I’ve been thinking a lot about how to get to the next level in my field of information security, and I’ve come to a pretty interesting conclusion:
It’s not possible to just study in this field — you have to implement each thing you’re trying to learn if you want to get the full benefit.
To be good in information security, you can’t just know that RBAC (Role Based Access Control) does a certain thing in managing access. You also should know how it works out in the real world. Specifically, you must know how to implement this concept in various operating systems and applications.
In fact, I do strongly recommend learning concepts before diving in, but when you set out to truly understand something — to really feel it — you need to be using it to accomplish a real-world goal. It can’t be for the sake of it. Learning like that doesn’t burn in the same way as it does if you’re learning for a purpose.
There are three basic areas on which you familiarize yourself.
- Networking (TCP/IP/switching/routing/protocols,etc.)
- System Administration (Windows/Linux/Active Directory/hardening,etc.)
- Programming (programming concepts/scripting/object orientation basics)
If you don’t have a good foundation in all three of these, and ideally some decent strength in one of them, then it’s going to be hard for you to progress past the early stages of an information security career.
Next, subscribe to some input sources like the news, articles, tools etc..
Increasingly, though, Twitter is replacing the following of websites. The primary reason for this is the freshness of data. Twitter is real-time, which gives it and advantage over traditional sources.
Twitter allows you to create (and subscribe to) lists. So, if your username is @krishnang79, you can just append to it and tweets from everyone in that list.
My recommendation is to use two main sources:
- RSS feeds
Certifications does matter as how your degree matters. But things has its own value when others place on them. Certifications don’t have any inherent value. They’re worth precisely as much as people value them. If employers are asking for them at places you want to get hired, they matter. If the places you want to get hired don’t care at all about them, they don’t have value there. It’s that simple.
Certifications have good study materials, and if you get all four of these certifications you will have a decent understanding of lots of basics.
- CISA/CISM - Audit
- SANS (GSEC) - Technical
[ NOTE: I recommend doing CISSP, then GSEC, then CISA/CISM. CISSP is the king, and then get your technical out of the way. Audit just rounds you out nicely. ]
- Don't Study, But Do
- Setup Home Lab for practice
- Have project oriented goals
- Network with others
- Attend conferences
- Mastering professionalism
- Understand the Business
- Having passion
I hope this resource is helpful to people as they enter and move through the various levels of an information security career.