1

I have a strategy consulting and sales background, but what I read about IT and IT Security sounds fascinating as an outsider. I'm considering a career switch, but would need to know quite a bit more.

IT Security is what interests me the most, but do I need to learn a programming language? If so, which? Do I need to study for and pass certifications to be taken seriously? How does one learn more and take the first step?

Reading material (books, blogs, links, or even video) or comments are much appreciated. I'm not sure if it is the right switch for me, but I can tell you I'm interested, humble moving forward, and curious. Pen testing, encryption, & networks sound the sexiest but that is a far way off. Thank you for any help in advance.

3 Answers

1

Doing IT security properly implies grasping the fine details of how a computer operates; if you have that knowledge, then learning a programming language would be a matter of a few days at most. It is not, theoretically, strictly necessary to know any programming language to "do IT security", but potentially knowing them all is basically a requirement.

There is a lot more to software development than simply "knowing the language", and we are not talking here about being able to design a big application, structure it, implement it, and being able to understand the code three months later. We are simply talking about the ability to write 100 lines of code in order to experiment with something. Every decent IT security specialist ought to be able to do that.

(Conversely, I have met some IT security "specialists" who could not, and decency prevents me from expressing in accurate terms what I think of their competence.)

The specific programming language, generally speaking, does not matter. They are all more or less the same -- I mean the programming, not the language. Ideally, learn three or four languages; then you will know them all. Potentially. Which is the important point.

There are specific situations, though, which require a bit more programming knowledge. If doing pentesting on Web applications, you should have at least rudimentary knowledge of PHP, JavaScript, SQL and C#/VB (for ASP.NET).


To be taken seriously, be competent. To be competent, spend time on it. Computers in general, IT security in particular, are a field where practitioners spend a lot of time trying out things at home, on their own computers.

Certifications are great when you want to be hired, because most people who will hire an IT security specialist are not IT security specialists themselves. For them, a certification is a kind of "proof of competence". In fact, a certification is a signal: it demonstrates that you were serious enough in your craft that you deemed it worth the effort to obtain the certification (learning the skills for the certification exam, spending the money on the certification, and, biggest effort of all, navigating the administrative task of actually obtaining the paper).


Don't become an IT security specialist if your idea of fun does not include spending five hours reading through log files and network transcripts.

Tom Leek
1

Look deep within yourself before you make the jump. To really get into infosec you will really need to be in the game 110%. If you can't make it your life then just make it a cool hobby. Typically how people get into security is through a system admin or programming job; however, there are people who have been able to jump right in. As far as I know a degree isn't required but helps a lot, and either way you have to be able to back up your skills.

You don't need to know how to program but you should know how to program. Python is a good starting point. As for certifications check out CompTIA's Security+, EC-Council's Certified Ethical Hacker.

Hang out on this forum and learn as much as you can. It's a looooonnnnnnggggg road but if you're really into security it's worth it.

Definitely check out

Oh, and set up your own lab to hack around in. Don't just hack random stuff on the internet or random stuff you see on public networks. That used to be kind of safe 10-15+ years ago as long as you didn't damage anything, but nowadays it's dangerous, especially if you don't know how to properly hide yourself. Even then there's still a risk and it's usually not worth it.

Four_0h_Three
  • 1
    Good answer. Also, learn to set up a lot of virtual machines to play on. Install a wide variety of apps, operating systems, and learn how to attack them. As you gain this knowledge, you will start to get an idea of the skills required. Eventually, you'll find a scripting language will help, but by that time you'll already understand what you want to do, which will make it much easier. – John Deters Sep 23 '13 at 19:14
1

There are many different areas to information security. You have risk and compliance management, architecture and design, and then hardcore technical like ethical hacking and penetration testing. Then there are side-shoots like forensics. It's impossible to answer your question fully without knowing what your interests are, and what your general IT experience is.

IT security is a growing field which generally pays pretty well. More and more companies are realizing they are deficient, and are staffing up as a result. The roles are quite often in the security program and project management space, as well as risk management and architecture. Hardcore technical types are also needed although there aren't as many new roles.

Now the other responses deal with the more technical side, and they are right that it takes a good deal of effort and knowledge to successfully break into that field. It isn't strictly necessary to know a programming language, although being handy with at least one scripting language is pretty essential if you want to be able to automate tasks. You certainly need to know the basics of how computer languages get translated into executable files in any case. Really, if you don't have a good start on that by now I wouldn't recommend that you go that direction as a career.

The real opportunity (based on the assumptions I'm making about you) comes from the fact that the majority of security managers and architects (in the states that is) are getting to retirement age, so there's going to be a need for IT professionals in that area. Certifications like the CISSP and CISM are attainable with just self-study, although there are experience requirements in order to gain the full certification. These will open the door to the more managerial and project level, which may play more to your previous experience. Security experience and knowledge is still critical in these types of roles; the fact that they require strategy and management skills could help you with that transition.

GdD