There’s always a load of articles talking about the “core security skills” that security professionals and companies will need to develop. With 2010 approaching, we’re starting to get the typical 2010 recommendations and predictions articles on this topic.

I wonder if many of these articles are written by, and targeted at, people and organisations who might just be waking up out of their slumber into the real world that we (security people) have lived in for the last 2 or more decades. The alarm's still on snooze though, in my opinion.

I find this interesting. Aside from keeping up with technical/researcher-type knowledge (which most of these articles rarely refer to), what are these new "core skills" that we should all be developing? Keen to know if I have missed anything.

———————————————————————————————
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



  1. Unappreciated Skills says:

    How many people are hired to bring skills into an organization which are never utilized and then an ‘inspirational’ CIO decides what new skills are needed? They are already there.

  2. Drazen Drazic says:

    LOL…happens all the time! With some CIOs, it’s not a concept, methodology, strategy etc until they come up with the idea.

  3. Anon says:

    Good looks of course. Your skills might not be appreciated or used, but at least you will look pretty while being under-appreciated and under-utilised.

  4. Tony Sheridan says:

    Core skills!! Practical Pragmatic Common Sense

  5. Jay says:

    Please post links to said articles. Security is now so broad that eventually you will need to specialise at some point anyway. Gone are the days when it's just a sysadmin/network engineer rolled into one.

    Personally I think the only core competency (and I say competency over skill/s) I think is mandatory – and I'm sure I will get flack from people on this – is a strong understanding of a holistic security approach in an enterprise environment and how standards (e.g. the ISO27000s out there), frameworks and so on all integrate with technical controls and processes to achieve a cohesive whole.

    Everything else is pretty much secondary, as it will come down to what your role is. Pentesting skills are one thing, but if all you can do is show someone how to break into a system, then you lack the fundamental skills of how to fix the root cause and build processes into an organisation to prevent similar mistakes from happening again.

    I’ve seen too many pentesters who only know how to break things and have no concept of why security fails in the enterprise in the first place. Sadly, these same people are the ones that don’t care. Sure there’s a place for technologists (or “purists” as we call them at work) but that approach only goes so far in actually getting these issues fixed in the long term.

  6. snyff says:

    Core skills: TCP/IP, DNS, HTTP, one scripting language, Unix/Linux and Windows

    A good security consultant should do or have done some programming and sysadmin to understand how easy breaking things is …

    Be able to work on a Linux system. I still can't understand how people can do pentests with Windows.

  7. Anonymous says:

    I think an understanding of how security affects the business is a core skill that all security consultants should have. Being able to answer a question like “How does this Vulnerability Management program (technology, process, policies, etc) help business achieve its goal?” is a must.