How do you balance proactive engineering work with reactive risk management in a security engineering role?