How I got into Security

by Bruce Brown | 2 Comments

Martin McKeay over at the Network Security Blog asks “How did you get into Security?”  That is a good question.  Its something that I’ve been asked and what I like to ask others in the business.

Up until recently, I’ve done security my entire adult life very reluctantly.  I started off in the military as Security Policemen (now called security forces).  I was a security specialist and was groomed into law enforcement.  The description sounded like special forces.  And even though security forces do some pretty cool stuff its NOT usually doing anything even close to what combat controllers, pararescue, Force Recon, Navy Seals and Delta Force do.  Instead its like the Air Force version of infantry (when I was in we even trained with the Army infantry at Ft Dix).

I had about five years learning every aspect of physical security.  I later “cross trained” into communications expecting to do some hardcore technical stuff.  And I did, but while I wanted Routers I got the help desk and later pure security (firewalls, IDS, C&A packages, COMSEC, EMSEC) a little of everything.  My experience in the military made it easier for me to pass the CISSP which covers a little of everything.

These days I teach certification classes and do auditing, policies, consulting as well as certification and accreditations. 

2 Comments on How I got into Security

  1. Ashish
    June 24, 2007 at 2:03 am (12 years ago)


    Wat sort of certification you think a person should have to become security analyst. Though i am working with a IT firm, as security engineer.


    June 25, 2007 at 9:43 am (12 years ago)

    If a Security Analyst knows their stuff really well and/or has a computer security degree I don’t think think they should have to have a certification. A cert does not necessarily mean your good or even smart. But the IT industry sets the standards on that stuff and they want that extra assurance that security guys are good.

    Some govt agencies (as least in North America) now absolutely require security certifications for employment.

    the ideal certification (right now) is the CISSP. But some alternatives are the CISA (really good for financial orgs), CISM, or CISSM (more for information security management).

    These are fairly difficult certifications to get but VERY respected in the security world (even over a degree sometimes which makes no sense to me).

    I would say that the Security is a good cert to start with. SANS has a bunch of decent certs as well such as the GSEC that are well respected in the industry.

    If one had to get cert I would make sure it matched their level of responsibility. For example, a lower level security guy who only looks as audit logs all day might only need a security , but a security engineer who does security policies, security audits and maybe even manages security personell might consider getting a CISSP.

    There is also the CEH which is for pentesting and the CFI for forensics.


Leave a Reply

Your email address will not be published. Required fields are marked *

Comment *