What does it take to be a security professional?

M Taylor mctylr at privacy.nb.ca
Mon Nov 12 19:58:53 EST 2001


On Mon, Nov 05, 2001 at 03:49:56PM -0500, Adam Fields wrote:
> 
> So, I ask the following question - "what does it take to be a security
> professional?". What should I learn in order to be able to confidently
> offer security services to my clients? I'm looking for journals,
> readings, certifications, broad topics... the works.

The obvious but serious and important question which is
related, "what does it take to be a computer professional?" To
which, I think the best place may be to start by a) act like a
professional, b) consider joining a professional organization 
like ACM, IEEE, BCS, etc to help you with a.

So what professional groups, certifications, degrees are
worthwhile for the new security / cryptography professional?

I don't have a very good answer for that, and I don't think
anyone else has a complete answer either. Professional
organizations to be aware of include ISC2 (CISSP certification),
SANS (GIAC certs), ISACA, ACM, IEEE, IACR, and others I haven't
heard of. The first 3 also (primarily?) offer certification as
well. 

There are many different disciplines within computer security:
from information system auditing to network intrusion
detection to cryptography that most people can only master
a small domain and be aware of the other areas.

I think that looking at the CISSP certification might be a
useful starting point, it also has a value relating to employment
and contract work; IT Security Managers and Contractors are
decently paid positions. It also provides a wide view of the field
so that you can start to realise the range of issues and areas,
which you may choose to pursue further in greater depth.

I think there is also a security engineer role which isn't
typically called such, but is also a cross-disciplinary role which
involves the more technical side of software, system, and network
developments. I think Ross Anderson's book Security Engineering
is the closest thing to a guide for this sort of role. The
"periodical" for such a role would be Peter G Neumann's RISKS
digest.

Understanding what goes wrong is good. As well as understanding
the balance of risks and rewards, something security types often
overlook. An understanding of risk management, insurance, and
statistics would do no professional any harm.

For academic courses, check Avi Rubin and Bruce Schneier's lists
 http://avirubin.com/courses.html
 http://www.counterpane.com/courses.html

Me, I'm still trying to figure this out myself, so far it does not
appear to be a great time to shift careers or take a lot of risks.
So I would be interested in other suggestions myself. 



---------------------------------------------------------------------
The Cryptography Mailing List