How many security engineers does it take to (significantly) change a SIEM project?

I was recently asked to help putting together the qualifications or a high level profile for a job ad to hire a good "security engineer".

But what do security engineers actually do?

Depending on how mature an organization is (or how large the budget is), I risk saying it may be that person responsible for all things "cyber"!

Or maybe the person who does market research (PoCs), security design and projects delivery. But maybe also tunes the NIDS and to top it all, he/she is also monitoring security alerts (accumulating architect/analyst roles).

Believe me, there are such security out there. Just because they can, just because they liked it, just because.

So after a few discussions and some googling, we've agreed that one of the main goals of engineers is about achieving the best change given the resources available.

Next obvious question was: what kind of change is (mainly) expected and what will be the resources available?

The person said the much needed engineer would be responsible for making sure the SIEM (along with other security products), and mainly the SIEM, does provide the expected value — as it would apply to any other investment.

It had became clear we were talking about a "SIEM Engineer" role.

But then again, a SIEM engineer may be the guy (or girl) responsible for data on-boarding, to platform maintenance and capacity planning, to content development.

At some point, we ended up with some sort of Security Engineering profiles for developing a successful SIEM program. I'm not going to cover all those (I know, fishy title), but one that stands out is the .

Those folks are likely working for very specific business such as MSSPs, CSIRTs and Vendors, or any much mature teams from organizations willing to invest in in-house A-players staff.

They are the ones involved with security research, building rules and dashboards that will be consumed by monitoring teams. The output of their work leads to fruitful investigations, that will ultimately spot real threats.

Threat Detection Engineer profile

Since I heavily work with Splunk, here's how I would put a high level profile for such role given the mindset and skills needed:

BTW, this post made me recall this tweet from a while ago:

Blueteamer. Threat Detection Engineering & Research.

Blueteamer. Threat Detection Engineering & Research.