Becoming an information security expert boils down to expansive technical knowledge, breadth of experience, and education. This means that you’ll need to learn a lot more than just security, so you’ll likely start on the “blue team,” and then work your way into the “red team.”
The “red team, blue team” nomenclature comes from the military. In military attack-defend training exercises, one group (the blue team) tries to defend a target against a group of combatants (the red team). In this type of war game, the red team challenges the effectiveness of the blue team, helping improve their response in the event of a real-world attack.
The IT security world justifiably borrowed these phrases.
“Blue team, go!”
You’ll typically start off your security career on the blue team.
On the friendly team, you’ll be building the castle walls and defending them with discovery tools, firewalls, filters, access controls, and other physical and virtual security features. What’s the castle in this case? The network.
In a recent surprise Google Hangout, security trainer Keith Barker said (at 7:43) the best way to get security experience is to “get into an IT job and then outgrow it.” It’s up to you which way you grow, so get the network fundamentals down before anything else, and then focus your energy on learning security. Keith also said to ask for security responsibilities in your office, and try things out (with permission of course).
Putting that advice into the context of certifications, you’ll also want to record your progress with industry benchmarks, which means starting with a CompTIA Network+ and then earning the CompTIA Security+. It all begins with the blue team.
“Red team, go!”
Once you get experience building the castle’s defenses, then you can start trying to knock them down. On the red team, you’ll be identifying and exploiting vulnerabilities, conducting remote and client-side attacks, penetration testing, deploying tunneling techniques, and attacking by any other vector you find.
Your objective: find the holes before the bad guys do, and then tell the blue team how to prevent the attack.
Certifications like ISACA CISA, (ISC)2 CISSP 2015, and Certified Ethical Hacker (CEH) prove to an employer that you know how to look for vulnerabilities, but prepare yourself. The higher echelons of IT security, particularly pen testing, are typically very technical. For instance, if you want to be a successful penetration tester, you should probably know all the languages you can manage including Python, Bash, Linux, Ruby, Perl, PowerShell, Assembly, and C, along with an in-depth knowledge of databases, operating systems, networking, and memory. You have to know everything.
As an information security expert, you will need experience on both the “red team” and the “blue team.” Basically, the industry is set up so that you should know to build the castle before you try to breach its walls.
P.S. – Not a subscriber? Start your free week.