Classifying types of “Security Work”

Applying the types of work from The Phoenix Project to security engineering

  • “We are always chasing shiny objects.”
  • “We are always firefighting.”
  • “We are never acknowledged for the day-to-day efforts.”
  • “We are under resourced.”
  • “We are always brought in last minute.”

This is a qualitative modeling approach to work categorization and has some rough edges as a result. All models are wrong.

Business Projects (💰)

Security Operations (🔁)

Security Engineering (🛠️)

Incidents & Unplanned (🚒)

  • Fires
  • Late nights
  • Weekend work
  • Postmortem findings
  • Burn-out

Applying the model

Our new product was launched with several SSRF bugs that we have to fix. (Unplanned 🚒).

We need to start working with product leads to prevent SSRF from making it into future launches (Business 💰).

We could also detect SSRF vulns with static analysis as commits land. Then, patch. (Operations 🔁).

SSRF won’t matter so much if we mitigate the risk more comprehensively. (Security Engineering 🛠️).


Appendix: Work Examples

Secrets Scanning

Suspicious Email Escalation

Encrypted Laptops


