Dropbox: Security Engineering Career Framework

Security Execution

• I help resolve security issues, respond to incidents, and eliminate or mitigate vulnerabilities as they arise.
• My work demonstrates basic competence as a security practitioner - I apply basic principles such as least privilege and defense in depth appropriately to a set of problems within my team and projects.
• I assess the security of systems through code reviews, penetration tests, intuitive reasoning (with or without the application of a security framework), or manual testing (using ethical hacking tools or custom-written tools where they don’t yet exist.
• I develop, test, review, debug, and/or deploy code to enforce security requirements, detect badness to meet security objectives.
• I deploy, manage, monitor, and/or provide sustainable operational support for technology that my team relies on to enforce security requirements, detect badness to meet security objectives.
• I understand the designs and technology choices within my focus area and make technically-sound adjustments based on feedback, changes in the environment, and/or evolving threats.
• I provide clearly articulated and reasoned security guidance in areas I know well, both inside and outside of security team.

Impact

• I act with urgency and deliver high-quality work that will add the most value
• I work with my manager to direct my focus so my work advances my team's goals
• I prioritize the right things and don't overcomplicate my work. When necessary, I propose appropriate scope adjustments.
• I effectively participate in the core processes of my team, including recommending and implementing process improvements

Ownership

• I follow through on my commitments, take responsibility for my work, and deliver on time
• I proactively identify and advocate for opportunities to improve the current state of projects
• I own my failures and learn from them
• I think a step or two ahead in my work, solve the right problems before they become bigger problems, and problem-solve with my manager when I'm stuck

Decision Making

• I Identify and gather input from others and consider customer needs to make informed and timely decisions

Agility

• I’m open to change and enthusiastic about new initiatives
• I work with my manager to navigate complex and ambiguous situations

Innovation

• I ask questions and contribute to new ideas/approaches
• I experiment with new approaches and share what I learned

Personal Growth

• I proactively ask for feedback from those I work with and identify ways to act upon it
• I have self-awareness about my strengths and areas for development
• I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow

Talent Development

• I model integrity and a high standard of excellence for my work.
• I help the more junior members of my team, host interns, or am a residency mentor
• I offer honest feedback that is delivered with empathy to help others learn and grow
• I contribute to interviewing and assessing candidates to help us build a diverse and talented team. I am calibrated and consistently perform high-signal interviews
• I am able to represent my team’s initiatives and goals to candidates in a compelling way

Collaboration

• I can effectively collaborate to get work done
• I work with my manager to manage conflict with empathy and cooperation in mind

Organizational Health

• I contribute to a positive sense of community on the team (e.g. engage in team lunches, team offsites, and other group activities, help with new-hire on-boarding).
• I listen to different perspectives and I cut biases from my words and actions
• I practice the Dropbox Diversity Commitments on a regular basis

Communication

• I write and speak clearly
• I listen to understand others and ask clarifying questions
• I share relevant information on my projects to my manager, team and customers.

Technology Fluency

• I am familiar with relevant external and Dropbox-specific technologies within my domain, and am working to develop a deeper understanding.
• I seek to learn the business context and technologies behind my team’s security services and the segment of the business I focus on.

Threat Fluency

• I understand attackers and their tools, techniques, and goals. I am able to learn from historical examples.
• I understand how defenses address and mitigate common vulnerabilities made use of by malicious code, and how attackers bypass or negate common defensive techniques
• I have an understanding of strengths and weaknesses of the tools at my disposal to diffuse the impact and disrupt or detect attackers taking advantage of potential systems’ vulnerabilities.

Impact

• I deliver some of my team’s goals on time and with a high standard of quality
• I understand my customers, the business’s goals and my team’s goals. I ensure my work will have the greatest customer impact
• I can identify when my results aren’t moving the needle for our business/team goals or serving the needs of customers in a meaningful way and work with manager to redirect my focus
• I get work to a simple place by focusing on the heart of the problem and prioritizing the right things

Ownership

• I proactively identify new opportunities and advocate for and implement improvements to the current state of projects
• I take responsibility for my decisions and any failures on my project and take action to prevent them in the future. I embrace and share the learnings from those failures
• When I encounter barriers, I unblock myself and my team by proactively assessing and eliminating the root cause

Decision Making

• I make informed decisions by consulting the right stakeholders and balancing details with the big picture. I execute against the spirit, and not just the letter, of the requirements
• I understand the implications of my decisions and adjust my approach based on the impact and risk in the short and long-term
• I make timely decisions but don’t cut corners that would compromise my customer’s trust

Agility

• I embrace change and adapt quickly to it
• I’m able to navigate ambiguity and remain resilient through ups and downs by staying calm under pressure and taking care of my overall well-being

Innovation

• I ask questions and contribute to new ideas/approaches
• I experiment with new approaches and share what I learned

Strategy

• I work collaboratively with my manager to set realistic and ambitious short- and long-term goals to deliver customer value quickly and break these goals down into smaller projects for my team or myself
• I execute the development roadmap for multi-phase projects, possibly as a project lead

Personal Growth

• I proactively ask for feedback from those I work with and identify ways to act upon it
• I have self-awareness about my strengths and areas for development
• I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow

Talent Development

• I model integrity and a high standard of excellence for my work. I leverage this to influence and establish best practices
• I support the growth of my teammates by taking into account their skills, backgrounds and working styles
• I solicit and offer honest and constructive feedback that is delivered with empathy to help others learn and grow
• I contribute to interviewing and assessing candidates to help us build a diverse and talented team by conducting more advanced domain-specific and leveling interviews
• I am able to represent my team’s initiatives and goals to candidates in a compelling way

Collaboration

• I build relationships across teams and help get to positive outcomes
• I proactively communicate and coordinate my team’s requirements with other groups and teams in engineering
• I am capable of working with cross-functional stakeholders to identify technical blindspots and clarify ambiguity in their ideas.
• I avoid blame and solve the right problems, disagreeing and committing when necessary

Organizational Health

• I contribute to a positive sense of community on the team (e.g. engage in team lunches, team offsites, and other group activities, help with new-hire on-boarding)
• I listen to different perspectives and I cut biases from my words and actions
• I practice the Dropbox Diversity Commitments on a regular basis
• I champion good virtual first practices that help my team collaborate effectively
• I help shape the Dropbox engineering culture through my involvement with activities outside of my team (e.g. presenting tech talks, participating in Eng RFCs, creating interview questions, planning hackweek)

Communication

• I tailor my message to my audience, presenting it clearly and concisely at the right altitude
• I proactively share information so the right people are informed and aligned
• I foster effective communication across the team and promote inclusive meeting culture

Security Execution

• My work demonstrates deep domain expertise in one or more core security domains and secondary specializations, (e.g. infrastructure security, application security, threat intelligence, security operations, incident response, endpoint security, or identity management), sufficient to anticipate and communicate the implications of my work on adjacent fields.
• I perform risk analyses to a degree of rigor which enables me, my cross-functional partners, and future security engineers to weigh the the strengths and weaknesses of different options, and make recommendations for risk mitigation, acceptance, or escalation.
• I design and implement new systems, tools, or processes to enforce security requirements, detect badness, or otherwise defend Dropbox.
• I select, integrate, and/or improve operational support for technology that my team relies on to enforce security requirements, detect badness, or otherwise defend Dropbox.
• When I approach a problem I identify the applicable security strategies, weigh the tradeoffs of each, negotiate the best way forward, and effectively influence others to follow that path.
• I lead others to resolve security issues, to respond to incidents, and to eliminate or mitigate vulnerabilities as they arise.
• I actively work with partner orgs to drive awareness of policy, standards, best practices, and regulations.
• I base my decisions on validated evidence/data or I explicitly identify the cases where no data is available and the assumptions I am making instead.

Technology Fluency

• I have deep understanding of more than one domain (e.g. application, OS, networks, or hardware) and can quickly understand complex systems and identify the major security issues with them. I demonstrate and can apply understanding of the technologies Dropbox uses within my area of focus
• I can navigate through full stacks and build proficiency on the right tools to dig deep into the security issues.
• I understand that technology, threats, and responses evolve and plan security controls accordingly.

Threat Fluency

• I understand attackers and their tools, techniques, and goals. I am able to learn from historical examples.
• I understand how defenses address and mitigate common vulnerabilities made use of by malicious code, and how attackers bypass or negate common defensive techniques
• I have an understanding of strengths and weaknesses of the tools at my disposal to diffuse the impact and disrupt or detect attackers taking advantage of potential systems’ vulnerabilities.

Talent Development

• I model integrity and a high standard of excellence for my work. I leverage this to set and hold the bar for quality and best practices for my team (e.g. via code and design reviews)
• I identify and support areas of growth for my teammates that take into account their skills, backgrounds and working styles
• I solicit and offer honest, constructive, direct, and actionable feedback that is delivered with empathy to help others learn and grow into the next level
• I contribute to interviewing, and gain the trust of candidates. I can represent Dropbox's mission, strategy, and culture throughout the interview process
• I am able to represent my team’s technical challenges to potential candidates in a compelling way (e.g. 1:1 sell chats, blog posts, public speaking)

Impact

• I deliver many of my team’s goals on time and with a high standard of quality
• My understanding of the business context and my team’s goals enable me to have the greatest customer impact and allows me to make independent technical decisions in the face of open-ended requirements
• I can identify when my results aren’t moving the needle for our business/team goals or serving the needs of customers in a meaningful way and work with manager to redirect my focus
• I get work to a simple place by focusing on the heart of the problem and prioritizing the right things

Ownership

• I proactively identify new opportunities and advocate for and implement improvements to the current state of projects — potentially having broader business impact across teams or products
• I take responsibility for my decisions and failures on my project and take action to prevent them in the future.
• I embrace and share the learnings from those failures
• When I encounter barriers, I unblock myself and my team by proactively assessing and eliminating the root cause, and focusing on the solutions

Decision Making

• I make informed decisions by consulting the right stakeholders and balancing details with the big picture
• I understand the implications of my decisions and adjust my approach based on the impact and risk (e.g. choosing a more iterative approach based on the degree of uncertainty with respect to product fit, while maintaining a view of the long term arc needed to accomplish business goals)
• I leverage insights about customers to inform decisions, balancing value for the customer with other business goals
• I make timely decisions but don’t cut corners that would compromise my customer’s trust

Agility

• I embrace change and adapt quickly to it
• I’m able to navigate ambiguity and remain resilient through ups and downs by staying calm under pressure and taking care of my overall well-being

Innovation

• I am beginning to push boundaries to generate and implement ideas that aim to drive our products and tools forward
• I set audacious goals, take risks, and share lessons learned
• I have a growth mindset and am comfortable experimenting, learning, and owning the outcomes

Strategy

• I define the technical roadmap for impactful multi-phase projects, refining it as the projects progress to deliver customer value quickly, and provide leadership for the people executing on the project
• I define my team's priorities and secure buy-in in partnership with my manager
• I generate excitement for my/the team's strategy

Personal Growth

• I proactively ask for feedback from those I work with, know my strengths, and identify ways to take actions on my development areas
• I have self-awareness and connect with others with empathy
• I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow

Collaboration

• I promote and role model Dropbox core values, leading by example
• I build relationships and drive coordination across teams & disciplines, helping get to positive outcomes
• I proactively communicate and coordinate my team’s requirements with other groups and teams in engineering
• I am effective at working with cross-functional stakeholders to identify technical blindspots and clarify ambiguity in their ideas
• I avoid blame and solve the right problems, disagreeing and committing when necessary

Organizational Health

• Working with my manager, I leverage the strengths & skills of the members of my team, and help identify talent gaps required for team success
• I support others to bring their authentic selves every day and contribute to building community at Dropbox
• I practice the Dropbox Diversity Commitments on a regular basis
• I champion good virtual first practices that help my team collaborate effectively
• I help shape the Dropbox engineering culture through my involvement with activities outside of my team (e.g. presenting tech talks, participating in Eng RFCs, creating interview questions, planning hackweek)

Communication

• I tailor my message to my audience, presenting it clearly and concisely at the right altitude
• I proactively share information so the right people are informed and aligned

Culture Leader

• I act as a partner to my manager in setting the cultural tone for the team. I support an environment where all Dropboxers are included and heard - I help my team network and build relationships across Dropbox, creating connection and inclusion across my team and with other teams

Security Execution

• My work demonstrates significant domain expertise in three or more security domains and secondary specializations, (e.g. infrastructure security, application security, threat intelligence, security operations, incident response, endpoint security, or identity management). I understand the latest defensive capabilities provided by each layer of the stack in my purview and understand when to deploy them.
• I have extensive experience with multiple methods of assessment, and can make the right call to identify the best approach for a given problem.
• I design and/or implement structural changes to enforce security requirements and defenses at the scope of an entire product/codebase (e.g. Paper, Hellosign, or rSERVER)
• I define and implement a comprehensive strategy to address a security problem, drawing upon a mixture of the necessary first-party, open source, or off-the-shelf technologies to enforce security requirements, detect badness, or defend Dropbox.
• I consistently identify and provide solutions for non-obvious issues in the design, implementation, operation, and evaluation of security processes and technologies.
• I own the response to complex security incidents, or drive strategic remediation initiatives which involve many teams/organizations/systems across Dropbox.
• I track incidents, vulnerabilities, and other security trends over time and effectively incorporate lessons learned into Security strategy and requirements.
• I effectively partner across the company to define and implement security requirements within a scope spanning several different layers of an infrastructure stack, disparate teams across several organizations, or parallel workstreams of a large scale initiative.

Technology Fluency

• I apply a comprehensive understanding of the Dropbox technology stack and relevant external technologies within my focus. I both maintain awareness and ensure my organization is aware of changes as they occur.I influence the design and architecture choices made by partner-orgs (e.g., system, network, or software).
• I understand that technology, threats, and responses evolve and use that evolution to identify opportunities to improve security controls accordingly.

Threat Fluency

• I have a deep understanding of attacker tools, techniques, and processes (TTPs) and the standard defenses/mitigations for them.
• I am broadly aware of the kinds of defenses and their efficacy at mitigating attacks relevant to Dropbox Security.
• I am continuously tracking and learning about attacks/attackers both inside and outside of my focus area
• I am familiar with historical attacks of consequence and the lessons learned from them.
• I am able to reason about attacker behavior and apply my understanding of TTPs in support of the rest of my job.

Impact

• I identify and execute on opportunities that have area/group-wide impact
• I execute large projects to a very high standard — e.g. against a tight deadline with significant consequences of failure, or in a manner that allows rapid learning to clarify significant ambiguity, or to a standard of quality well exceeding that of the current system (though not all simultaneously)
• I know which levers to pull to drive meaningful results and understand the wider, cross-functional implications of my work. I proactively account for risks and monitor their likelihood. My project planning accounts for new capabilities necessary to deliver large-scale business impact and I work closely with partner teams to prioritize the development of these capabilities.
• I proactively identify and help to refocus my team's efforts when projects are off-course or not technically feasible and results aren’t moving the needle for our business/team goals or serving the needs of customers in a meaningful way

Security Execution

• I motivate security controls that simplify, optimize, and prevent bottlenecks
• My work demonstrates broad and deep security domain expertise, and I successfully apply it across technology domains (e.g. software, networking, risk management, operating systems, etc) to realize cross-functional security objectives and drive the maturity of the security team overall.
• I independently and proactively identify areas of security risk and future needs, reach out to the relevant teams, collaboratively design solutions to that risk, and successfully implement them in a sustainable way that “permanently” reduces risk across entire classes of threats.
• I design, deliver, and drive solutions for significantly complex security and risk problems across dropbox organizations.
• I split my time in different areas such as, security solution design, and/or security architecture, based on where my skills have the greatest impact (or in response to a security problem).
• I deliver solutions that are resistant to erosion of security controls over time and integrate ongoing testing strategies as part of the foundational design
• I own the response to extraordinary or otherwise sensitive security incidents.
• I adapt my role to the needs of an initiative, the security team, or a cross-functional partner team over time.
• I understand that technology, threats, and responses evolve, and drive that evolution to create opportunity to improve security across Dropbox.

Ownership

• I have a sense of responsibility and obligation to act on opportunities I see across the engineering org/company

Decision Making

• I have a holistic view of the engineering org and Dropbox’s goals and use my experience and judgment to make decisions optimized for the wider org, rather than my local project alone
• I act thoughtfully and decisively in critical situations even when making challenging or unpopular decisions
• I'm able to reach the right decision despite conflicting perspectives

Agility

• When necessary, I am able to introduce change into the organization, help others understand the business case for change, and create excitement to drive adoption of the change

Innovation

• I push boundaries to generate and implement breakthrough ideas that aim to create new products or advance existing products and drive our tools forward
• I create an environment supporting experimentation and iteration towards audacious goals.

Strategy

• I define a long-term vision for my team that factors in company-wide priorities as well as the technical limitations and possibilities of Dropbox’s software and systems. I inspire my team and cross-discipline stakeholders to work toward that vision
• I anticipate challenges and am able to influence the technical direction of the team or org to execute on that vision even in the face of potential significant misalignment

Personal Growth

• I proactively ask for feedback from those I work with and identify ways to act upon it
• I have self-awareness about my strengths and areas for development
• I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow

Hiring

• I am an active participant in the hiring process for senior candidates (for example, by participating in hiring committee, debriefs, etc.)
• I gain the trust of candidates and can represent Dropbox's mission, strategy, and culture throughout the interview process
• I am an effective partner to my manager and am able to represent my team’s technical challenges to candidates in an exciting way (e.g. 1:1 sell chats, blog posts, public speaking)

Talent Development

• I am a role model for other Dropboxers and model a standard of excellence that supports a culture of high performance on my team
• I invest time to coach and mentor my teammates (particularly ones looking to grow into L4/L5). I take into account their skills, backgrounds, working styles and solicit and provide thoughtful, constructive feedback to them.
• I devote time to spreading my knowledge widely via talks, blog posts or written documentation
• I participate in SPRiTEs calibration sessions by providing meaningful feedback to ensure fair and consistent decisions

Collaboration

• I help break down silos within and across functions and influence others to reach the best outcome for Dropbox
• I build deep cross-functional relationships, facilitate the right conversations, and settle disagreements by managing different viewpoints
• I disagree and commit when necessary to move critical priorities forward

Organizational Health

• I act as a partner to managers in setting the cultural tone for the team. I create an inclusive environment for others and ensure diverse perspectives are included
• Working with my manager, I leverage the strengths & skills of the members of my team, and help identify talent gaps required for team success
• I personify Dropbox's culture and values. I champion community building efforts and inclusion initiatives. I work in close partnership with the management team to ensure a healthy engineering org.
• I lead by example. I am aware of my public presence and actions and my influence on the people around me and Dropbox’s culture

Communication

• I tailor my message to my audience, presenting it clearly and concisely at the right altitude
• I fine tune my approach to getting buy-in and influencing stakeholders across a variety of audiences

Technology Fluency

• The expectations for technology fluency do not go up beyond L4 (though some specialist engineers may go deep in one or more areas)

Threat Fluency

• I have a deep understanding of attacker tools, techniques, and processes (TTPs) and an extensive array of defenses/mitigations for them.
• I am deeply aware of the kinds of defenses and their efficacy at mitigating attacks relevant to Dropbox Security.

Impact

• I identify and execute on significant group/company-wide opportunities by understanding how technical capabilities meet customer needs. I proactively work with business owners to help them understand these new capabilities and work with them to build the right roadmap for the business.
• I execute large projects to a very high standard — e.g. against a tight deadline with significant consequences of failure, or in a manner that allows rapid learning to clarify significant ambiguity, or to a standard of quality well exceeding that of the current system (though not all simultaneously)
• I proactively identify and help to refocus my team's efforts when projects are off-course or not technically feasible and results aren’t moving the needle for our business/team goals or serving the needs of customers in a meaningful way
• I know which levers to pull to drive meaningful results and understand the wider, cross-functional implications of my work

Ownership

• I have a sense of responsibility and obligation to act on opportunities I see across the engineering org/company
• I transcend organizational boundaries by taking a holistic view of my group’s goals and taking responsibility across my group, not just within my immediate scope of ownership.

Decision Making

• I act thoughtfully and decisively in critical situations even when making challenging or unpopular decisions
• I'm able to reach the right decision despite conflicting perspectives

Agility

• When necessary, I am able to introduce change into the organization, help others understand the business case for change, and create excitement to drive adoption of the change

Innovation

• I push boundaries to generate and implement breakthrough ideas that aim to drive our products and tools forward
• I demonstrate creativity, e.g. by finding simple, generalizable solutions that open up or unblock new technical or business opportunities in unexpected ways.
• I create an environment supporting experimentation and iteration

Strategy

• I partner with Directors and other members of senior EPD leadership to define a long-term vision for my group that factors in both a deep understanding of what is happening in the business and in the market as well as the technical limitations and possibilities of Dropbox’s software and systems.
• I anticipate challenges and am able to influence the technical direction of the team or org to execute on that vision even in the face of significant misalignment

Personal Growth

• I proactively ask for feedback from those I work with and identify ways to act upon it
• I have self-awareness about my strengths and areas for development
• I drive discussions with my manager about aspirational goals and seek out opportunities to learn and grow

Hiring

• I am an active participant in the hiring process for senior candidates (for example, by participating in hiring committee, debriefs etc)
• I attract talent for a variety of roles with diversity in mind
• I gain the trust of candidates and can represent Dropbox's mission, strategy, and culture throughout the interview process.
• I am an effective partner to my manager and am able to represent my team’s technical challenges to candidates in an exciting way (e.g. 1:1 selling, blog posts, public speaking)

Talent Development

• I model a standard of excellence that supports a culture of high performance on my team. I drive EPD-wide processes and define the bar for engineering-wide quality and best practices.
• I invest time to coach and mentor my teammates (particularly ones looking to grow into L5/L6). I take into account their skills, backgrounds, working styles and solicit and provide thoughtful, constructive feedback to them.
• I devote time to spreading my knowledge widely via talks, blog posts or written documentation.
• I participate in SPRiTEs calibration sessions by providing meaningful feedback to ensure fair and consistent decisions

Collaboration

• I help break down silos within and across functions and influence others to reach the best outcome for Dropbox
• I build deep cross-functional relationships, facilitate the right conversations, and settle disagreements by managing different viewpoints
• I disagree and commit when necessary to move critical priorities forward

Organizational Health

• I act as a partner to managers in setting the cultural tone for the org. I create an inclusive environment for others and ensure diverse perspectives are included
• Working with my manager, I leverage the strengths & skills of the members of my team, and help identify talent gaps required for team success
• I personify Dropbox's culture and values. I champion community building efforts and inclusion initiatives. I work in close partnership with senior EPD leadership to ensure a healthy engineering org.
• I lead by example. I am aware of my public presence and actions and my influence on the people around me and Dropbox’s culture.

Communication

• I develop compelling messages and effectively present them at the executive level
• I fine tune my approach to getting buy-in and influencing stakeholders across a variety of audiences

Security Execution

• I guide teams to iterate towards solutions where a significant portion of the challenge is designing an appropriately staged validation plan.
• I create, influence and participate in programs that work to overcome our security weaknesses.
• I relentlessly drive awareness about the impact and consequences that technology, architecture and security decisions may have on our business and customers.
• I combine my unique technical and security expertise and experience to drive fruitful, potentially even game-changing choices that benefit the business, Dropbox’s customers, and our technologies.
• I take a multi-year, industry-leading perspective around security concerns; ensuring they adapt to scale, usage, and/or business needs well beyond Dropbox’s current scope. I know when to apply an incremental approach. I know when to pull back and recommend major refactor/re-architecture efforts (in order to speed up later).
• Teams under my direction are focused and deliver effectively.
• I guide teams to iterate towards strategies and solutions that take into account organizational realities, process and documentation so they are resilient to erosion over multiple years of operations
• I help guide the career growth of others across the company, by actively mentoring, performing promotion assessments and participating in performance discussions.
• The programs that I build are structured to measure success in a manner that efficiently furthers security objectives; I recognize and replace ineffective metrics and incentive structures
• I am a recognized leader in information security inside and outside of Dropbox.
• I understand that technology, threats, and responses evolve, and drive that evolution to improve security across the industry.
• I am recognized as expressing some combination of security and technical breadth or depth in the scope of my work, the degree varying due to my unique experience, expertise, or in response to job requirements.
• I split my time based on where my skills will have the greatest impact.

Technology Fluency

• The expectations for technology fluency do not go up beyond L4 (though some specialist engineers may go deep in one or more areas)

Threat Fluency

• The expectations for threat fluency do not go up beyond L5 (though some specialist engineers may go deep in one or more areas)