I ran a poll on Twitter recently, trying to ask this question in an open way, to see what people thought. I was surprised that a lot of folks not only voted, but also shared some strong opinions. This was the final vote count:
I tried to make it OK to vote "yes", since the InfoSec community is typically open and inclusive of all kinds of people, and I didn't intend for a "yes" vote to be construed as negative. Not sure I accomplished that goal, but in any case the comments offered were maybe even more telling of the community's views than the numeric result of the poll.
The question turned out to be much more controversial than I expected. Several people were adamant that coding, especially writing scripts to automate tasks, is an essential part of the InfoSec job. Then there were others who had more of the attitude of “it takes a village”, and suggested that many different skills are of value to InfoSec professionals.
Coding skills are clearly both valuable and valued
This poll changed my views on the necessary skills I would recommend for those aspiring to work in InfoSec. The ability to write code to automate processes would be advantageous for anyone trying to get into the field. At the same time, so would a background in network engineering, system administration or help desk. There are many paths that lead to InfoSec careers. Not everyone that works in InfoSec comes from a coding background, but the comments suggest that those who do find it helpful. And while not everyone in InfoSec is proficient in coding/scripting, this ability sure seems to help those who are.
Coding skills allow folks in InfoSec to be more effective
Probably my favorite comment of the bunch, from Jeremiah Grossman:
But quite a few folks either didn't like to write code or felt it was not a core competency. Here's one example, but there were many more. I particularly like how Andrew phrased his tweet!
Coding allows InfoSec folks to automate repetitive tasks
This is a critical point because humans are notoriously bad at consistently performing repetitive tasks without making mistakes. Plus, automation allows practitioners to do more important things, like analyze activity on their network and train users to show more restraint before clicking on everything they see,
InfoSec practitioners who can code can also automate patching and other security maintenance, set up controls to block certain recognized events at the firewall level, recognize events that should require taking a box offline and running additional scanning for vulnerabilities or malware. By being able to automate such tasks, the InfoSec practitioner is more likely to be able to sleep at night as well.
Honestly, coding skills help immensely. You don't have to be a wizard. Basic literacy is sufficient.
— Bill Paxil (@Soulmech) September 28, 2017
Some specifics suggested
From reading all the comments and a few DMs, it looks like shell scripting, Python, Ruby and Powershell are recommended options. A practitioner wouldn't have to be proficient in all of these - proficiency in even one is likely to enable them to do accomplish required automation of tasks quite handily. Those in application security (AppSec) would of course have different coding proficiency needs.
I'd advise anyone who is considering getting into InfoSec or already working in InfoSec to pick up at least one automation language / scripting capability. Does this suggest that those without coding skills are without worth to the community? Hell no! There are plenty of awesome jobs in InfoSec where coding isn't necessary. But if you're at university and have to choose between taking programming or basket weaving, you should probably wait until retirement to start making those baskets!
About the Author: Kate Brew
Kate has over 15 years experience in product management and marketing, primarily in information security.