What separates a good security engineer from a great one in 2025
New research and industry voices spell out exactly what companies should demand when hiring the people who keep their systems safe, and why the old checklist of certifications no longer cuts it.

Key points
- 43% of more than 625 security executives surveyed in the 2026 Global CISO Leadership Report named third-party supplier risks as their single top priority.
- Artificial intelligence tools now handle vulnerability scanning and threat flagging that previously took security teams hours to do manually.
- The strongest security engineers today are expected to move fluently across cloud infrastructure, application security, and regulatory compliance without needing to hand off work at each boundary.
- Criminals are using the same AI writing and automation tools as defenders, making phishing emails harder to detect and social engineering attacks more precisely targeted.
The job of a security engineer, meaning the specialist who designs and builds the technical defences protecting a company's data and systems, has changed more in the past two years than in the previous ten. What companies need from those engineers has shifted just as fast.
CSO Online gathered views from practitioners at major organisations to map out what separates an exceptional hire from an average one. The picture that emerges is less about technical certificates and more about judgment.
Why do AI skills matter so much right now?
AI now does the repetitive detection work that used to fill a security engineer's day. Automated tools scan for weaknesses and flag suspicious behaviour in minutes rather than hours. That frees engineers for harder decisions, but it also raises the bar for what they need to understand.
The problem cuts both ways. The same AI tools that help defenders work faster are available to criminals. Phishing emails, which are fake messages designed to trick staff into handing over passwords or sensitive information, are now better written and more precisely aimed at individuals than they were a year ago. Security engineers must understand both how to use AI defensively and how attackers are weaponising it.
Praveen Margabandhu, who leads performance engineering at Navy Federal Credit Union, puts it plainly. A fraud detection system that is technically secure but too slow to catch a transaction as it happens is not actually secure. Elite engineers optimise for both speed and protection at the same time.
Communication is the underrated skill.
Multiple people quoted in the reporting agree on one trait that does not appear in most job advertisements: the ability to explain a technical risk to a room full of executives who have no technical background. An engineer who can connect an authentication flaw to real financial exposure moves faster through an organisation than one who can only describe it in infrastructure jargon.
Many security failures, independent researcher Juan Mathews Rebello Santos argues, trace back not to missing tools but to a breakdown between technical teams and the business leaders making decisions about risk.
Third-party risk, meaning the danger that comes through suppliers and external software a company depends on rather than systems it directly controls, rounds out the picture. Nearly half of surveyed security leaders call it their top concern. Engineers who still think only about securing what a company owns, rather than everything it connects to, are already behind.
For ordinary employees, the practical upshot is straightforward. The people your company hires to protect its systems now need to understand your business, not just their tools. If your workplace has not recently reviewed how it vets outside suppliers or updated staff training on AI-generated phishing, those are the two gaps most likely to matter.



