Security Competencies
May 2022

I've been working in the security and tech worlds for over 25 years. Over the years, several people have asked me what the key things are that you would want to learn and be proficient at in order to do this job. I will give you the answer I was given by my first boss, at my first real security job: you need to understand the fundamentals.
He told me that in order to break or protect something you need to first understand how it works, and what the technology behind it is. The first four months in my job were spent reading. He gave me books on TCP/IP, DNS, operating systems, databases, firewalls, software design, ASM and C. He said: until you read and understand all this, I can’t teach you how to break stuff.
Yes, learning the basics of stuff.
Please don't take this too seriously, but understand the overall focus. Young "engineers" today tend not to care, or at least not to care enough, about the fundamentals and the basics of how things work. They just want to "write code and express themselves". Well, ok… But...
So, here are the key competencies you should have:
- How an operating system (OS) works, regardless of which OS. Know the basics, the differences, how they interact with hardware, with other programs, and with the users. Focus on learning Unix and Linux. You have to be comfortable working with them, especially on a shell (a terminal with a command line interface).
- How TCP/IP works, its history, format, and changes over the years. Understand how ARP works, how routing tables work, how the internet works, what DNS is and how it works, and how firewalls and proxies do their jobs.
- Understand how to code in at least one low-level language (assembly) and one slightly higher-level one (C). Become proficient in writing simple, organized, and readable code.
- Learn secure coding.
- Understand how databases work, and what the different types of databases are, along with their pros and cons.
- Understand how HTML, JavaScript, PHP, Go, Ruby on Rails, Java, and other web application-related technologies work. The more you know, the better you'll be able to protect or break front and back ends when needed.
- Have a basic understanding of cryptography: the differences between symmetric and asymmetric cryptography, how they are applied to everyday technology, and their shortcomings.
- How SSL and TLS work.
- Understand how "the cloud" works, along with concepts like "serverless", "containers", and "virtual machines".
- Understand how to read CVE releases and assess the risk and business impact based on their CVSS score and/or description. Understand clearly that the scores are relative: you must factor in the controls already present in your environment. This is useful to security people and engineers alike.
- Have a good knowledge of security concepts, like the differences between a vulnerability, a threat, and a risk, and how each informs the others. What authentication is and what authorization is. This is a good thing to know generally speaking, so go learn.
- Understand where technology is going and why. Learn about "zero trust", "cryptocurrency", "blockchains", and other hyped buzzwords. They are important concepts to know.
- Finally, understand some of the compliance frameworks: PCI, SOX, HIPAA, GDPR, etc.
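The point about CVSS scores being relative, as an added example that is not part of the original post: the same vulnerability scored once with the published base metrics and once with environmental metrics that reflect a hypothetical deployment. It assumes CVSS v3.1 (weights and formulas from the FIRST specification), with Exploit Code Maturity, Remediation Level and Report Confidence left Not Defined; the vulnerability and the environment are constructed for illustration.

```python
"""CVSS v3.1 base vs. environmental score (weights and formulas from the FIRST spec)."""
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR/IR/AR security requirements

def pr_weight(pr, scope):
    """Privileges Required weight; L and H count more when scope changes."""
    return {"N": 0.85, "L": 0.68 if scope == "C" else 0.62,
            "H": 0.50 if scope == "C" else 0.27}[pr]

def roundup(x):
    """CVSS v3.1 Roundup: round up to one decimal using integer arithmetic."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def score(m, req=None):
    """Score metric dict m (keys AV, AC, PR, UI, S, C, I, A).
    req=None gives the base score; req (CR/IR/AR, e.g. {"A": "L"}) gives the
    environmental score, m being the modified metrics and E/RL/RC Not Defined."""
    env = req is not None
    req = {"C": "X", "I": "X", "A": "X", **(req or {})}
    iss = 1 - ((1 - REQ[req["C"]] * CIA[m["C"]]) * (1 - REQ[req["I"]] * CIA[m["I"]])
               * (1 - REQ[req["A"]] * CIA[m["A"]]))
    if env:
        iss = min(iss, 0.915)  # cap on the modified impact sub-score
    if m["S"] == "U":
        impact = 6.42 * iss
    elif env:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr_weight(m["PR"], m["S"]) * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability if m["S"] == "U" else 1.08 * (impact + exploitability)
    return roundup(min(total, 10))

# Constructed example: an unauthenticated, network-reachable bug with full C/I/A impact.
BASE = {"AV": "N", "AC": "L", "PR": "N", "UI": "N", "S": "U", "C": "H", "I": "H", "A": "H"}
# Hypothetical environment: a firewall limits reach to the adjacent network (MAV:A)
# and the system's availability matters little (AR:L).
MODIFIED, REQUIREMENTS = {**BASE, "AV": "A"}, {"A": "L"}

if __name__ == "__main__":
    print("base:", score(BASE))                             # 9.8, Critical
    print("environmental:", score(MODIFIED, REQUIREMENTS))  # 8.4, High
```

The same bug drops from Critical to High once the existing firewall and the low availability requirement are counted, which is the adjustment you should make before deciding how urgently to act.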
As you can see there is a lot here, but this list is not all-inclusive. There is more, much more. Start here. It'll build a solid foundation. If you focus on the fundamentals, you will be able to learn better later, and switch work within the tech world as you find yourself attracted to other parts of it.