You can't build a house on a sandy foundation, so the saying goes. I am not sure who said that, but it makes sense: you can't build a 100-floor building on a shaky foundation. The same is true for your security career. You need the basic foundation for whatever path you choose, whether you become a pentester or a GRC consultant.
From a pentester's point of view, you will need to understand how computers, networks, applications, storage and cloud work at a very rudimentary and fundamental level. A good pentester is a crafty pentester, just like an artist (Picasso?). Tools will help you, but thinking inside and outside the box is needed, and that is only possible if you have the fundamentals and know how the machine works.
That's been my approach in my career, and I can see some progress since I started back in 2007. Know the fundamentals and keep yourself updated.
This might not be a good comparison, or one may think it is a weird one. For the past three decades technologists and cyber security vendors have worked hard to produce best-of-breed technical security controls, first based on hardware and now transitioning to software-based or software-defined alternatives. Over the same period the bad guys, whatever hat colour they wear, have also been busy poking holes in these controls, and they only need one good strike out of a million tries. To be fair, they have been successful, to say the least.
But what has evolved slowly is the human firewall as a defence, because organisations still believe a hardware- or software-based firewall is the only good security control to stop bad guys on the internet from getting into their organisation. Well, if you have been counting, this is a long war; every now and then the good guys may win, but playing the long game, the bad guys have the upper hand.
Regardless of advances in technology, the human still remains the weakest link in the chain, and organisations should invest reasonably well in fortifying the human firewall, because at the end of the day you may have all the shiny, updated hardware and software firewalls, but if you don't have a strong human firewall you will always fall victim.
The other day a friend asked me how one should start a security career. What is the best path, course to study or security certification to go for? Well, my answer always starts with: do the CISSP certification. Why do I say that? Why not ISO 27001, why not SABSA?
One simple reason: CISSP covers a lot of domains, originally about 10 and now squeezed into 8. To me CISSP covers a lot of ground, is good for a security generalist and is a good introduction to security as a preparatory course. The second reason is that CISSP requires a lot of effort, preparation and time investment to pass the exam. Even when one doesn't pass the exam, the knowledge gained is valuable and an eye-opener to the security world.
So those are basically my simple reasons. Security has matured over the years, and now you can be a specialist in any of the fields below:
– penetration testing and threat hunting
– incident response
– threat intelligence
– security operations and devOps
– secure development
– cloud security
– security architecture
– governance, risk and compliance
– and many more. All these domains have their own certifications, so find your passion, develop your area of competence and be called an expert. I guarantee you it won't be an overnight success. Good luck.