I saw an interesting post on twitter earlier today about how often people trying to get into security have one or two certifications but no context. The example that was given was “they didn’t even know what a /24 network was”.
I absolutely agree context is critical, and if you’re a student looking to get into security, here are some things to consider.
Do you know how to set up a simple network (ie, router, firewall, DHCP, DNS, a few workstations)? Can you troubleshoot a connectivity problem? Have you ever written any code? Do you know how to use a compiler? Do you have a Linux box at home, and have you had to troubleshoot a package that wouldn’t build? Do you understand dependencies and libraries and how wrong that can go? Have you written simple scripts in Perl, bash, etc? Ever had to configure a web server? DNS server?
Or, if you’re coming at it from a less technical angle…
Have you studied criminology/psychology? Can you explain logical fallacies and how they can be used to push people towards making poor decisions? Have you ever conducted basic low-risk social engineering exercises? (Tail-gating, getting information someone is normally reluctant to give)? Do you understand privacy regulations and how they apply to the collection and storage of PII? Do you know what PII is? Ever picked a lock?
It turns out, most of us who ended up in security came here not just because we were security nerds, but because of a fascination with how other stuff worked (networks, applications, code, people) and pulled on a string that lead to security. Every truly passionate and successful security professional I know isn’t just a “security nerd” but is also deeply fascinated by other things, and how they work, and that’s what lead them to security and makes them good at it.
Personally, I think the things that lead many of us to security in the past (networks are a biggie) are relevant but less important than new areas (DevOps, cloud, code, human psychology) and would encourage those entering the field to look at new areas. In a few years (today!) jobs at the intersection of security and cloud, or security and machine learning will be in high demand. Understanding how algorithms go wrong and have biases, having built machine learning models and learned how to protect them from poisoning, plus a million other developing fields will yield fantastic results.
Security is a lifestyle choice, not a certification.