I am, by many measures, almost uniquely badly qualified* to talk about IT security, given that my degree is in English Literature and Theology (I did two years of each, finishing with the latter), and the only other formal university qualification I have is an MBA. Neither of these seem to be great starting points for a career in IT security. Along the way, admittedly, I did pick up a CISSP qualification and took an excellent SANS course on Linux and UNIX security, but that’s pretty much it. I should also point out in my defence that I was always pretty much a geek at school***, learning Pascal and Assembly to optimise my Mandelbrot set generator**** and spending countless hours trying to create simple stickman animations.
The rest of it was learnt on the job, at seminars, meetings, from colleagues or from books. What prompted me to write this particular post was a post over at IT Security guru, 9 out of 10 IT Security Pros Surveyed Favour Experience over Qualifications – FireMon, a brief analysis of a survey disclosed on Firemon’s site.
This cheered me, I have to say, given my background, but it also occurred to me that I sometimes get asked what advice I have for people who are interested in getting involved in IT Security. I’m wary providing a one-size-fits-all answer, but there’s one action, and three books, that I tend to suggest, so I thought I’d share them here, in case they’re useful to anyone.
- get involved in an Open Source project, preferably related to security. Honestly, this is partly because I’m passionate about Open Source, but also because it’s something that I know I and others look for on an CV*****. You don’t even need to be writing code, necessarily: there’s a huge need for documentation, testing, UI design, evangelism****** and the rest, but it’s great exposure, and can give you a great taster of what’s going on. You can even choose a non-security project, but considering getting involved in security-related work for that project.
Three books******* to give you a taste of the field, and a broad grounding:
- Security Engineering: A Guide to Building Dependable Distributed Systems, by Ross Anderson. I learned more about security systems from this book than any other. I think it gives a very good overview of the field from a point of view that makes sense to me. There’s deep technical detail in here, but you don’t need to understand all of it on first reading in order to get a lot of benefit.
- Practical Cryptography, by Bruce Schneier. Schneier has been in the field of security for a long time (many of his books are worth reading, as is his monthly email, CRYPTO-GRAM), and this book is a follow-up to his classic “Applied Cryptography”. In Practical Cryptography, he admitted that security was more than just mathematics, and that the human element is also important. This book goes into quite a lot of technical depth, but again, you don’t have to follow all of it to benefit.
- Cryptonomicon, by Neal Stephenson. This is a (very long!) work of fiction, but it has a lot of security background and history in it, and also gives a good view into the mindset of how many security people think – or used to think! I love it, and re-read it every few years.
I’m aware that the second and third are unashamedly crypto-related (though there’s a lot more general security in Cryptonomicon than the title suggests), and I make no apology for that. I think that a basic grounding in cryptography is vital for anyone wishing to make a serious career in IT Security. You don’t need to understand the mathematics, but you do need to understand, if not how to use crypto correctly, then at least the impact of using it incorrectly********.
So, that’s my lot. If anyone has other suggestions, feel free to post them in comments. I have some thoughts on some more advanced books around architecture which I may share at some point, but I wanted to keep it pretty simple for now.
*we could almost stop the sentence here**, to be honest.
**or maybe the entire article.
***by which I mean “before university”. When Americans ask Brits “are you at school?”, we get upset if we’ve already started university (do we really look that young?).
****the Pascal didn’t help, because BBC BASIC was so fast already, and floating point was so difficult in Assembly that I frankly gave up.
*****”Curriculum Vitae”. If you’re from North America, think “Resumé”, but it’s Latin, not French.
******I know quite a lot about evangelism, given my degree in Theology, but that’s a story for another time.
*******All of these should be available from a decent library. If your university/college/town/city library doesn’t have these, I’d lobby for them. You should also be able to find them online. Please consume them legally: authors deserve to be paid for their work.
********Spoiler: it’s bad. Very bad.
One thought on “Getting started in IT security – an in/outsider’s view”