As a consultant and instructor, one of the questions I get all the time is "I would like to move into the field of security, what do I need to do?" My answer is "What area of security?" That usually has the person pause and say "Security in general." I say "Well, we all are in security in general."
My point in making that statement is to help people understand that in IT we all practice security in some form, but there are a lot of different areas of security, and those different areas require different knowledge bases. However, there is a base knowledge of security that is needed no matter what area of security you go into. Once this base security knowledge is obtained, you can pursue a more distinct area of security.
One of the key components of getting into security is experience, which cannot be taught; it must be learned. Experience in IT is crucial no matter what area of IT you currently work in. Experience gives you a period of time in which you can learn from troubleshooting and implementation techniques that you can use in security. Let's say, for example, you have been working as an Exchange Server admin for 5 years. You have probably been exposed to malicious code in email, SMTP relay and spam, which in turn will help you when you move into the areas of email security. I usually say at least 5 years of good admin experience with any vendor is a good starting point for most people.
So let's say you have the experience. What type of training can help you get into security? I believe it starts with a good understanding of networking and security. There are three classes I always recommend:
1. Network+ - for a good understanding of all of the areas of networking
2. Security+ - for a good understanding of the basics of security
3. Cisco ICND1 and ICND2 - to understand how network traffic is moved within different areas of the network. Cisco is not the only vendor; any vendor for routing and switching will do.
I would also take them in that order. The reason is that they build upon each other. Each class provides the basis of information for the next class. It is not required, but recommended.
After that, I always encourage certification in these areas as well, but it is not required. Certification in these classes shows you took the time to ensure you understand the basics of the areas; however, it does not prove proficiency.
Next, you can explore the different areas of security in which you want to specialize, such as:
3. Penetration Testing
4. Vulnerability Testing
I would also advise taking vendor-specific training for these different areas, such as VMware, Cisco, EC-Council and Microsoft. Finally, after you spend some time in security, you can go after the much coveted and difficult CISSP, the most heralded and sought-after security certification.
- Tom Pruett, Cisco & Security Expert; MCT, CTT+, CISSP, CWNA, CEH, CHFI, CCSI, CCNA, MCSE