"I want to become a security engineer. But I don't know what to learn first" — I really get this consultation a lot. The cause is clear: "security engineer" is actually not one occupation but a collective name for multiple roles of completely different natures. The person who attacks, the person who builds the protecting mechanism, the person who monitors in operations, the person who decides the organization's policy — as long as you lump these together, you can never draw the map.
So this article, with public primary sources (NIST's framework, METI and IPA guidelines, each certification's official information) as the "map" rather than personal anecdotes, draws end-to-end from the big picture of the security-engineer role through the skills a beginner should build, a certification strategy, and how to survive in the AI era. The technology along the way is all shown with copy-and-run real code.
Target readers of this article: beginners to young engineers about to learn security, engineers wanting to shift their footing from development to security, and developers/managers wanting to judge "should we develop security talent in-house or entrust it externally."
Note that this article is the path of a security engineer who "builds" the defending side. Those aiming for the "attacking side" (penetration tester / ethical hacker) can start from the sister article how to become a white-hat hacker [complete roadmap]. The two are two sides of a coin — you can't become first-rate at either without understanding the other.
0. What is a security engineer in the first place — classify with the official map
Search "security job" and role names flood out — SOC analyst, vulnerability assessor, security consultant, CSIRT… — and you get more confused. The world-standard organizing axis here is the US NIST NICE Workforce Framework for Cybersecurity (NICE Framework) (the foundation is NIST SP 800-181 Rev.1, the current component version is v2.2.0 / April 28, 2025).
The NICE Framework organizes cybersecurity work into 7 categories. This is like a "periodic table of roles," used worldwide as a common language to classify the roles in job postings.
| Category (code) | What domain it does | Role names often seen in Japan |
|---|---|---|
| Design and Development (DD) | Design, develop, test secure systems/software | Security engineer (product), application security |
| Implementation and Operation (IO) | Securely build, configure, operate, maintain systems | Infra / cloud security engineer, system administration |
| Protection and Defense (PD) | Analyze risk, detect threats, investigate/respond to incidents | SOC analyst, CSIRT, incident responder, vulnerability management |
| Oversight and Governance (OG) | Leadership in risk management, policy, education, regulatory compliance | Security consultant, GRC, CISO, audit |
| Investigation (IN) | Investigate cybercrime, digital forensics | Forensic investigator |
| Cyberspace Intelligence (CI) | Collect/analyze threat intelligence | Threat-intelligence analyst |
| Cyberspace Effects (CE) | Offensive/defensive operations in the national/military domain | (mainly government/defense domain) |
What the word "security engineer" refers to is mainly the top four (DD, IO, PD, OG). First decide where among these four you want to stand — this is the first step to drawing the map.
An auxiliary line in the Japanese context: IPA's ITSS+ (Plus) security domain is a "Japan-version role map" that organizes corporate security work into 17 fields. Cross-checking NICE (the world-standard frame) with ITSS+ (the domestic practical classification), almost every role name in a job posting can be positioned.
The difference from the attacking side (white-hat hacker)
Easily confused, but the two differ in starting point.
- White-hat hacker / pentester (the attacking side): demonstrate "how this system can be broken." In NICE terms, leaning toward Protection and Defense or operations. The value is "reproducing the attack."
- Security engineer (the building/protecting side): implement "how to build, operate, and protect a secure system." In NICE terms, DD / IO / PD / OG. The value is "building and maintaining defense."
You can't protect without knowing attack, and can't attack effectively without knowing defense. So this article touches on attack techniques too, but the goal is not "breaking" but "building something unbreakable."
1. The big picture of defense — grasp "what to protect" with NIST CSF 2.0's 6 functions
Once you've decided the role, next hold "what specifically defending means" on one page. The best map here is NIST's Cybersecurity Framework (CSF) 2.0 (released February 2024). CSF 2.0 decomposes an organization's security activities into 6 functions.
| Function | Question | Example of a security engineer's work |
|---|---|---|
| Govern | Who protects, by what policy | Security policy formulation, risk-management structure, supply-chain management |
| Identify | What to protect (assets, risks) | Asset management, threat modeling, risk assessment |
| Protect | How to build in the defense | Authentication/authorization, encryption, secure coding, security settings |
| Detect | How to notice anomalies | Log design, monitoring, alerting, SIEM, vulnerability scanning |
| Respond | How to act when it happens | Incident response, containment, root-cause investigation |
| Recover | How to restore | Backup, recovery plan, recurrence prevention |
The biggest change in CSF 2.0 is that "Govern" was added as an independent function at the top. Not just technology but "continuously managing risk as an organization" was placed at the foundation of security.
Here's what's important. A security engineer's central work is implementing "Protect" and "Detect" as code and operations. Correctly design authentication/authorization, validate input at the boundary, design logs, detect anomalies — understanding the skill map from the next chapter by tying it to which of these 6 functions it bears keeps it from being rote.
2. Foundation skill map — what to learn and why
Security is the work of "understanding the operating principle of systems one level deeper than an ordinary developer." So the foundation is, before security-specific knowledge, in "how computers work." Memorize each field paired with "why it's needed for security."
| Field | Minimum target | Why needed (correspondence with CSF function) |
|---|---|---|
| Network | Can explain the flow of TCP/IP, DNS, HTTP(S), TLS in a diagram | Where to protect communication and where to detect anomalies (Protect, Detect) |
| OS / Linux | Can handle shell, permissions, processes, file permissions | Least privilege, configuration hardening, reading traces of compromise (Protect, Detect) |
| Cloud | Understands the permission boundaries of IAM, network, storage | Most modern systems are on the cloud. Misconfiguration is the biggest hole (Protect) |
| How the web works | Request/response, cookies, sessions, same-origin | Web vulnerabilities (XSS/CSRF/broken authorization) all ride on this (Protect) |
| Programming | Can read and write in Python or JS/TS (can automate) | Write safe code, read flaws, automate detection (Protect, Detect) |
| Basics of cryptography | Distinguish the "where to use" of hashing, symmetric/asymmetric, TLS, JWT | Spot weak crypto, homemade implementations, JWT-verification omissions (Protect) |
What I especially want to emphasize is being able to write programs. A security engineer isn't "a person who only analyzes." The work is to "implement" safe mechanisms and "automate" defense and detection. Whether you can write code greatly divides market value.
And the world-standard map of "what to protect" is OWASP (Open Worldwide Application Security Project). In parallel with the foundation, keep the latest OWASP Top 10:2025 in mind (A01 "Broken Access Control" is still #1). The Top 10 is "a ranking of the holes attackers target," and for the defender it's "a list of holes to plug with priority."
3. The core skill = the ability to "build" securely (a minimal code example)
A security engineer's daily work in one line is "making an illicit state inexpressible by the structure of the code, not by operational carefulness." Abstraction doesn't land, so let me line up "dangerous code" and "safe code" with the example of the most frequent flaw, broken access control (IDOR).
// ❌ 危険:URLのIDを信じて、そのまま取得している。
// 別人のIDに書き換えるだけで、他人の請求書が読めてしまう(IDOR / A01:2025)。
export async function GET(_req: Request, { params }: { params: { id: string } }) {
const invoice = await db.invoice.findUnique({ where: { id: params.id } });
return Response.json(invoice); // ← 「誰がアクセスしているか」を一度も問うていない
}
// ✅ 安全:サーバー側で「ログイン中の本人の資産か」を必ず検証する。
// 所有者でなければ、存在自体を隠して 404 を返す(情報を漏らさない)。
import { z } from "zod";
import { auth } from "@/lib/auth";
const ParamsSchema = z.object({ id: z.string().uuid() }); // ① 境界で入力を検証(型と形)
export async function GET(_req: Request, ctx: { params: unknown }) {
const session = await auth();
if (!session) return new Response("Unauthorized", { status: 401 }); // ② 認証
const parsed = ParamsSchema.safeParse(ctx.params);
if (!parsed.success) return new Response("Bad Request", { status: 400 });
const invoice = await db.invoice.findFirst({
where: { id: parsed.data.id, ownerId: session.userId }, // ③ 認可:所有者条件をクエリに焼き込む
});
// ④ 見つからない=他人のもの。存在を匂わせず 404 に倒す。
if (!invoice) return new Response("Not Found", { status: 404 });
return Response.json(invoice);
}
The difference isn't the sophistication of the technology. It's the design discipline of "don't trust values from the client" and "enforce authorization on the server/DB, not in a UI if-statement." Applying this discipline consistently across input validation, output encoding, authentication/authorization, secrets, and dependencies — that's secure coding, the core skill of a security engineer.
The systematic way to do it (practice in line with NIST's official framework SSDF and OWASP's ASVS, through integration into CI) is deeply explored in a sister article.
📘 Read next: Secure-coding practice guide — becoming an engineer who "builds safely" with NIST SSDF and OWASP ASVS. This article is "what kind of role," that one is "how to build safely."
Note that the IDOR handled here is a representative example of a "design hole" that tools can't easily detect automatically. Concrete detection/fixing in your app (especially a Next.js × Supabase configuration) is collected at the implementation level in the broken-authorization / IDOR detection guide.
4. Turn "ability" into "trust" with certifications
Here many people misunderstand. A certification isn't "proof of ability" but "a common language to convey ability to others." Recruiters and clients don't have time to closely read your GitHub. A certification works as that shortcut to trust. Let me organize for security engineers by role.
4-1. Entry certifications — systematize the basics and step into the ring
| Certification | Issuer | Positioning | Work experience |
|---|---|---|---|
| ISC2 CC (Certified in Cybersecurity) | (ISC)² | Globally common entry. Surveys the basics | Not required (for beginners) |
| CompTIA Security+ (SY0-701) | CompTIA | World standard for practical basics. The staple named in job postings | Recommended only |
Beginners' royal road is to first systematize the basics "broadly and correctly" with ISC2 CC or CompTIA Security+. Both are valid worldwide.
4-2. The national certification you can't skip to work in Japan: "Registered Security Specialist"
Domestically in Japan, the Registered Information Security Specialist (Registered Security Specialist) is the only national certification in the cybersecurity field. Since it "works" for bidding requirements, internal evaluation, and job changes, it's worth aiming for first with a domestic orientation. Let me organize accurately based on IPA official.
- The exam itself needs no work experience. Anyone can take it. Many climb the stairs Fundamental IT → Applied IT → Specialist.
- The exam becomes CBT from FY2026. Subject A / Subject B structure, with no major change to scope or format (confirm the latest at IPA exam info).
- Only after passing and "registering" can you call yourself a "Registered Security Specialist." Registration comes with an obligation of continuing learning (an online course once a year, a practical course once per 3 years, registration renewed every 3 years), which sets it apart from other certifications. It's designed as "a certification to keep learning," not "get it and you're done." Always confirm costs and deadlines at IPA "Registered Security Specialist".
4-3. Specialization / advanced certifications — show defensive skill
Once you've solidified the basics, advance to specialty certifications per the direction you aim for.
| Certification | Issuer | What it shows | Suited direction |
|---|---|---|---|
| Cloud-security family (AWS / Azure / GCP security specialty certifications) | Each cloud vendor | Can securely design/operate cloud environments | IO (cloud operation) |
| CompTIA CySA+ | CompTIA | Practice of detection, analysis, incident response | PD (defense, SOC) |
| (ISC)² CISSP | (ISC)² | Management/design across all of security (5 years of work experience needed) | OG (the "ceiling" of management/consulting) |
Tip on order: you can't aim for CISSP right away (it has a work-experience requirement). Climbing gradually while accumulating practice — basics (CC / Security+ / Registered Security Specialist) → specialization (cloud / CySA+) → management (CISSP) — is realistic.
5. The fastest route from no experience — how to proceed by type
Answer "what should I tackle first, after all" by type.
完全未経験・国内就職重視 基本情報 → 応用情報 → 登録セキスペ(+ Security+ で世界共通語)
+ 自分のPCで手を動かす(次項のハンズオン)
開発経験あり・アプリ寄り Security+ → セキュアコーディング実践 → クラウドセキュリティ資格
(DD:プロダクトセキュリティへ。開発経験が最大の武器)
インフラ経験あり・運用寄り Security+ → クラウドセキュリティ資格 → CySA+
(IO/PD:クラウド・監視・インシデント対応へ)
非エンジニアからの異動 まず ITSS+ の「プラス・セキュリティ」(後述)から
And what works in common on any route is "moving your hands." In parallel with studying for certifications, stand up a learning environment on your own PC and actually build CSF 2.0's "Protect" and "Detect." For a concrete legal hands-on environment (how to learn by standing up a vulnerable app with Docker, CTF), the practical-environment section of the white-hat hacker introduction is directly usable. Trying attacks is the best "learning of defense" (but always only on your own assets / permitted targets — details in security and the law).
The realistic solution of "Plus Security": METI and IPA recommend that, not just security specialists, people in development, business, and management departments "relearn" security knowledge (ITSS+ Plus Security). If you're already an engineer, "security talent who can also develop" is the rarest and most valuable. Rather than changing jobs from zero, "adding" security to your current specialty is, in many cases, a faster and stronger career.
6. "Develop" or "entrust" — the company's viewpoint
Having read this far, the reality should be visible. A full-fledged security engineer isn't developed overnight. 1–2 years for the foundation, 2–4 years for specialization. This is the flip side of that skill's value being very high.
On the other hand, the answer can change from a company's standpoint. METI and IPA's Cybersecurity Management Guidelines Ver 3.0 (March 2023, the first revision in 6 years) and its Appendix F "Guide to building a cybersecurity structure and securing talent" state plainly — if you can't secure talent with the needed skills in-house, you may use a specialized external provider. For selecting a service of a certain quality, IPA's list of services conforming to the information-security-service standard can be used.
| Your situation | The optimal choice |
|---|---|
| Want to become a security expert as a career | "Grow" with this article's roadmap. Time is the biggest investment |
| Want to first wipe out the "horizontal holes" of your app for free | Automate with OSS tools (how to do ZAP/SAST) |
| Want to guarantee even "design holes" before release / RFP / compliance | An expert's audit (authorization/RLS/business logic that automation can't reach) |
The last row — authorization, RLS, tenant isolation, business logic — is a "vertical risk" whose correctness can only be judged by a human who understands "the meaning of the business rules," no matter how many tools you run. Development and external commissioning don't conflict. Automate the horizontal holes and route only the vertical risks to an expert — that's the most cost-efficient way to defend. That boundary is honestly drawn in what a security audit looks at.
7. The security engineer in the AI era — why value rises
"In the era when AI writes code, are security engineers needed?" — the answer is rather, demand grows. Three reasons.
- Generative AI mass-produces code but doesn't guarantee safety. AI-written code easily slips in specific vulnerability patterns (old dependencies, hardcoded secrets, insufficient input validation, missing authorization). NIST takes this seriously too, releasing an AI-development addendum SP 800-218A to SSDF. "A human who can judge that AI-mass-produced code is safe" is decisively in short supply.
- The more detection/response is automated, the more a person to design is needed. AI can handle alerts, but a human defines "what counts as an anomaly" and "is this a permitted operation."
- Secure-by-design moves forward. Precisely because it's an era of building fast, the value of designing safely from the start rises. The cost of rework becomes relatively larger.
I myself have built, with one person × generative AI (Claude Code), a B2B SaaS that won the METI Minister's Award and a payment platform with 0 double charges in production. What I can consistently say there is that "the ability to build fast" and "the ability to build safely" are two sides of the same coin. AI accelerates the former, but a human still judges the latter — there lies the unshakable value of the security engineer (→ how to diagnose vulnerabilities in AI-generated code).
8. Frequently asked questions (FAQ)
Q. Can a humanities major / inexperienced person become a security engineer? A. You can. What matters more than academic background is "the power to persist logically" and "the habit of continuing to move your hands." ISC2 CC and Security+ are designed for beginners and ask for no work experience. First, basic certifications and hands-on on your own PC.
Q. Is programming mandatory? A. It depends on the role. For a SOC analyst (PD) it's not mandatory, but being able to read and write greatly raises market value. It's mandatory especially if you aim for the design & development (DD) direction. Getting Python or JS/TS to a "can automate" level is a strong weapon in any direction.
Q. Is a transition from a development engineer advantageous? A. Very advantageous. "Security talent who can also develop" is the rarest. Rather than changing jobs from zero, "adding" security to your current specialty (METI's "Plus Security") is a faster and stronger career.
Q. The Registered Security Specialist or an overseas certification (CISSP, etc.), which should I get? A. Depends on the purpose. If you emphasize domestic employment, bidding, and public evaluation, the Registered Security Specialist; if you have global or management tiers in view, CISSP (but 5 years of work experience needed). Doing both is normal and not contradictory.
Q. White-hat hacker or security engineer, which should I aim for? A. If drawn to "breaking," white-hat hacker (the attacking side); if drawn to "building and operating something safe," security engineer (this article). Many people go back and forth. Offense and defense are two sides of a coin.
Q. Won't my job be taken by AI? A. Rather the opposite. Generative AI mass-produces code, but a human judges "is this implementation safe" and "is this a permitted operation." Detecting AI-generated-code vulnerabilities and secure-by-design are areas where demand will grow.
9. Conclusion — the next step
The path to a security engineer doesn't start suddenly from attack techniques. It starts from deciding "which role do I aim for" on the official map.
- Classify the role. With the NICE Framework's 7 categories (DD / IO / PD / OG …), decide one direction to aim for. That makes the skills and certifications fall in a straight line.
- Hold the big picture of defense. NIST CSF 2.0's 6 functions (Govern, Identify, Protect, Detect, Respond, Recover). Your center is implementing "Protect" and "Detect" with code and operations.
- Foundation → secure coding. On top of network, OS, cloud, web, programming, and cryptography, stack "the skill of building safely."
- A certification is a translation into trust. Basics (CC / Security+ / Registered Security Specialist) → specialization (cloud / CySA+) → management (CISSP). Pin to each one's latest official spec.
- Value rises precisely in the AI era. "The ability to build fast" and "the ability to build safely" are two sides of a coin. A human who can judge the latter becomes rare.
And don't forget that the answer can change by standpoint. Both growing yourself and entrusting someone already skilled are correct choices. If your app is facing a production release, first wipe out the "horizontal holes" with free OSS and route only the "vertical risks" that only design can protect to an expert — that's the most cost-efficient way to defend.
References (official primary sources)
- Frameworks: NIST NICE Framework / NIST SP 800-181 Rev.1 / NIST Cybersecurity Framework (CSF) 2.0
- Domestic guidance: METI Cybersecurity Management Guidelines / IPA ITSS+ security domain / IPA list of services conforming to the information-security-service standard
- Standards: OWASP Top 10:2025 / OWASP
- Certifications: (ISC)² CC / CISSP / CompTIA Security+ / CySA+ / IPA Registered Information Security Specialist (Registered Security Specialist)
- AI: NIST SP 800-218A (SSDF for generative AI)