So you want to be a security expert

Repost from Bruce Schneier's blog.
I receive a lot of e-mails from people looking for advice on computer security. This could be as a course in college or as a career option.
First, there are many subspecialties within computer security. You could be an expert in keeping systems safe from hackers or in creating unhackable software. You could be an expert in identifying security issues in software or networks. Expertise in cryptography, policies, and viruses is possible. There are many opportunities to learn different skills. Security experts don’t need to be coders.
However, I do have three pieces of advice for anyone who is interested in learning computer security.
I love security certifications. They can quickly show all of these things to potential employers.
I haven’t said anything here that isn’t true for a gazillion other areas. But security requires a certain mindset. This mindset is what I consider essential for success in this field. It can be taught, but I doubt it. This kind of thinking is not natural. Engineers don’t have this ability. Engineering is about thinking about how things could work. Security mindset is about thinking about how things could go wrong. It is about thinking like an attacker, a criminal, or an adversary.
While you don’t have the obligation to exploit any vulnerabilities that you find, if you don’t see the world in this way, you won’t notice most security issues. This is especially true if your goal is to design security systems, not just implement them. Schneier’s Law states that anyone can invent security systems so clever that they can’t be broken. Your designs will not be trusted if you have made a name for breaking other people’s designs.
One last word on cryptography. Modern cryptography can be difficult to learn. It requires advanced mathematics knowledge, in addition to the above. Your prowess in computer security is measured by what you can hack. Although the field has advanced a lot since I created this guide and self-study course in cryptanalysis a dozen years back, they are still a good place to start.
This essay first appeared on “Krebs on Security”, the second in a series that answers the question. This is the first. There will be many more.