
It's not difficult to become the local security expert -- the person others look to when they need network resources secured, the person they point to when they want to source someone in their attempts to reform security policy, and the person organisations like ZDNet Australia and sister site TechRepublic ask to write about security.
In other words, barring perhaps the ability to compose a well-written essay without grammatical and spelling errors, it's not too difficult to be a security pro. There are really only five steps to it.
1. Get outside of your comfort zone
Use software that isn't familiar to you. Learn about new technologies. I don't mean you should try a different antivirus solution -- I mean you should use something fundamentally different.
If you're an MCSE who's done nothing but manage Active Directory domains professionally, set up a network at home using Linux and FreeBSD systems. If you're a multi-OS geek who has Linux, Windows, and Mac OS X desktops at home -- and maybe even an old BeOS or Amiga system -- take a shot at setting up a backup server and an automated logging server, and then go on to build a firewall and router from scratch.
I've done much of that already, but I've got my eye on Plan 9 as a new operating system challenge. If you get out of your comfort zone and learn about different technologies, as I have, you'll start to learn things about the technologies you already use, because you'll find your old assumptions about how things work don't hold up to scrutiny.
2. Learn some programming
Even just a little bit will help you understand more about how software architecture plays a major role in overall system security. More than a little bit will teach you even more about it.
When you learn how to write drivers for a given operating system, for instance, you'll learn something about the security weaknesses of that OS. When you learn how to write code that interacts with the file system, you'll learn something about how file system design and OS privilege separation matters where the rubber meets the road, so to speak.
3. Read voraciously
Join some mailing lists, for a start. Good lists to join include open source community lists, programming lists, and the Security-Basics list at SecurityFocus.
That's for learning principles of security. To keep up with what's shaking in the security realm, so you're always on top of the latest security news, almost nothing can beat the BugTraq list. While you're at it, read what other security experts such as Bruce Schneier (and ZDNet Australia's very own Munir Kotadia) have to say.
Get your hands on some good books about security and read them. Security "cookbooks" are surprisingly useful, and a keen mind can grow to understand quite a lot about security principles from the "recipes" in these books by considering why and how they work.
4. Check your assumptions at the door
Secrecy does not equal security, you don't always get what you pay for, and security features don't always make you more secure. I'm not saying you should ignore everything you think you know -- just double-check it, triple-check it, and always be open to the idea that what you think you know may be wrong.
5. Finally, think for yourself
Don't just take someone's word for it when you're told something about security. Think it through, consider it carefully, and verify it for yourself, if at all possible. Consider what might be missing from what you're told, and consider the source. Everyone has an agenda, so you need to consider the goals of your sources. You also need to be aware of your own agendas, so you can avoid the trap of confirmation bias.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
Although your suggestion of reading BugTraq may help keep you aware of newly discovered vulnerabilities in some well known and many unknown programs, a security guru needs to have the big picture on what is happening throughout the entire security scene.
I once was given advice by a Senior Vice President of a Fortune 20 company who told me to always operate from the clouds - meaning to be able to view and watch everything that is happening - as compared to an 'in the trench view' where you have a great view of something within the trench but you are totally blind as to what is happening in the rest of the battlefield or even within the country or global perspective.
So rather than rely on BugTraq for breaking news I find it is far better to make SecurityNewsPortal.com a daily part of my security reading. With one visit to one web site I can see the headlines that are making the news from all the security related web sites. This gives me a great view from the clouds where I can see trends or events forming or breaking across the entire spectrum.
I would only recommend this news site because it is independent and simply aggregates the news from all available and high profile news sources. Truly a one stop shop for security gurus to keep on top of the 'big picture'. And as a bonus they also echo all the latest BugTraq vulnerabilities and exploits ;)
http://www.SecurityNewsPortal.com