This will be a quick 500 – 1000 words on how to self educate in security. First, I will walk through some needed assumptions. Then I’ll wax philosophic about some of the things you should most definitely do. Then I’ll encourage you to find your own links using some clever Google searching.
I had a roommate during my undergraduate degree who walked in one day and said, “you know what, I think I’m now an expert at subject x because I’ve almost earned an undergraduate degree.” That was the day I finally lost respect for that guy.
Here is another conversation I had with a graduate (first year out of school) colleague of mine: I went and told him, “you’ll need a mentor and maybe a coach to help you identify your weaknesses and grow.” I kid you not, when referring to executives who’ve had decades of experience in security, he said, “there isn’t anyone here that can teach me things I don’t already know.”
Both of the above people, while nice, well-meaning, bright, and friends, are absolutely fucking stupid. I mean, if someone said that to me in an interview I’d never hire them. I’d call their moms to pick them up after work because I’d be afraid their stupidity will cause them to be hit by a bus.
Here are the assumptions you need to take from this point forward:
- You (and me, obviously) will never know everything we need to know to succeed in security.
- Spending a few months reading or practicing won’t make you an expert.
- You have so much to learn.
- You don’t deserve anything; all that you get in your career you will have to earn.
- Earning things isn’t simply down to your knowledge, and being good at your career isn’t just you flexing your intelligence at people.
- Certificates aren’t really that important once you are in, but they are supremely important when you are not in.
The IT Security space is massive. You probably won’t know a little about everything, but you might be able to learn a little about a lot and a lot about a little. And for now, that’s a good place to start.
Now that you are looking to make a career of this, you’ll need some key skills:
- General security knowledge
- Scripting skills
- Communication skills
- An area of focus
I think you should find some generalist text, like books about cyber security or cyber security certificates, like the Security+ from CompTIA. You should read that to get a generalist knowledge.
But also, don’t just read that, because it’s boring. Also listen to some current event podcasts, like ‘Risky Business’. Those two things will give you foundations and some insight into what’s hot right now.
Then deeper dive into something, either technical or non-technical, like GDPR. So if you want to be a hacker, build a virtual machine and hack away. If you want to do development, learn about big data and automation. If you want to be in sales engineering, get your hands on some kit and play around.
The key here is to pick a single thing, along with generalist education, and get into it. You don’t have to stick there. I thought I wanted to be a penetration tester/ethical hacker. But I’m rubbish at hacking, so I don’t do it. I’m an acceptable technical architect, but I sometimes miss small details and the problem with architecture is that you suffer when you miss small details. So I find my niche – consulting and such. You will find yours as well.
Go to Google and start searching. I won’t give you links because it’ll limit you. But I will give words:
- CompTIA Security+
- Fortinet, Palo Alto, Check Point
- Asymmetric cryptography
Have at it.