Competencies

I've been working in the tech world for the better part of 30 years. I've worked as a "sysadmin", a "programmer" (don't call them software engineers), a smart card and crypto engineer, OS driver writer, and now as a security architect. Most of that time was spent working on the back of the backend, taking care of the dirty work of keeping things going.

Over the years several people have asked me what are the key things you would want to learn and be proficient at in order to do this job. Well, here's the answer.

Please don't take this too seriously, but understand the overall focus. Young "engineers" today tend not to care, or at least not care enough about the foundations, fundamentals, and the basics of how things work. They just want to "write beautiful things". OK then...

These are the key competencies you should have:

• How an operating system (OS) works, regardless of which OS. Know the basics, the differences, how they interact with hardware, with other programs, and with the users. Focus on learning Unix and Linux. Those two will give you a lot of power in the tech world. You have to be comfortable working with them, specially on a shell (a terminal with a command line interface).
• How TCP/IP works, its history, format, and changes over the years. Understand after that how ARP works, how routing tables works, how the internet works, what is a DNS and how it works, and how firewalls and proxies do their jobs.
• Understand how to code in at least one low (assembler) or semi-low (C) level language. Become proficient in writing simple, organized, and readable code.
• Learn secure coding. There is no other way.
• How databases work, and what are the different types of databases, along with their pro's and con's.
• Understand how HTML, Javascript, PHP, Java, and other web application-related technology works. The more you do, the better you'll be able to help both front and back ends when needed.
• Basic understanding of cryptography. Differences between symmetric and asymmetric cryptography. How they are applied to everyday technology and its shortcomings.
• How SSL, and TLS work.
• Understand how "the cloud" works, along with concepts like "serverless", "containers", and "virtual machines".
• How to read CVE releases and assess the risk and business impacts based on its CVSS score and/or description. Clearly understand the scores are relative and you must factor current controls present in your environment. This is useful to both security and engineers alike.
• Basic security concepts, like the differences between a vulnerability, a threat, risk, and how each inform the other. What is authentication and what is authorization. This is a good thing to know generally speaking, so go learn.
• Understand where technology is going and why. Learn about "zero trust", "crypto currency", "blockchains", and other hyped buzzwords. They are important concepts to know.
• Finally, understand some of the compliance frameworks: PCI, SOX, HIPPA, GDPR, etc.

As you can see there is a lot here, but this list is not all inclusive. There is more, much more. Start here. It'll build a solid foundation. If you focus on the fundamentals, you will be able to learn better later, and switch work within the tech world as you find yourself attracted to other parts of it.

Happy new year.