Intermediate

Security Engineering: Asset Evaluation and Execution Plan

This course walked through the full lifecycle of a security engineer's role in securing a newly acquired IT estate — from understanding the job itself, through inventorying and evaluating...

Table of Contents

This course explores the role of the security engineer, beginning with a comprehensive approach to asset inventory, moving into identifying and managing IT assets, and finishing with crafting actionable execution plans to secure those assets. A running case study — Globomantics, an organization that has just acquired several small defense-manufacturing firms — is used throughout to ground each concept in a realistic, end-to-end scenario: from understanding what a security engineer does, to inventorying the newly acquired IT estate, to building and presenting a plan that secures it.


Module 1: Understanding the Security Engineer Landscape

The Role of a Security Engineer

The role of a security engineer centers on three major tasks as they relate to security tools, solutions, and controls:

  1. Designing a solution — figuring out the necessary components and requirements so the solution can be implemented into the environment.
  2. Implementing that solution — integrating it into existing architecture, which is rarely as simple as “set it up and forget it,” especially in large, complex enterprise environments with many interdependent components.
  3. Maintaining the solution — ensuring it continues to function as intended and continues to provide value in the form of security protection or performance enhancement.

Where the Security Engineer Fits

A typical organization’s technical cybersecurity talent can be viewed as a tiered structure:

flowchart TB
    A["Security Architect<br/>Provides the blueprints for the organization's<br/>overall security architecture (high-level design)"]
    B["Security Engineer<br/>Provides detailed design and implements the<br/>solutions referenced in the architect's blueprints"]
    C["Security Analyst<br/>Monitors SIEM alerts, investigates security events,<br/>and performs incident response"]

    A --> B --> C

    style A fill:#4a6fa5,color:#fff
    style B fill:#5b8c5a,color:#fff
    style C fill:#c96f3c,color:#fff
  • The security architect operates at the highest level, focused on the overarching design and placement of security solutions.
  • The security engineer operates one tier below the architect, providing much more detailed design and actually implementing the solutions referenced in the architect’s blueprints — for example, selecting an identity and access management (IAM) platform such as Okta for authenticating identities and enabling single sign-on.
  • The security analyst sits at the lower tier, leveraging the tools and controls that engineers build and maintain — monitoring SIEM alerts, querying logs during investigations, and performing incident response (e.g., mitigating a phishing campaign or remediating malware on a server or endpoint).

In short: the architect lays the foundation for the organization’s overall security architecture and planning; security engineers design, implement, and maintain the various security controls, tools, and solutions; and security analysts leverage those controls to perform their day-to-day tasks such as event investigation and incident response.

Security Engineer Specializations

The security engineer role can be broken down into a wide range of specializations:

SpecializationFocus AreaRepresentative Tools/Platforms
Identity and Access Management (IAM)Designing, implementing, and maintaining solutions for user authentication, single sign-on, and identity access controlsOkta, Microsoft Entra ID
Network SecurityMaintaining network security devices such as next-generation firewalls, wireless access points, and switch/router security configurationNext-gen firewalls, WAPs
Security Information and Event Management (SIEM)Engineering and deploying SIEM platforms, including dashboards and alerting, used by security analysts for investigation and responseSplunk, IBM QRadar
Physical SecurityEnsuring the physical security of IT systems by selecting and maintaining locks and access mechanisms for the most sensitive assetsBadge/access-control systems
Application SecurityEngineering security controls for software and web applications, often working alongside developers/DevOps to find and remediate code vulnerabilitiesWeb Application Firewalls (WAF)
Cloud SecurityImplementing cloud security controls that mirror on-premises controls (WAF, network firewall, IAM) but on a cloud platformAWS WAF/Network Firewall, Microsoft Entra ID on Azure
Artificial Intelligence (AI) SecurityImplementing IAM, virtual private cloud configuration, and application security controls specifically for AI applications and platformsCloud-native AI security tooling
Security Tool DevelopmentBuilding custom applications and scripts to aid other security team members (e.g., analysts) in performing investigation steps and tasksCustom scripting/automation
mindmap
  root((Security Engineer<br/>Specializations))
    IAM
      Authentication
      Single sign-on
      Access control
    Network Security
      Firewalls
      Wireless access points
      Switch/router security
    SIEM
      Dashboards
      Alerting
    Physical Security
      Locks
      Access mechanisms
    Application Security
      WAF
      Code vulnerability remediation
    Cloud Security
      IAM in the cloud
      Cloud firewalls
    AI Security
      IAM for AI platforms
      VPC configuration
    Tool Development
      Custom scripts
      Automation for analysts

Career Paths

Security engineering specializations primarily cater to a technical career path. With enough experience, an engineer can transition to a higher technical role such as security architect. However, security engineers are not limited to technical roles — many eventually transition to a non-technical path centered on Governance, Risk, and Compliance (GRC).

flowchart LR
    SE["Security Engineer<br/>(IAM / Network / Cloud / App / AI / SIEM)"]
    SE -->|Technical path| SA["Security Architect"]
    SE -->|Non-technical path| GRC["Governance, Risk, and Compliance"]
    SA --> Lead["Leadership<br/>(CISO / CIO / CTO)"]
    GRC --> Lead

    style SE fill:#4a6fa5,color:#fff
    style Lead fill:#c96f3c,color:#fff

A strong technical background aids either path. GRC roles, in particular, tend to interface with management and executives far more frequently than purely technical roles, and that added visibility can be leveraged toward consideration for a leadership role such as Chief Information Security Officer (CISO), Chief Information Officer (CIO), or Chief Technology Officer (CTO) — among the highest-compensated roles in enterprise organizations internationally. This is not to say a technical architect role cannot lead to leadership; it simply highlights that non-technical GRC roles traditionally provide more direct executive interfacing.

Security Engineering Challenges and Pillars

Challenges Facing Security Engineers

flowchart TD
    C["Security Engineering Challenges"]
    C --> T["Threat Actors & Attack Surface<br/>Hackers seeking monetary gain via data theft or ransomware"]
    C --> Comp["Compliance<br/>Legal regulations and industry standards"]
    C --> D["Deployment Issues<br/>Real-world implementations are rarely as simple as they seem"]
    C --> U["End-user Satisfaction<br/>Users may circumvent solutions they dislike"]

    style C fill:#4a6fa5,color:#fff
  • Threat actors and attack surface — Hackers seek to steal sensitive information or deploy ransomware for monetary gain. To combat this, it is critical to understand the organization’s attack surface and maintain visibility across assets, platforms, tooling, solutions, and vendors. Simply put: you cannot defend against what you cannot see or have no information about.
  • Compliance — Remaining compliant avoids legal ramifications and financial penalties, and keeps the business operational by adhering to legal regulations and industry standards.
  • Deployment issues — Security solutions do not deploy overnight and often run into implementation issues; simple-looking deployments are rarely simple in reality.
  • End-user satisfaction — Solutions must be both functional/secure and acceptable to end users. If users are unhappy with a solution, they are more likely to circumvent it while doing their job. For example, an IAM engineer might favor passwordless authentication (e.g., a push notification to a user’s mobile device via Microsoft Entra ID) over requiring users to carry easily lost hardware token-generation devices — sometimes less is more.

The Pillars of Security Engineering

Most security professionals are familiar with the CIA triad — Confidentiality, Integrity, and Availability. As a security engineer, it is your responsibility to adhere to secure design in order to support that triad.

flowchart TD
    CIA["CIA Triad<br/>Confidentiality • Integrity • Availability"]
    SD["Secure Design<br/>Security from the start — account for<br/>vulnerabilities and misconfigurations early"]
    P["Prevention<br/>Firewalls and IAM access controls<br/>block malicious requests"]
    Det["Detection<br/>Alarms notify the appropriate team members<br/>when malicious activity is detected"]
    R["Response<br/>Analysts and incident responders act<br/>on detected activity"]

    SD --> CIA
    CIA --> P
    P --> Det
    Det --> R
    R -.supports.-> IR["NIST SP 800-61:<br/>Computer Security Incident Handling Guide"]

    style CIA fill:#4a6fa5,color:#fff
    style IR fill:#c96f3c,color:#fff
PillarDescription
Secure DesignSecurity is considered from the start of a solution’s design, accounting for vulnerabilities and misconfigurations before they can be introduced.
PreventionControls such as firewalls and IAM access controls actively block malicious requests.
DetectionAlarms and monitoring alert the appropriate team members whenever malicious activity is detected, aiding analysts during incident response.

These pillars directly support the incident response lifecycle described by NIST in the Computer Security Incident Handling Guide (NIST Special Publication 800-61). This holistic perspective is especially valuable for security engineers responsible for developing tooling used by other members of the security team.

Aligning Security Engineering with Business Objectives

Objectives, Goals, and Mission

flowchart TD
    O["Objectives<br/>Small, measurable, specific achievements<br/>completed in weeks or months<br/>(e.g., deploy a WAF, provision a database)"]
    G["Goals<br/>Larger achievements taking months to years<br/>(e.g., 5-10 goals set at the start of a year)"]
    M["Mission<br/>Multi-year vision based on the organization's<br/>values, culture, and purpose"]

    O --> G --> M

    style O fill:#5b8c5a,color:#fff
    style G fill:#4a6fa5,color:#fff
    style M fill:#c96f3c,color:#fff
  • Objectives are small, measurable, specific achievements — for example, deploying a web application firewall, deploying the databases that support a web application, and provisioning the resources/services necessary to support it. These are typically achievable within weeks or months.
  • Goals may take several months to years to achieve. Organizations commonly start the year with 5 to 10 goals. Objectives feed into goals — e.g., all those web-application-related objectives feed into the goal of launching a new web application. Departments outside of IT (such as marketing) also have their own business objectives (e.g., launching a new campaign) that feed into broader goals.
  • Mission is a multi-year vision grounded in the organization’s values, culture, and purpose (e.g., a university’s mission of providing educational services to learners seeking degrees and certifications).

Case Study: Aligning to Globomantics’ Acquisition Objective

Globomantics recently completed the business objective of acquiring several small firms, feeding into their annual goal of becoming more competitive in the defense industry by acquiring firms that specialize in defense manufacturing and hold valuable R&D insights.

flowchart LR
    Obj["Objective:<br/>Acquire small defense-manufacturing firms"] --> Goal["Goal:<br/>Become more competitive<br/>in the defense industry"]
    Goal --> Mission["Mission:<br/>Sell innovative products"]

    Obj --> SE1["Security Engineer Action:<br/>Perform asset inventory & evaluation"]
    SE1 --> SE2["Understand attack surface<br/>and exposure of new assets"]
    SE2 --> SE3["Assess risk associated<br/>with these assets"]
    SE3 --> SE4["Design, implement, and maintain<br/>security controls"]

    style Obj fill:#5b8c5a,color:#fff
    style Goal fill:#4a6fa5,color:#fff
    style Mission fill:#c96f3c,color:#fff

Security engineers align to this business objective by first performing asset inventory and evaluation on the newly acquired firms. This feeds directly into understanding the attack surface and exposure of those new assets, which in turn feeds into risk assessment and, ultimately, the design, implementation, and maintenance of the security controls that protect those assets.

Risk and Risk Management

Risk is the likelihood that a threat will cause an undesirable incident — such as a ransomware attack, sensitive data exfiltration, or a denial-of-service attack that takes services offline for an extended period. Any of these can seriously affect the organization financially, potentially putting it out of business. For this reason, organizations calculate and assess risk through a process known as risk management.

For security engineers, risk analysis — and quantitative risk analysis in particular — drives which business objectives are undertaken and prioritizes which objectives must be completed first.

Quantitative Risk Analysis: The Math Behind ALE

TermDefinitionFormula
Asset Value (AV)The monetary value of the asset being protected
Exposure Factor (EF)The percentage of asset value expected to be lost if a threat is realized
Single Loss Expectancy (SLE)The expected monetary loss from a single occurrence of a threat$$SLE = AV \times EF$$
Annualized Rate of Occurrence (ARO)The estimated frequency a threat is expected to occur in a year
Annual Loss Expectancy (ALE)The expected monetary loss to an asset over one year$$ALE = SLE \times ARO$$
Residual RiskThe remaining risk facing an asset after security controls have been implemented

ALE is important to security engineers because it aligns directly with a business objective like the Globomantics acquisitions: the only way to calculate ALE — which ultimately helps leadership understand the expected annual loss — is through asset value and exposure factor, both of which are directly tied to the security engineer’s work of asset inventory and evaluation.

Residual risk calculations help the organization understand the risk still facing an asset after controls have been implemented. This drives future design and implementation decisions, especially if the organization is unsatisfied with the amount of residual risk that remains.

flowchart TD
    AI["Asset Inventory & Evaluation"] --> AV["Determine Asset Value (AV)"]
    AI --> EF["Determine Exposure Factor (EF)"]
    AV --> SLE["Single Loss Expectancy<br/>SLE = AV x EF"]
    EF --> SLE
    SLE --> ARO["Apply Annualized Rate<br/>of Occurrence (ARO)"]
    ARO --> ALE["Annual Loss Expectancy<br/>ALE = SLE x ARO"]
    ALE --> Prioritize["Prioritize security objectives<br/>by risk reduction value"]
    Prioritize --> Controls["Design / Implement / Maintain<br/>security controls"]
    Controls --> RR["Residual Risk<br/>(risk remaining after controls)"]
    RR -.re-evaluate.-> Prioritize

    style ALE fill:#c96f3c,color:#fff

Two guiding principles when selecting and implementing security controls:

  • The cost of the control should never exceed the value of the asset it protects — you would never use a $1,000 door lock to protect an asset worth only $5.
  • Controls require ongoing maintenance; a lack of maintenance can render a control ineffective.
  • Controls should demonstrate measurable risk-reduction value — a control that reduces ALE by 10% is more valuable than one that only reduces it by 5%.

Module 1 Recap

  • Security engineers design, implement, and maintain security tools, solutions, and controls, and can specialize across IAM, network, SIEM, physical, application, cloud, and AI security, as well as security tool development.
  • Security engineering careers can follow a technical path (toward security architect) or a non-technical GRC path, both of which can lead to leadership roles such as CISO, CIO, or CTO.
  • Key challenges include understanding threat actors and the attack surface, maintaining compliance, managing deployment friction, and preserving end-user satisfaction.
  • The pillars of security engineering — secure design, prevention, and detection — support the CIA triad and the NIST SP 800-61 incident response lifecycle.
  • Business objectives are small, measurable achievements that feed into larger goals, which in turn support the organization’s overarching mission. Security engineers align to these objectives through asset inventory, evaluation, and risk-driven control implementation.
  • Quantitative risk analysis (ALE = SLE × ARO = AV × EF × ARO) and residual risk drive which security controls are selected, prioritized, and refined.

Module 2: Demonstrating Asset Inventory and Management

The Purpose of Asset Management

Following on from the Globomantics acquisition scenario, security engineers are tasked with understanding the assets acquired, their exposure level, and the security controls needed to protect them. IT asset management includes:

  • Tracking the number and location of assets.
  • Identifying the various types of assets acquired.
  • Monitoring asset health and utilization.
  • Maintaining assets through patching, upgrades, and/or repairs.

The Three Asset Types

Asset TypeDescriptionExamples
Infrastructure / HardwarePhysical and virtual computing equipmentServers, user workstations, network equipment, VoIP phones, printers, virtual machines
SoftwareSoftware and user licenses leveraged by workloads or end usersMicrosoft Office licenses, Adobe Photoshop licenses
DataAny sensitive or meaningful data used to run the businessCustomer/employee PII, intellectual property, financial data
flowchart TD
    AM["IT Asset Management"] --> Infra["Infrastructure & Hardware<br/>Servers, workstations, equipment"]
    AM --> Soft["Software<br/>Licenses used by workloads and end users"]
    AM --> Data["Data<br/>Sensitive/meaningful business data"]

    style AM fill:#4a6fa5,color:#fff

Why Asset Management Matters

flowchart LR
    V["Visibility<br/>What assets exist, how many, where they are"]
    V --> RA["Risk Analysis"]
    V --> VM["Vulnerability Management<br/>(identify CVEs tied to model/version)"]
    V --> Val["Monetary Valuation<br/>(determine appropriate control cost)"]
    V --> Comp["Compliance"]

    style V fill:#4a6fa5,color:#fff
  • Visibility — Knowing what assets exist, how many, and where they’re located enables meaningful risk analysis.
  • Vulnerability management — Visibility allows the organization to identify common vulnerabilities and exposures (CVEs) tied to a given asset’s model or version.
  • Monetary valuation — Understanding the monetary value of assets lets security engineers determine an appropriately priced control. As before: never use a $1,000 door lock to protect a $50 asset.
  • Compliance — One of the most important aspects of asset management. Compliance comes in multiple forms:
Compliance CategoryExamplePurpose
Health regulationsHIPAA (United States)Protects personal health information
Privacy regulationsGDPR (European Union)Protects the personal data of individuals in the EU through data protection requirements
Industry standardsPCI DSSPlaces strict information security requirements on organizations that process credit/debit cards

This is only the surface of the available compliance frameworks, standards, and regulations. Failure to meet compliance can result in legal action and financial penalties, and non-compliance can also restrict business operations — adding further financial burden. Security engineers must prioritize compliance when designing security controls and solutions.

Identifying and Classifying IT Assets

Infrastructure and Hardware Assets

Infrastructure assets include end-user desktops, notebooks, tablets, and mobile devices — typically managed via an agent that reports health, location, and status to a central management console. Servers and network devices are usually top-of-mind, being among the most valuable and expensive hardware assets, but it’s important to remember that VoIP phones and printers are part of the infrastructure too. Though seemingly innocuous, these devices can serve as attack points — an insider threat recording voice calls, or an attacker exfiltrating scanned documents from a compromised printer.

Assets can also be virtual (virtual machines and virtual servers), and one of the most difficult categories to identify is Internet of Things (IoT) devices — wireless cameras, sensors, appliances, and other devices leveraging mobile computing power with an internet connection. Although sometimes overlooked, IoT devices are IT assets with real exposure factor, especially since their firmware is often out of date, leaving them vulnerable to exploitation as an entry point or for side-channel communication.

Software Assets

Software assets include desktop software requiring a legally purchased license (e.g., Adobe Photoshop) as well as software increasingly delivered exclusively as Software as a Service (SaaS) (e.g., Microsoft 365). Asset management extends to server-based licensing, virtual server licensing, and end-user operating system licensing. Adequate license tracking helps avoid fines related to software license auditing.

Data Assets

Data is the most critical — and most intangible — asset type:

  • Personally Identifiable Information (PII) — social security numbers, phone numbers, addresses, and any information that can uniquely identify a person (customer data and employee data alike). Failure to protect PII can result in legal action and fines, so it must be protected using access controls, encryption, and other security controls.
  • Sensitive internal data — internal secrets related to intellectual property, supply chain and manufacturing details that give the company a competitive edge. Losing control of this data can cause the organization to lose its competitive edge and damage perception among customers and partners. This category also includes market-research data and financial data sensitive to business operations.
mindmap
  root((Asset Types))
    Infrastructure/Hardware
      Desktops, notebooks, mobile devices
      Servers & network devices
      VoIP phones & printers
      Virtual machines/servers
      IoT devices
    Software
      Desktop software licenses
      SaaS subscriptions
      Server/OS licensing
    Data
      PII (customer & employee)
      Intellectual property
      Supply chain/manufacturing secrets
      Market research & financial data

Methods for Identifying Each Asset Type

Asset TypeManual MethodAutomated / Tooled Method
Infrastructure/HardwarePhysically locate and count devices (ineffective at enterprise scale; doesn’t cover virtual infrastructure)IT infrastructure asset management platforms such as SolarWinds N-Central or Lansweeper — scan the network, discover assets, track utilization, and support lifecycle management
SoftwareTrack sales records and communicate with authorized-seller sales teamsSoftware asset management tools such as Microsoft Volume Activation Management Tool (centralized license activation and compliance monitoring)
DataManual review/classificationData classification/DLP tools such as Microsoft Purview — scans on-premises servers, workstations, and Azure environments for sensitive information, classifies it, and integrates with data loss prevention (DLP) to stop exfiltration once data is labeled

Automated infrastructure discovery provides control and visibility into which assets are active and how utilized they are — useful when an organization is looking to reduce costs by disposing of underutilized assets. These are only a few examples; thorough research should guide selection of the solution that best fits the organization.

Approaches to Asset Management

Two contrasting approaches define how much information you have about your assets:

flowchart LR
    BB["Black-box Approach<br/>Limited visibility<br/>Detailed information is lacking"]
    WB["White-box Approach<br/>Extensive visibility<br/>Complete information available"]

    BB -->|Simpler, but leaves uncertainty| Risk1["Estimations must be made about<br/>asset count, location, and risk"]
    WB -->|More complex, but comprehensive| Risk2["Enables identification of<br/>potential security concerns"]

    style BB fill:#c96f3c,color:#fff
    style WB fill:#5b8c5a,color:#fff
ApproachVisibilityComplexityTrade-off
Black-boxLimitedLow (simpler)Must rely on calculated estimations about asset count, location, and risk; leaves a level of uncertainty
White-boxExtensiveHigh (information overload)Must consider all available information when making asset management decisions, but enables identification of potential security concerns

In the Globomantics scenario, the security engineering team is currently operating with a black-box approach toward the newly acquired assets, having little to no detailed information available. In the real world, most organizations fall somewhere between the two extremes, and the amount of information available is often dictated by the type of environment the assets live in.

Asset Environments

flowchart TD
    Env["Asset Environment"] --> OnPrem["On-premises<br/>Physical control over location<br/>Detailed model/serial info<br/>Locked doors & access-card control"]
    Env --> Cloud["Cloud<br/>Physically located at the CSP's data center<br/>Managed via console or CLI/credentials"]
    Env --> Hybrid["Hybrid<br/>Some assets on-prem, some in the cloud<br/>No single tool centrally manages everything"]
    Env --> IoT["IoT<br/>Billions of connected devices<br/>Requires dedicated centralized IoT management"]

    style Env fill:#4a6fa5,color:#fff
EnvironmentCharacteristics
On-premisesPhysical control allows detailed asset information (model, serial number) and physical access control (locked data center rooms, key-card access).
CloudIT infrastructure resides in the cloud service provider’s data center; physical access cannot be regulated. Asset management and configuration happen through the CSP’s management console or command-line interface with cloud credentials.
HybridSome assets on-premises, others in the cloud (the Globomantics acquisition scenario). No single tool centrally and effectively manages every facet of a hybrid asset infrastructure; many vendor “solutions” have drawbacks or lack support for newly launched cloud services. Best approach: leverage multiple solutions targeted at the attributes/configuration/status information the organization values most. First-party CSP-native tools often provide more detail than third-party asset management solutions for cloud-hosted assets.
IoTIdentifying and tracking IoT devices is especially challenging. CSPs such as AWS and Azure offer dedicated, centralized IoT management solutions capable of connecting billions of devices while collecting and analyzing their data — essential for industrial manufacturing and automotive organizations managing millions of sensors, cameras, and devices operating in sync.

Demo: Managing Assets Using Lansweeper

This walkthrough demonstrates Lansweeper, an asset management solution that discovers infrastructure, hardware, and software assets and helps identify related vulnerabilities.

StepActionWhat It Shows
1Log into the Lansweeper console after installationA Scanning Activity screen while Lansweeper discovers servers, devices, hosts, and other assets on the network
2View the Dashboard once the scan completesA total asset count (e.g., 25 assets) and a graph of the most common asset types (virtual machines, switches, network devices, cameras, etc.)
3Navigate to All AssetsA detailed breakdown of asset types (laptop, smart TV, gaming device, virtual machine, etc.), domain information, and network information (IP and MAC address) for every connected device
4Create Asset GroupsOrganize discovered assets in a way that makes sense for the organization
5Use Add a New AssetManually register an asset missed by the scan, or one segmented from the Lansweeper server — capturing name, type, IP, MAC, domain, location, serial number, warranty end date, backup/patching maintenance info, notes, and even a picture; the new asset can be linked to an asset group or related to another asset at the same or a remote location
6Navigate to SoftwareA list of discovered software applications (e.g., 76 applications), including publisher, version, and category
7Navigate to Risk InsightsVulnerabilities displayed using the CVE format, prioritized by a risk score derived from the CVSS score, alongside Attack Vector and Attack Complexity — enabling the security engineer to quickly identify and patch high/critical vulnerabilities and lower overall risk
sequenceDiagram
    participant Engineer as Security Engineer
    participant Lansweeper
    participant Network

    Engineer->>Lansweeper: Install and log in
    Lansweeper->>Network: Scan for servers, devices, hosts
    Network-->>Lansweeper: Return discovered assets
    Lansweeper-->>Engineer: Display Dashboard (asset count & types)
    Engineer->>Lansweeper: Navigate to All Assets
    Lansweeper-->>Engineer: Show detailed asset breakdown (type, IP, MAC, domain)
    Engineer->>Lansweeper: Add missing/segmented asset manually
    Engineer->>Lansweeper: Navigate to Software
    Lansweeper-->>Engineer: List discovered software (name, publisher, version)
    Engineer->>Lansweeper: Navigate to Risk Insights
    Lansweeper-->>Engineer: Show CVEs ranked by risk score, attack vector, attack complexity
    Engineer->>Engineer: Prioritize and patch high/critical vulnerabilities

This single platform provides both hardware/infrastructure asset discovery and software asset discovery, giving the security engineer the visibility needed to understand what’s on the network and where the highest-risk vulnerabilities exist.

Module 2 Recap

  • Asset management provides visibility (what assets exist, how many, where located), enables risk analysis and vulnerability management, supports cost control (identifying underutilized assets for disposal), and is essential for meeting compliance obligations (health, privacy, and industry standards).
  • The three asset types are infrastructure/hardware, software, and data — each identified and managed using different tools (network discovery platforms like Lansweeper/SolarWinds N-Central for hardware, license management tools like Microsoft Volume Activation Management Tool for software, and classification/DLP tools like Microsoft Purview for sensitive data).
  • Two approaches to asset management are the black-box approach (limited visibility, simpler, but leaves uncertainty) and the white-box approach (extensive visibility, more complex, but enables identifying concerns).
  • Asset environments — on-premises, cloud, hybrid, and IoT — each carry distinct visibility, control, and tooling implications. Globomantics’ newly acquired assets exist in a hybrid environment.
  • The Lansweeper demo illustrated end-to-end asset discovery, inventory, grouping, manual asset registration, software discovery, and CVE-based risk prioritization.

Module 3: Creating a Security Engineering Execution Plan

Defining Processes and Procedures

With asset evaluation, identification, and risk management understood, the next step is to translate that information into action via an execution plan. The foundation of that plan is a clear definition of processes and procedures.

flowchart TD
    P["Processes<br/>High-level<br/>A series of inputs (steps/tasks/activities)<br/>that produce a desired output"]
    Pr["Procedures<br/>Low-level<br/>Step-by-step instructions that define<br/>HOW tasks are performed"]

    Pr -->|Feed into| P
    P -->|Provides| S["Strategic direction for the<br/>security engineer's role and the<br/>organization's overall security efforts"]

    style P fill:#4a6fa5,color:#fff
    style Pr fill:#5b8c5a,color:#fff
ConceptLevelPurpose
ProcessHigh-levelMade up of many small tasks/steps; defines what is being done and why — provides structure and strategic direction.
ProcedureLow-levelStep-by-step instructions defining how an activity is performed; ensures consistency across security engineers performing the same task.

An example of a procedure is a set of step-by-step instructions on how to update an Apache system, or detailed instructions on how to configure/modify firewall rules on a web application firewall. Having such detailed procedures keeps security engineers consistent, lowering the risk of misconfigurations that could lead to a cybersecurity incident. These low-level procedures ultimately feed into a higher-level process — for example, “strengthening the web applications of all Globomantics’ newly acquired firms” — which should be included in the overall execution plan because it supports the organization’s overall security.

Strategy for an Execution Plan

With processes and procedures serving as the actions of the plan, the next step is to plan the strategy for execution.

flowchart TD
    Scope["1. Define Scope<br/>(e.g., focus only on newly acquired firms)"]
    Req["2. Gather Requirements<br/>(licenses, upskilling, budget)"]
    Resp["3. Assign Responsibilities<br/>(manageable workload per team member)"]
    DL["4. Define Deadlines<br/>(strict for must-haves, looser for nice-to-haves)"]
    Val["5. Check & Validate<br/>(requirements met, responsibilities upheld)"]

    Scope --> Req --> Resp --> DL --> Val

    style Scope fill:#4a6fa5,color:#fff
    style Val fill:#5b8c5a,color:#fff
Strategy StepDescription
Define scopeStart with a focused scope (e.g., only the newly acquired small firms). A smaller scope yields a reasonable, achievable list of requirements.
Gather requirementsRequirements might include purchasing licenses, upskilling the team on a new technique, and determining the budget needed for the plan. A manageable requirements list is far easier to achieve than a long list the organization cannot fund.
Assign responsibilitiesResponsibilities must be manageable — avoid overloading any single team member so others can pick up the load if something happens to a teammate. For an acquisition, incorporate team members from the acquired firm’s existing IT staff alongside current team members, since they bring critical environment-specific knowledge.
Define deadlinesDefine strict deadlines for must-have outcomes (e.g., implementing MFA) and looser deadlines for nice-to-have items (e.g., adding a company logo to the MFA prompt).
Check and validateContinuously verify the plan meets requirements and that team members are completing tasks on time.

Anticipating Roadblocks

mindmap
  root((Execution Plan<br/>Roadblocks))
    Organizational culture
      Resistant to change
      Prefers traditional tooling
    Lack of leadership support
      Difficulty securing resources
    Financial budget
      Often tied to scope being too wide
    Technical infrastructure
      Not in place or too slow to implement
    Skill gaps
      May require additional staffing/expertise
RoadblockDescription
Organizational cultureA culture resistant to change may prefer traditional tools over newer tooling/solutions, even when the newer options expand capability.
Lack of leadership supportResults in difficulty securing the resources needed to implement the plan.
Financial budgetOften tied back to scope — failing to properly scope the plan (too wide) leads directly to budget concerns.
Technical infrastructureThe infrastructure may not be in place, or may take too long to implement for the plan to succeed.
Skill gapsMay require assessing whether to bring in additional staffing or technical expertise.

Anticipating these roadblocks in advance allows the team to plan accordingly rather than being caught off guard.

Meeting with Leadership

Once a strategy is defined and roadblocks are anticipated, the next step is presenting the execution plan to leadership to garner support and increase the likelihood of successful implementation.

flowchart TD
    Purpose["1. State the Purpose<br/>Clear, non-technical explanation of how assets will be secured"]
    Scope2["2. Describe the Scope<br/>Business units impacted, team members involved, resources required"]
    Benefits["3. Explain the Benefits<br/>Prioritize financial benefits (cost savings, productivity)"]
    Align["4. Show Alignment<br/>Connect the plan to organizational goals and mission"]
    QA["5. Leave Time for Questions<br/>Come prepared with your own questions too"]
    Proof["6. Provide Proof & References<br/>Evidence the plan can and will succeed"]

    Purpose --> Scope2 --> Benefits --> Align --> QA --> Proof

    style Purpose fill:#4a6fa5,color:#fff
    style Proof fill:#5b8c5a,color:#fff
Presentation ElementGuidance
PurposeBe clear and straight to the point — explain how assets will be secured without getting lost in technical jargon, since not all audience members will be technical.
ScopeDescribe the business units impacted, the team members involved, and the additional resources required for execution.
BenefitsPrioritize financial benefits — cost savings or productivity increases resonate strongly with leadership.
AlignmentExplicitly connect the plan to the organization’s existing goals and objectives, establishing that the plan supports the overall mission.
Q&ALeave time for questions at the end; coming prepared with your own likely questions can pre-empt concerns and drive more meaningful feedback.
Proof and referencesInclude proof/case references that the plan can and will succeed, further instilling confidence.

Case Study: Presenting Globomantics’ Execution Plan

Presentation StepGlobomantics Example
PurposeMeeting a compliance framework — PCI DSS has clearly defined objectives for meeting its compliance requirements.
ScopeLimit the plan to the newly acquired assets, allowing the team to focus on a small subsection of the organization and complete the plan in a timely manner.
BenefitsEmphasize avoiding legal action and fines rather than the vague “it keeps the organization safe” — this signals the plan protects the organization’s finances directly.
AlignmentThe plan aligns with the organization’s mission of selling innovative products — Globomantics must be able to process credit/debit card transactions from consumers, which requires meeting PCI DSS compliance requirements.
Anticipated question”How much will the plan cost?” — come prepared with at least two or more sales quotes/proposals, and consider leveraging vendor sales representatives to help build a proof-of-concept deployment in a test environment.

Incorporating Feedback

After the presentation, elicit feedback to:

  • Further analyze the plan for deficiencies or areas of concern.
  • Understand which parts of the plan are most meaningful from leadership’s perspective.
  • Gauge leadership’s overall sentiment toward the plan.

Once feedback is collected, incorporate it by addressing concerns and prioritizing leadership’s interests — ensuring there is clear alignment between the feedback and the plan’s intended outcome. Failing to do so signals that you do not value the input or time of the person providing feedback, which can erode support for the plan.

Module 3 Recap

  • Processes are high-level and define what/why; procedures are low-level, step-by-step instructions that define how — procedures feed into processes.
  • An execution plan strategy should define scope, gather requirements, assign responsibilities, set deadlines (strict for must-haves, looser for nice-to-haves), and check/validate progress.
  • Anticipate roadblocks from organizational culture, lack of leadership support, financial budget, technical infrastructure gaps, and skill gaps.
  • When meeting with leadership, clearly state the purpose and scope, articulate benefits (prioritizing financial ones), show alignment with organizational goals/mission, leave room for questions, and provide proof of success.
  • After presenting, elicit and incorporate feedback to further bolster leadership support.

Module 4: Continuing and Next Steps

Communication and Reporting

Communication in a plan or project involving multiple team members should never be siloed — updates, responsibilities, and progress must be actively communicated. It’s equally important to tailor communication to the audience:

  • Leadership — keep communication at a high level, prioritizing how the execution plan affects (or is currently affecting) business units. Leadership is preoccupied with organizational decision-making, so detailed technical information should be reserved for key stakeholders and technical team members.
  • Key stakeholders and technical team members — more detailed, task-oriented information.

Communication is typically formalized through reports — emails, documents, and spreadsheets — presented at interval meetings depending on the organization. Reports should include:

  • How feedback from stakeholders and leadership is being incorporated.
  • Tracking information related to resource procurement and meeting the requirements defined in the execution strategy.

Reports begin before the execution plan commences and continue throughout its life on a biweekly or monthly cadence, depending on the organization.

Globomantics’ Communication Cadence

sequenceDiagram
    participant SecEng as Security Engineers (Technical)
    participant Stake as Key Stakeholders
    participant Lead as Leadership

    loop Weekly
        SecEng->>SecEng: Weekly team sync
    end
    loop Every 2 weeks
        SecEng->>Stake: Biweekly sync with stakeholders
    end
    Note over SecEng,Stake: After every 2 biweekly syncs
    Stake->>Lead: Monthly meeting (formal, high-level report)
    SecEng-->>Lead: One representative engineer attends to answer technical questions
CadenceAudienceContent Level
WeeklySecurity engineers (technical team)Task-level, detailed
BiweeklySecurity engineers ↔ key stakeholdersDetailed progress and blockers
MonthlyStakeholders → leadership (one representative engineer attends)High-level, formal document outlining progress and business-unit impact

During the monthly leadership meeting, stakeholders present a formal, high-level document outlining the plan’s progress and its impact on the organization’s business units, while the accompanying security engineer supports them by answering any technical questions leadership may raise.

Execution and Next Steps

Once the Globomantics security engineers have received leadership’s approval — gained by incorporating feedback and communicating that integration back to leadership — the plan can move into execution.

flowchart TD
    Approval["Leadership Approval Received"] --> Purchase["Purchase Resources<br/>(licenses, technology, purchase orders, sales contracts)"]
    Purchase --> Positions["Team Takes Their Positions"]
    Positions --> Commence["Commence Execution Plan<br/>(secure newly acquired IT assets)"]
    Commence --> Monitor["Actively Monitor"]
    Monitor --> Resource["Resource Utilization<br/>(cloud metered-service spend, unused running services)"]
    Monitor --> Levels["Resource Levels<br/>(avoid running out near plan end)"]
    Monitor --> Controls["Control Effectiveness<br/>(validate implemented security controls)"]
    Monitor --> Road["Roadblocks<br/>(delivery delays, deployment issues)"]
    Resource --> Improve["Continuously Improve the Plan"]
    Levels --> Improve
    Controls --> Improve
    Road --> Improve
    Improve -->|Communicate via reports| Monitor

    style Approval fill:#4a6fa5,color:#fff
    style Improve fill:#5b8c5a,color:#fff
Execution StageDetails
ApprovalPlan can only commence once leadership has approved it and resources have been secured.
Purchase resourcesPurchase appropriate licenses and technology; draft purchase orders and sales contracts.
Take positionsIndividuals associated with the plan take their positions so execution can commence.
CommenceFor Globomantics, this means securing the newly acquired IT assets obtained through the recent acquisitions.
Monitor resource utilizationEspecially important with cloud service providers, which often use metered billing — watch for services unintentionally left running that increase spend.
Monitor resource levelsAvoid running short on resources as the plan nears completion.
Monitor control effectivenessTrack and validate that implemented security controls are functioning as intended.
Monitor roadblocksWatch for delays in resource delivery or plan-related deployments, and communicate these issues through report updates to the appropriate parties.

Proper monitoring allows the team to continuously improve the plan by addressing identified issues and adapting to evolving security requirements — whether that means fine-tuning configurations for efficiency, addressing small issues before they escalate, or identifying further areas of security concern and risk to address and improve the security of the newly acquired IT assets.

Module 4 Recap

  • Know your audience: keep communication high-level for leadership and technically detailed for security engineers and key stakeholders.
  • Establish a clear reporting cadence — for Globomantics, a weekly technical sync, a biweekly stakeholder sync, and a monthly leadership meeting (with one representative engineer present to field technical questions).
  • Execution can only commence once leadership approval is secured and resources are purchased.
  • Once underway, continuously monitor resource utilization (especially cloud metered services), resource levels, control effectiveness, and roadblocks.
  • Use monitoring insights to continuously improve the plan and adapt to evolving security requirements.

Summary

This course walked through the full lifecycle of a security engineer’s role in securing a newly acquired IT estate — from understanding the job itself, through inventorying and evaluating assets, to building and executing a formal plan.

flowchart LR
    M1["Module 1<br/>Understand the Security<br/>Engineer Landscape"] --> M2["Module 2<br/>Inventory & Evaluate<br/>IT Assets"]
    M2 --> M3["Module 3<br/>Build the<br/>Execution Plan"]
    M3 --> M4["Module 4<br/>Execute, Monitor,<br/>and Improve"]

    style M1 fill:#4a6fa5,color:#fff
    style M2 fill:#5b8c5a,color:#fff
    style M3 fill:#c96f3c,color:#fff
    style M4 fill:#8c5ab8,color:#fff

Key Principles

  • The security engineer role is one tier below the security architect and one tier above the security analyst, tasked with designing, implementing, and maintaining security controls across specializations such as IAM, network, SIEM, physical, application, cloud, and AI security.
  • Attack surface visibility is foundational — you cannot defend against what you cannot see.
  • Secure design, prevention, and detection are the pillars that support the CIA triad and the NIST incident response lifecycle.
  • Objectives feed goals, and goals feed the mission — security engineering work should always be traceable back to a business objective.
  • Quantitative risk analysis (ALE = AV × EF × ARO) grounds control selection in measurable, financial terms, and controls should never cost more than the asset they protect.
  • Asset inventory across infrastructure/hardware, software, and data — combined with a clear-eyed choice between black-box and white-box visibility — is the prerequisite for any meaningful risk assessment or execution plan.
  • Execution plans succeed when scope is tightly defined, requirements and responsibilities are realistic, deadlines distinguish must-haves from nice-to-haves, roadblocks are anticipated, leadership buy-in is earned through a clear and benefit-focused presentation, and feedback is genuinely incorporated.
  • Communication must be audience-aware, and execution must be actively monitored and continuously improved even after leadership approval is secured.

Quick-Reference Table

PhaseKey ActivityPrimary Output
Understand the landscapeIdentify role, specialization, and business alignmentClarity on how security engineering supports business objectives
Evaluate assetsIdentify infrastructure, software, and data assets; choose black-box or white-box approachAsset inventory with risk and exposure context
Build the execution planDefine processes/procedures, scope, requirements, responsibilities, deadlinesAn approved, leadership-backed execution plan
Execute and improvePurchase resources, commence, monitor, report, and refineA secured, continuously improving asset environment

Security Engineering Execution Checklist

  • Identify the security engineering specialization(s) relevant to the task at hand.
  • Map the initiative back to a specific business objective, goal, and mission.
  • Perform (or update) asset inventory across infrastructure/hardware, software, and data.
  • Determine whether a black-box or white-box asset management approach is realistic given available information.
  • Calculate asset value (AV), exposure factor (EF), SLE, ARO, and ALE where possible to prioritize risk.
  • Confirm that proposed security controls cost less than the value of the asset they protect.
  • Define processes (the what/why) and procedures (the how) for every planned activity.
  • Scope the execution plan narrowly enough to produce a realistic requirements list.
  • Assign manageable responsibilities, including staff familiar with newly acquired environments.
  • Set strict deadlines for must-haves and looser deadlines for nice-to-haves.
  • Anticipate roadblocks: organizational culture, leadership support, budget, technical infrastructure, and skill gaps.
  • Prepare a leadership presentation covering purpose, scope, benefits, alignment, Q&A, and proof of success.
  • Elicit and incorporate feedback from leadership and stakeholders.
  • Establish an audience-appropriate communication and reporting cadence.
  • Purchase resources and take positions only after leadership approval.
  • Monitor resource utilization, resource levels, control effectiveness, and roadblocks throughout execution.
  • Continuously improve the plan based on monitoring insights and evolving security requirements.

Search Terms

security · engineering · asset · evaluation · execution · plan · cybersecurity · fundamentals · networking · systems · assets · management · engineer · globomantics · aligning · case · challenges · communication · identifying · objectives · pillars · risk · study

Interested in this course?

Contact us to book it or get a custom training plan for your team.