Getting Started as a Big-Time Security Whiz

Opinion: Would-be professionals must decide whether to wear white hats or black hats and whether they want a full-fledged certificate or just some useful knowledge.

Since my e-mail address gets put at the end of many of the things that I write, I (understandably) receive e-mails from people. Some are queries about what I've written, some are pitches about products that I haven't written about but someone wishes that I would, and some are pleas. The pleas are usually the most interesting, since they usually come from folk who realize they haven't got a clue and want one rather badly.

What they mostly seem to want is a clue about how to become a big-time, big-deal, big-city security whizzo like I am. Sigh. I usually tell them that I'm not, but that I just play one on TV. (Most of the people from the U.S. get the joke, but that line really throws the guys from Estonia and the like.) And then it turns out that most of the folks writing the pleas basically just want some idea of how to start in the "security field". Maybe they aren't happy with the job they have and want to move into another area. Maybe they think they'll make more money "doing security". Maybe they just want a different kind of challenge. It varies.

The first question I usually pose in response to that kind of query is "What do you mean by security?" People have so many misconceptions about what the field entails. But what I'm really asking them is "Are you a GoodGuy or a Cracker?" GoodGuys (also called "white hats") are interested in defending their systems, and crackers (a.k.a. the "black hats") want to get into them. Usually, you are one or the other. (Of course someone may start out as a cracker, get tired of the hassle, and then decide to get a job selling their hard-earned knowledge of busting into systems. But that doesn't happen as often as you would think. Cutting your hair and wearing a tie is a big obstacle to some people.)

A potential GoodGuy is encouraged to get certified in security by a recognized organization. Not only do you learn what you will need to know in order to do the job for someone that will pay you, but you also gain credentials that someone who will pay you wants to see that you have before they will hire you. I'm thinking of something like (but not limited to) the CISSP certificate. CISSP stands for Certified Information Systems Security Professional. The CISSP examination consists of 250 multiple-choice questions, covering topics such as Access Control Systems, Cryptography, and Security Management Practices, and is administered by the International Information Systems Security Certification Consortium. More information about the training needed for this program can be found at

Read the full story on Ziff Davis Internet's Security IT Hub: Getting Started as a Big-Time Security Whiz