A Day in the Life of a Senior Cybersecurity Engineer


Since their former life as the SANS Top 20, the CIS Controls have come a long way. The CIS Controls have grown over the years to help provide security guidance to organizations around the world. To keep up with the expanding CIS Controls community, it takes dedicated and whip-smart staff like Josh Franklin. A Senior Cybersecurity Engineer at CIS, Josh leverages years of cybersecurity experience to help organizations protect their systems and data. Keep reading to learn more about his experience in this exciting role at CIS.

Please share a brief overview of what you do as a Senior Cybersecurity Engineer.

First and foremost, I work on the CIS Controls. This is one of the largest cybersecurity standards in the world, and I’m lucky enough to be able to help make these best practices even better. This includes integrating new technologies and cutting-edge defensive strategies to protect enterprises and governments everywhere. I also write best practices for certain subdomains of cybersecurity, such as mobile and IoT.

How long have you worked at CIS?

I started in July of 2018. I’m already getting double vision as I cruise for my two-year mark in 2020.

What education/background do you have that helped you get your position at CIS?

I have a Master’s of Science from George Mason University in Information Security and Assurance. I also have a Bachelor’s of Science from Kennesaw State University in Information Systems, with a minor in Information Security and Assurance. There was a period of time in the late oughts that I became slightly obsessed with cybersecurity certifications such as the CISSP, and I have more than my fair share.

I feel as if my 10 years focusing on cybersecurity in the federal government is really what helped me get here. I worked on securing voting systems at the Election Assistance Commission and then I moved to the National Institute of Standards and Technology. There I focused on 4G and 5G cybersecurity, elections, and how to safely use mobile devices in the workplace.

With all that said, I also performed a number of non-work-related research efforts and outside projects that provided valuable expertise and training. Collaborating with your peers online in an open-source project really helps you learn to work with the training wheels off. 🙂

I’m a firm believer that success in this area stems from knowledge, experience, critical thinking, communication skills, and luck, in no particular order.

What are 5 daily tasks you do as a Senior Cybersecurity Engineer?

  1. Monitoring the CIS Controls Communities: CIS runs a number of communities that govern different areas of cybersecurity. These communities are made up of cybersecurity experts that offer their valuable knowledge to make sure our guidance is top-notch.
  2. Talk with stakeholders: CIS regularly reaches out to governments and organizations to get feedback on the CIS Controls. We also regularly provide expertise on the controls to CIS SecureSuite members.
  3. Read Blueteam Research: It sounds basic, but there are literally hundreds of new vulnerabilities each month. I need to understand the mitigation strategies for the most important vulnerabilities and make sure there’s a feedback loop in our guidance documents.
  4. Writing (a lot!): The Controls team here at CIS is part of a larger group known as security best practices, which includes our CIS Benchmarks team. In order to document best practices for cloud, mobile, or IoT, it’s a lot of fingers on the keyboard and wordsmithing all day long.
  5. Mapping: There’s no shortage of other cybersecurity and controls frameworks out there in the wild. The CIS Controls understands that cybersecurity is a team sport. We work to map the CIS Controls to most other large frameworks. If you don’t see your favorite framework covered, you should send us an email at [email protected].

What are your favorite parts about being a Senior Cybersecurity Engineer?

I get to talk to people all the time. I also get to learn their cybersecurity woes and more often than not I get to help them out and make their lives just a little bit better.

What advice would you give a prospective Senior Cybersecurity Engineer?

Never stop never stopping. There’s so much wonderful training material available online in the form of blogs, podcasts, and YouTube training courses. Your favorite cybersecurity heroines and heroes likely have hundreds of hours of conference presentations and training freely available. It’s up to you to find it and turn it into something useful for your organization.

If you could describe your job in 3 words, what would they be?

Improvise. Adapt. Overcome. 

What is a skill or habit that has helped you in your current role?

Timelines. In my heart of hearts, I am a terrible planner. That’s why I try to rigidly create a project management schedule and hold myself to it. I plan to continue this until I get the time stone from The Sorcerer Supreme. Deadlines make things happen!

What has surprised you about this position?

The sheer number of CIS Controls users and their use cases for the Controls. There’s a vibrant array of cybersecurity professionals looking to use the Controls in ways we never imagined. I’m simultaneously delighted and humbled to see so many people using the controls; it really makes me want to ensure their use cases are included and that the Controls work for them.