Skills for the Future
Don Parker

A lot of the emails sent to me ask a basic question: just how does one break into computer security, or what skills should you learn to get that first security job? Lately, though, I have been receiving many more queries on how, specifically, one can leverage an existing skill set to become an information-technology security analyst.

A great question, and one that resonates on a personal level as well. The bulk of us who practice computer security today share one common denominator: we didn't just fall into our present jobs. We all came to this field from various other jobs in the computer industry. Back in the day, there was simply nowhere for me to take a computer-security-centric curriculum. That is changing today, with more colleges and universities offering computer security courses.

In the past, because of the lack of formal education in computer security, it was left up to the individual to gain the specific skills needed to be a security analyst. Today that is less true, and one can certainly aim to become a security analyst by taking courses and getting certifications. However, migrating the skills that you presently have, as most security analysts did before there was a formal curriculum, continues to be my preferred way. You might well be surprised at the many commonalities between, say, system administration skills and those of the security analyst.

It is becoming more and more crucial to realize that our best advocate is ourselves. There will likely be no one extolling your virtues or handing you your dream job on a silver platter. With that in mind, we have to do our best to recognize our shortcomings and, just as importantly, our strong points. As I just alluded to, that means taking an inventory of the skills you possess. Just about any competent system administrator can transition to that coveted security analyst job.

Do all roads lead to Rome?

It stands to reason then that system administrators, hardware jockeys -- the people who take care of routers, switches and other devices -- and database administrators all have some core skills in common.

Yet it's the system administrator who is generally the one to perform all of the aforementioned jobs, unless they are lucky enough to work for a large company or the government. Let's list a brief sampling of some of the core skills, and then see how they can be easily translated to a security analyst role:

  • Knowledge of Microsoft Windows,
  • Knowledge of major protocols,
  • Network architecture concepts,
  • Familiarity with firewalls, anti-virus solutions, and content filtering programs, and
  • Project management experience.

One of the core skills of any system administrator is having an excellent knowledge of the operating systems in use on their networks. For many networks today, that would mean a mix of Microsoft Windows and either Linux or BSD, since it's been my experience that most networks don't use a single operating system. This knowledge then neatly maps to computer security, because security analysts are no different in that they must also have an excellent understanding of various operating systems.

If you administer a Microsoft Windows network then you are well aware of NetBIOS and network shares; one could say they are a fundamental concept of Windows. They are also a fairly well-known security risk, insofar as shares are often left unprotected. For the savvy system administrator, then, it is common sense to require a password to access a network share. This is one concrete example of system administrator knowledge being easily ported to the world of the security analyst.

Having a good knowledge of the major protocols is also part of the core system administrator skill set. After all, it is the system administrator who sets up and configures the web server.

Knowing what the HTTP status codes are and what they mean, for example, is useful knowledge for both system administrators and security analysts. Understanding why and how to lock down a web server, even if only to take care of the worst misconfigurations, is also a key skill. The same applies to FTP, which is likely also in use. Being able to read and understand the FTP reply codes will also bear fruit for both the system administrator and the security analyst.

Both HTTP and FTP are services that are often targeted by malicious hackers. So it is no surprise that understanding how these protocols work is valuable to not only the system administrator but also the security analyst.
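As an added example (this is not code from the article), the script below applies the status-code knowledge just described the way an analyst would: it reads web-server access-log lines and FTP server replies, classifies the HTTP codes by their RFC 2616 class, and flags clients whose pattern of codes looks like probing rather than normal use. The log lines, IP addresses and thresholds are all constructed for the example.

```python
"""Added example: reading HTTP status codes and FTP reply codes as an analyst
would, over constructed log lines. Not part of the original article."""
import re
from collections import Counter

# Constructed sample: Apache-style "combined" access-log lines. One client
# browses normally; the other walks a wordlist of paths that do not exist.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2006:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2006:10:01:04 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2006:10:02:11 +0000] "GET /admin/ HTTP/1.1" 404 312 "-" "scanner/1.0"
198.51.100.23 - - [12/Mar/2006:10:02:11 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 312 "-" "scanner/1.0"
198.51.100.23 - - [12/Mar/2006:10:02:12 +0000] "GET /backup.zip HTTP/1.1" 404 312 "-" "scanner/1.0"
198.51.100.23 - - [12/Mar/2006:10:02:12 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 312 "-" "scanner/1.0"
198.51.100.23 - - [12/Mar/2006:10:02:13 +0000] "GET /server-status HTTP/1.1" 403 290 "-" "scanner/1.0"
203.0.113.7 - - [12/Mar/2006:10:03:00 +0000] "GET /missing.html HTTP/1.1" 404 312 "-" "Mozilla/4.0"
"""

# client ip, two ident/user fields, bracketed timestamp, quoted request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_access_log(text):
    """Yield (ip, method, path, status) for each well-formed access-log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def status_class(code):
    """Map an HTTP status code to its RFC 2616 class name."""
    classes = {1: "informational", 2: "success", 3: "redirection",
               4: "client error", 5: "server error"}
    return classes.get(code // 100, "unknown")


def summarize_status_classes(text):
    """Count responses per status class; a healthy server is mostly 2xx/3xx."""
    return Counter(status_class(status) for _, _, _, status in parse_access_log(text))


def flag_http_probes(text, threshold=4):
    """Return {ip: count} for clients whose 4xx responses reach the threshold.

    One 404 is a broken link. A burst of 404s and 403s for paths the site never
    served is a scanner walking a wordlist, and that is what an analyst looks for.
    """
    errors = Counter()
    for ip, _, _, status in parse_access_log(text):
        if 400 <= status < 500:
            errors[ip] += 1
    return {ip: n for ip, n in errors.items() if n >= threshold}


# Constructed sample: FTP server replies in an assumed "ip code text" log form.
# Reply codes follow RFC 959: 331 asks for a password, 230 is a successful
# login, 530 is "Not logged in" (here, a failed login).
FTP_LOG = """\
198.51.100.23 220 FTP server ready
198.51.100.23 331 Password required for admin
198.51.100.23 530 Login incorrect
198.51.100.23 331 Password required for admin
198.51.100.23 530 Login incorrect
198.51.100.23 331 Password required for root
198.51.100.23 530 Login incorrect
192.0.2.5 220 FTP server ready
192.0.2.5 331 Password required for alice
192.0.2.5 230 User alice logged in
"""


def flag_ftp_bruteforce(text, threshold=3):
    """Return {ip: failed_logins} for clients with at least `threshold` 530 replies,
    the FTP-side analogue of a burst of HTTP 4xx responses."""
    failures = Counter()
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) >= 2 and parts[1] == "530":
            failures[parts[0]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("status classes:", dict(summarize_status_classes(ACCESS_LOG)))
    print("HTTP probes:", flag_http_probes(ACCESS_LOG))
    print("FTP brute force:", flag_ftp_bruteforce(FTP_LOG))
```

The thresholds are deliberately low so the constructed sample trips them; on a real server they would be tuned against a baseline of normal 404 and failed-login rates, since a single client error or one mistyped password is routine. The point is the one the article makes: the same codes the administrator reads to debug the server are what the analyst reads to spot an attacker.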

Network architecture is an often-neglected area in most corporate networks, yet system administrators are the people most intimately familiar with the network and its layout. With a few changes and tweaks the network can be greatly hardened against attack from both within and without. Such practices as having a DMZ are now commonplace, alongside other more advanced techniques. Network architecture and design is therefore another knowledge area that system administrators and security analysts have in common.

Every corporate network today includes various security devices: firewalls, anti-virus solutions, content filters, and proxies. Usually these are all administered by the system administrator. The difference between the system administrator and the security analyst is the depth of knowledge each has of the output of these devices: the security analyst is able to parse through captured traffic and say definitively whether a security alert is valid or not. Not many system administrators are comfortable reading captured packets. That will come with time, though. What system administrators do have is familiarity with the setup, configuration, and maintenance of these security devices, and with that knowledge you are on almost even footing with the security analyst.

Project management experience is one area of expertise that is always in demand. It makes no difference whether you learned and practiced it as a system administrator or as a security analyst; the project management approach applies to any undertaking. You may ask yourself just how a system administrator could gain this body of knowledge. Look at it this way: every time your network upgrades its operating system or incorporates new services, you are in effect applying project management principles to accomplish that task. Upgrading a corporate network from Microsoft Windows 2000 to Microsoft Windows XP is no small undertaking, and a lot of planning must go into it. To have successfully pulled off that upgrade means that you indeed managed a project.

How does this port to the world of the security analyst? Often security analysts, acting as consultants, are brought in by large companies to perform large tasks such as Threat Risk Assessments (TRAs), the design of patch management systems, and similar work. What all of these have in common is that they require a methodical and structured approach. While it may sound simple to perform a TRA or re-architect a network, it most certainly is not. If you are not organized from the start and do not use a project management approach, you will quickly be overwhelmed.

Taking stock

It should be evident by now that many system administrators already have the skills required to be a security analyst. Conversely, you cannot be a security analyst without knowledge of various operating systems, major protocols such as HTTP, and other such bread-and-butter system administrator skills.

The relationship between the two jobs is really fairly symbiotic. A good system administrator will not only worry about having a functional network, they will also try to ensure its secure operation. You can't secure something if you have no knowledge of how it works. A security analyst is a person with a fairly broad-based body of knowledge. It is only if you choose to specialize in areas such as penetration testing or Web application security that you must build further upon the skills you already have.

For most system administrators, transitioning to the world of the security analyst is not that far-fetched.


Copyright 2006, SecurityFocus