One problem we have today, with all the attention on cyber security, is that everyone wants to get into the game. And frankly there are all too many ‘security professionals’ and even ‘security companies’ that simply don’t have sufficient skills. So what makes a good security professional? Here is what I consider the most basic skillset:
First and foremost, you need a solid understanding of computers. Yes, a CS/CIS/BIS degree would be good, but without that, a basic skillset equivalent to the CompTIA A+/Network+ certification and a good knowledge of operating systems should be the minimum before you start to study security. Whether you are a security admin, forensic examiner, pen tester, or some other security professional, you have to understand hardware, operating systems, networks, etc. before you can work effectively in security. It is best if you have had a few years in some IT role (tech support, network admin, programmer, web developer, etc.) before embarking on security. It would be a good idea to at least be comfortable with database technology and routers as well.
Next, you must have a strong working knowledge of general security principles. Understand the concepts behind authentication, CIA, least privilege, IDS/IPS, anti-malware, etc. That means something equivalent to CompTIA CASP or CISSP.
Then you need at least some working knowledge of forensics and pen testing, even if you do not intend to specialize in either of those. I think any security professional should have an introductory course in both forensics and pen testing. Pen testing will help you understand attack vectors so you can better defend against them. Forensics will improve your incident response.

In my opinion the skillset just outlined is the baseline for security professionals.  And in this field more is always better.  If you are going to specialize in forensics or pen testing, then you absolutely need to go beyond this baseline.

Beyond that, learning more about specific technologies (IDS/IPS, SSL/TLS, Kerberos, etc.) and getting a deeper knowledge of the operating system you are trying to protect must be an ongoing process. I tell students that this is not a field in which you learn a skillset and then execute that skillset repetitively for the next several years. Security requires constant learning and constantly expanding your skills.

Also note, I use certifications as a guide to skill level. I am not claiming you must have certifications, just the skillset represented by those certifications.


Chuck Easttom