Cybersecurity Engineer Vs Cybersecurity Professional: What’s The Difference?


We often hear the term “engineer” tossed around in job titles for those in the IT space. But if we drill down into the subcategory of security, what is the difference between a cybersecurity engineer and a cybersecurity professional? It might sound like the same thing to you, but one security pundit insists that there are differences that could affect the employability of workers in this industry.

Expectations of cybersecurity workers have also changed, and the subtle differences between various roles in this space can matter a great deal to those hunting for a new job, according to Kok Yew Toh, senior manager for IT security and assurance at insurance firm Prudential. With the prevalence of malware launched by professional criminal rings to target businesses, organisations have become increasingly aware of cybercrime. This has shifted the boardroom conversation around cybersecurity from fighting off active attacks to prevention. Strategic thinkers who can manage and assess risks are in higher demand than coders who are good at building ways to combat active cyberattacks, Toh said.

“Right now, we are not looking for cybersecurity engineers, we are looking for cybersecurity professionals. There’s a difference,” he said in a journal published by professional recruitment firm Hays.

To Toh, cybersecurity professionals are better at taking a long-term strategic view and can communicate effectively. While cybersecurity engineers have the technical capabilities, those skills can be learned by a cybersecurity professional later down the track, Toh said:

“Engineers will look to fulfil the baseline requirements for the industry: professionals will look at the baseline and ask if it is appropriate for their own business processes. If it isn’t, they will ask if they can make another baseline for their processes.
“We’re not looking for firemen anymore, we’re looking for people who can anticipate how the fire will happen.”

“Engineer” has been a problematic term in the IT industry. Some have claimed that it’s a misnomer when programmers call themselves “software engineers”.

According to Ian Bogost from The Atlantic:

“Traditional engineers are regulated, certified, and subject to apprenticeship and continuing education. Engineering claims an explicit responsibility to public safety and reliability, even if it doesn’t always deliver.
“The title ‘engineer’ is cheapened by the tech industry.”

What are your thoughts on the term “cybersecurity engineer” versus “cybersecurity professional”? If you’re in the IT space, what is your job title right now and does it accurately reflect your role? Let us know in the comments.


  • As an information security expert with over 20 years’ experience – I can confidently state this article is just plain ill-informed and quite ignorant.

    You suggest that one starts as a “professional” and then at some point you gain skills that make one an “engineer”?

    You mix up the terms “software engineer” and engineers who have a degree in engineering such as civil or mechanical. Perhaps you meant Systems Engineer, but I guess you don’t know what they are either, or what Systems Engineering is.

    Your interviewee from Prudential not having a requirement for technical staff does not mean the entire security sector is like that – it’s specific to his business.

    I hire IT security professionals myself, and I can confidently advise that the entire spectrum of skills is in demand: folk who can design and integrate, folk who can perform risk analysis, folk who can perform assurance and testing, folk who are specialised in particular compliance standards (ISM, NIST, PCI-DSS etc), folk who can look over the horizon and produce enterprise security architecture.

    • Hi Stephen.

      Thanks for the comment.

      Just wanted to clarify a few things:
      1) This article highlights comments made in a journal published by professional recruitment company Hays which addresses the IT security industry as a whole, not just the insurance space that Prudential plays in.
      2) I’m merely highlighting comments made by a security expert in a journal about recruitment. Nowhere in the article did I mention that I agree with his views. This article is more to be used as a platform for discussion.
      3) I referred to an article published by The Atlantic, which has been widely read, regarding the term “engineer” being used in the IT space. Again, it’s not my personal opinion.

      I’m interested in what others in the industry think about this topic and thank you for kicking off the discussion. I hope I have cleared up any misunderstandings you have about the article.



  • I totally agree with this. One of my pet hates is people who call themselves engineers without an engineering degree. I myself have a Bachelor’s in engineering. I don’t understand why people just started calling themselves engineers without being an engineer in the first place. Like Elon Musk calls himself an engineer but he doesn’t have an engineering degree.
