HOWTO become a security expert, Bruce Schneier style

Brian Krebs is conducting a series of interviews with computer experts on how they got into the field and what they'd advise others to do if they want to break in themselves. The first one, an interview with Thomas Ptacek, ran last month. The latest is from Bruce Schneier:

In general, though, I have three pieces of advice to anyone who wants to learn computer security:

* Study: Studying can take many forms. It can be classwork, either at universities or at training conferences like SANS and Offensive Security. (These are good self-starter resources.) It can be reading; there are a lot of excellent books out there — and blogs — that teach different aspects of computer security out there. Don’t limit yourself to computer science, either. You can learn a lot by studying other areas of security, and soft sciences like economics, psychology, and sociology.

* Do: Computer security is fundamentally a practitioner’s art, and that requires practice. This means using what you’ve learned to configure security systems, design new security systems, and — yes — break existing security systems. This is why many courses have strong hands-on components; you won’t learn much without it.

* Show: It doesn’t matter what you know or what you can do if you can’t demonstrate it to someone who might want to hire you. This doesn’t just mean sounding good in an interview. It means sounding good on mailing lists and in blog comments. You can show your expertise by making podcasts and writing your own blog. You can teach seminars at your local user group meetings. You can write papers for conferences, or books.

How to Break Into Security, Schneier Edition


  1. One time, while I was waiting for a Southwest flight – they are always late – I had a nice chat with a security expert who had spent years as a professional safe cracker and robber. He had done pretty well, but eventually he got caught. When he was released from prison, he found he could work as a security consultant specializing in physical security. If nothing else, he understand how the bad hats worked, so he could now do a good job as a white hat. In fact, he was on his way out on a consulting gig. I can’t recommend this as a career path, but it was an interesting story to hear.

  2. Study / Do / Show – isn’t this a roadmap to creating a career in just about any arena?

Comments are closed.