Lately I have been asked the same question from multiple people -“How do I get into Computer Security?” (I also seem to be getting the “My home computer is infected, what do I do?” a lot but that’s a different blog post). I figured I’d write down my ideas on what it takes to get into Computer or Information Technology (IT) Security and point people to this post in the future.

First, you must have a desire to understand how things work. To me, to become good at IT Security, you must develop technical skills. You have to become someone that really only thinks about how things work and once you figure it out, determine if the workings of that system can be used in ways that the original designers did not intend. You need to always be in this mindset. To understand how things work, you need the skills to understand and dissect that system. This can also be called learning to be a hacker. In my opinion, becoming good at IT Security is synonymous with becoming a hacker in the truest definition of what a hacker is (not what the media calls a hacker and what the term hacker means can be a blog post all on its own).

Next, create a Twitter account. Yes, as lame as it may sound, create that Twitter account and go follow a bunch of folks in the security community. You will learn about things days and weeks before the information hits news sites. You will see sites and blog posts that you would have never found by just searching the Internet.

Next become an expert at an operating system. I think that Linux is the best choice, but being an expert with Windows is not without merit because when you land that awesome IT security job most likely the majority of the computers in the organization will be Windows based.

The best way to learn Linux is to dive right in and install it and start using it. Getting a book to help you along is a good idea, but nothing will beat the hands on experience of tinkering with it. Mastering Windows is important too – it may or may not be easier for you. Perhaps the best way is to shoot for a certification but again, nothing beats hands on experience. So really you should learn both, however, being considered an expert in one or the other should be your goal.

Another really important aspect is learning networking, specifically TCP/IP, the language of the Internet. Depending on your level of knowledge, you should start out with a general concept book, such as Network + type training material. Next move on to more advanced material like TCP/IP Illustrated. Knowing TCP/IP is fundamental – everything you deal with will interface with it.

Finally, you will need to know scripting and programming. Your level of exposure to programming concepts will determine what you do here. There are many languages to choose from, one of the most common, but maybe not the easiest to start with it C++. Perl is a good choice to start with and Python is the latest hotness for a lot of security stuff as is Ruby (Metasploit). Knowing bash scripting in Linux will also be very helpful. Becoming conversant in one or more of these languages should be a goal, but know that it will not happen overnight. This can end up being one of the largest time investments on this list.

Maybe the most important point is that this is not going to be a one-week training course you sign up and pay for, this is a life-long endeavor. Once you get into it you will learn that there are subsets to IT Security that you can further specialize in such as forensics, malware analysis, intrusion detection, or penetration testing (and more) and each with their own detailed body of knowledge. It is an exciting journey that will often be rewarding and occasionally frustrating. You will learn new things all of the time and build upon those. It is a journey I am still on and I learn new things every day.

Written by @itsecderek