Cатсн²² (in)sесuяitу / ChrisJohnRiley

I’ve been a member of the ITtoolbox mailing lists for a while now. Although I’ve mostly just been lurking (reading and not posting) certain obvious themes have emerged. At least once or twice a week somebody posts that they want to move into IT security, but have no idea where to start. This is exactly the dilemma that I had about a year back when I decided I wanted to learn something that interests me, instead of something that I have to learn.

I researched a lot. I even went to the Infosec 2007 conference in London and spoke to various companies about what they wanted and expected from somebody working in security. To my surprise the answer wasn’t a CISSP, a Cisco certification, or even a SANS qualification. It was a good knowledge of protocols, operating system theory, PKI, programming, and a range of other things. The list I gathered was long and varied, but almost void of three or four letter certification titles like the CEH I’ve blogged on a few time recently.

Working in security isn’t as easy as say, working in Systems Administration. You can’t just chose the Windows/*nix track and then go off to get your MCSE/RHCE. Although this is a probably where a lot of hands-on technical staff will start, where do you finish ?

Unfortunately there doesn’t seem to be an answer…. whatever you learn it will be beneficial, but there is no hard and fast way into security. Perhaps that’s why for me it seems such a good career track to aim for. I always want to learn more, and security seems to be the place for learning.

So.. I’m off to read some RFCs, as it seems that’s the way to go, at least for now.