state (locked), not an unsafe one (open).

3. Introduction to Cryptography

Before this module, cryptography seemed like a magical black box to me. Reading about this topic made me to demystify it, showing it as a precise mathematical tool that, if used incorrectly, is useless.

What Helped Me Understand:

• Symmetric vs. Asymmetric: The critical difference isn’t just technical, but practical. We use symmetric (AES) for speed with large volumes of data, and asymmetric (RSA/ECC) for secure key exchange and authentication.
• The Importance of Key Management: The strongest algorithm in the world is useless if the key is stored in a plain text file. I learned about the need for HSMs (Hardware Security Modules) and secret managers.
• Hashing and Digital Signatures: I understood how data integrity and sender authenticity are guaranteed without revealing the original information.
• Common Pitfalls: I realized how dangerous it is to use obsolete algorithms (like MD5 or SHA-1) or to reinvent the wheel with proprietary algorithms.

4. Identity and Access Management (IAM)

Perhaps the most relevant lesson for the modern world. With the rise of cloud computing and remote work, the perimeter firewall is no longer enough. Identity has become the new perimeter.

IAM Strategies I Now Apply:

• Multi-Factor Authentication (MFA): It’s not an option; it’s a requirement. I learned why SMS is vulnerable and why security keys (FIDO2) are superior.
• Zero Trust: The slogan “Never trust, always verify” stopped being a catchphrase and became an operational methodology. Every access request must be authenticated and authorized, regardless of its origin.
• Lifecycle Management: The importance of automating the creation and, crucially, the deletion of access rights. “Zombie accounts” are one of the biggest internal threats.
• Identity Federation (SSO): How to simplify the user experience while maintaining centralized and strict control via protocols like SAML and OIDC.

Conclusion:

I have moved from viewing security as a series of defensive tools to understanding it as an integral engineering discipline.

Now I know that:

1. Security must be designed, not patched.
2. Fundamental principles (CIA, Defense in Depth) are non-negotiable.
3. Cryptography is a precise science requiring careful management.
4. Identity is the new security perimeter.

This is just the beginning. In future posts, I will document how I apply these concepts in practical labs, configuring SIEMs, implementing Zero Trust policies, and automating security controls.

If you are starting your journey in security engineering, I highly recommend not underestimating these fundamentals. They are the foundation upon which everything else is built.