12 August 2016

Begin at the beginning

It is a rare week that passes without someone asking me, “What is the best way to get started as a security consultant?”

However, before I give you my answer, I feel I should first point out that everything I’m about to write is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked the same question of someone else who was recruiting, they might have very different things that they are looking for. Let the buyer beware!

Onward to my own particular answer though. For the last twenty years, I have personally read thousands of CVs and interviewed hundreds of people who are looking to make a start in the security industry. An industry which is unusually demanding of its consultants: requiring both extreme breadth and depth of knowledge. Knowledge that is built up in layers, one upon another, with each new layer intimately dependent on the previous one.

Many of the people I interviewed have incredibly polished and impressive CVs, complete with long lists of skills, credentials and training courses. Alas though, once the interview starts it is common to find that there is no substance behind the polish. The skills lists are just an aspiration; no real knowledge underpins the claims.

For someone starting out, I would say the most important thing to do is to make sure you understand the basics really well, and if you don’t know it really well, leave it off your CV. There is no point learning about XSS if you don’t understand HTML. No point in learning HTML if you don’t know HTTP. No point in learning HTTP if you don’t know IP. No point in learning IP if you don’t understand basic maths and technology concepts like modulus, endian-ness, and non-decimal radix.

Don’t attempt to run before you have mastered walking. Begin at the beginning…
