by artie_effim 3103 days ago
Cyber pro here - 5 years doing IV&V testing, 15 years as Fed, State and Local contractor, now a firewall admin at a major U.S. uni. I got an NSA accredited (https://www.nsa.gov/resources/educators/centers-academic-exc...) Master's in IT with a specialization in security. While the degree got my foot in the door (I have a BA in Arts - but have been messing around with computers since the early 80's - plus a lot of self taught stuff) - I've found that a ton of side reading (anything related to the subject - I spent a lot of time on the RFCs - that stuff I use every day), looking at PCAPs to understand the protocols and reading case studies are the best way to hone the craft.

For a while I was doing Governance, Risk and Compliance (GRC) work, but have always loved being a network security engineer, so I went back to that.

Also - I have a CISSP, which opens a lot of doors. I know that it is being knocked a bit nowadays, and there are certainly some who are test knowledgeable but have no hands-on, common sense experience. I still find it valuable enough to maintain.

Set up a lab - 2-4 computers and a switch should do (you could virtualize some/all of it) and work on all aspects of the TCP/IP stack if you're interested in netsec.

If appsec is your thing, spend a lot of time looking at good and bad code, plus reading on-line of good and bad appsec.

If GRC is up your alley - read NIST 800-53, HIPAA, PCI-DSS, SANS Top 20 and GDPR - to understand the full breadth of controls and risk mitigation.

As far as data science goes, Python and pandas are all over the industry, R not so much. There is a big push for ML/AI work, but it might be snake-oil, time will tell. I use a lot of Python and pandas for log and flow analysis.

Also - learn Linux CLI; grep, sed and awk can save your butt in most situations. Gray beard stuff will come later.

Good luck!

<edit - word choice>
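As an added illustration of the "Python for log and flow analysis" and "grep/sed/awk will save you" points above, here is a small flow-log triage script. It is example code written for this page, not something from the commenter; it uses only the Python standard library (no pandas), and both the pipe-separated record format and the sample flows are constructed for the example rather than taken from any real collector. Each function is the kind of one-liner you would otherwise reach for with awk or a pandas groupby: bytes per source, egress bytes per destination port, and sources that touch many ports on one host.

```python
"""Flow-log triage with only the Python standard library (added example).

Assumptions: records are pipe-separated NetFlow-style lines in the
constructed format ts|src|dst|proto|dport|bytes (not a vendor format),
and 10.0.0.0/8 is the internal range. All sample data is constructed.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample records: ts|src|dst|proto|dport|bytes
SAMPLE_FLOWS = """\
2024-01-01T00:00:01|10.0.0.5|93.184.216.34|tcp|443|5120
2024-01-01T00:00:02|10.0.0.7|10.0.0.20|tcp|22|800
2024-01-01T00:00:03|10.0.0.5|93.184.216.34|tcp|443|70000
2024-01-01T00:00:04|10.0.0.9|10.0.0.20|tcp|21|60
2024-01-01T00:00:04|10.0.0.9|10.0.0.20|tcp|22|60
2024-01-01T00:00:04|10.0.0.9|10.0.0.20|tcp|23|60
2024-01-01T00:00:04|10.0.0.9|10.0.0.20|tcp|25|60
2024-01-01T00:00:04|10.0.0.9|10.0.0.20|tcp|80|60
2024-01-01T00:00:05|10.0.0.7|8.8.8.8|udp|53|120
2024-01-01T00:00:06|10.0.0.5|10.0.0.20|tcp|22|300
"""

FIELDS = ("ts", "src", "dst", "proto", "dport", "bytes")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse_flows(text):
    """Parse the constructed record format into a list of dicts.

    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError with its line number so bad input is not silently dropped.
    """
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}"
            )
        rec = dict(zip(FIELDS, parts))
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        flows.append(rec)
    return flows


def top_talkers(flows, n=3):
    """Bytes sent per source, descending (pandas: groupby('src')['bytes'].sum())."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals.most_common(n)


def egress_by_dport(flows):
    """Bytes leaving the internal range, keyed by destination port.

    Useful for spotting large transfers to the outside on unexpected ports.
    """
    totals = Counter()
    for f in flows:
        if ipaddress.ip_address(f["dst"]) not in INTERNAL:
            totals[f["dport"]] += f["bytes"]
    return dict(totals)


def fan_out(flows, threshold=5):
    """(src, dst) pairs where one source touches >= threshold distinct ports.

    Many distinct ports on one host in a short window is scan-like behaviour
    worth a second look; the threshold is a tunable, not a magic number.
    """
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top talkers:", top_talkers(flows))
    print("egress bytes by dport:", egress_by_dport(flows))
    for (src, dst), hit in fan_out(flows).items():
        print(f"fan-out: {src} -> {dst} ports {hit}")
```

The same three questions are answered in awk with `awk -F'|' '{b[$2]+=$6} END {for (s in b) print s, b[s]}'` style one-liners; the Python version earns its keep once you want to join, filter and re-run the logic across many files, which is where pandas takes over.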


While on the subject and since you're an expert in the field, there's something that's nagging me. How good are you guys at programming? My feeling is that most people in infosec are average at best and only the elites are good at it.
I am not sure why you are getting downvoted. You have a very valid question.

There are many different kinds of security roles such as risk, compliance and security reviews (very little programming), penetration testing (programming and scripting to various degrees depending on the work) and security software development (full-time programming).

How good one is at programming would of course usually depend on the individual. In the rest of the software industry, there are all kinds of roles (some of which involve programming and some do not) and the ones that do involve programming have programmers of all kinds and calibre. It is no different in computer security.

I have over 12 years of experience in this field now in various positions where my various colleagues and I have written large security products in C, C++ and Java, as well as smaller security solutions in Python and Go. Most of the time programming is just a means to an end, which is true for many other fields as well. It is usually math, algorithms, crypto, protocols, etc. that are more interesting and that we need to be well versed with along with being skilled at programming. Also, I would like to share two of my earlier posts around this subject:

- https://news.ycombinator.com/item?id=14873475 (about demand and job prospects in security software development)

- https://news.ycombinator.com/item?id=12545851 (about math and software development in the computer security field)

I haven't downvoted, but "How good are you guys at programming? My feeling is that most people in the infosec are average at best and only the elites are good at it." sounds trollish to me. Designed to elicit emotional response from people as they will try to defend security people.
I’m a mid level security architect (governance, risk, compliance) and I’m a below average developer, coming from DevOps/infrastructure before. In my security roles, no development or software engineering skills are required.

I might work on improving eventually, it's just not a priority. Any upward trajectory now is going to be from experience and soft skills.

Pretty bad - hack it together with docs and Stack Exchange really. I did manage to deploy an app with a Django, nginx, gunicorn stack which doesn't crash, so there's that. But as far as good coding skills, I don't really have any - but I'm learning as I go. I also have full management support for this, which is nice, but very rare. I more so play around with pandas and matplotlib to get what I need - pretty much just a step above shell scripting.
I think it's pretty risky to try to categorize all infosec people into one ranking. But I will say most folks I bump into are not writing code for maintainability, or necessarily efficiency. Most of us stick with GEMO (good enough, move on). That being said, there are always outliers.
> Set up a lab - 2-4 computers and a switch should do (you could virtualize some/all of it) and work on all aspects of the TCP/IP stack if you're interested in netsec.

I would like to add onto this: if you cannot virtualize this and you do not have extra computers, try using Raspberry Pis. You can fully customize them to act as computers (with all different operating systems), servers, super computers, routers, etc.

It's an inexpensive and practical option compared to buying expensive equipment.

Question for cyber pros:

If you are storing sensitive info such as username/password to a TRADING PLATFORM (because the bank -- in this case OZforex -- doesn't have an API that lets you access it without them) what regulations do you need to meet in the USA and Europe? How does one even begin to find this out?

This is for a client of mine. I realize in Europe you'll of course need the GDPR. But besides that, I tried for example to find out whether they need PCI-DSS level 4 but was told by an auditing firm that since they aren't storing CREDIT CARD info then PCI doesn't apply. I am not convinced. But there has to be SOME regulation to protect this data, no?

I would appreciate any info, or if there is a way to speak offline (email you?) let me know.

I'm interested in GRC - could you explain what else to study or what certs to get to go that route? Thanks
I don't have any other recommendations for studying, but as someone who made the transition from IT to GRC, I can offer some advice about getting practical experience.

A Big Four firm is a good place to get started in a GRC career. You'll get pretty broad exposure to the field, and you'll have the opportunity to develop expertise in specific GRC domains.

If you're already working in a regulated industry (especially for a publicly traded company), you may be able to move into a GRC position at your present company. Compliance, internal audit, third party risk management, business continuity/resiliency and disaster recovery are common areas that fall under the broad GRC umbrella.

I worked in various IT roles at a financial services company, and I was able to move into a risk analyst role, then I went to a Big Four firm, and I'm now back in industry.

As far as certs go, CRISC, CISA and CISSP are the most common I've seen among GRC folks, although most of the people I've worked with didn't have any of them.