I spent a year and a half leading a large web-based identity management and single sign-on project for a Seattle-based bank. It was a really fun project, and the project was very successful, but it was only marginally a security project. Obviously there was a security component to the project, but IdM and SSO were primarily enabling technologies for the web application that was being deployed.
The lack of a significant security component to that position was one of the driving factors for me leaving that job: I felt my security skills were getting rusty. Now that I am once again surrounded by strong security professionals, I can feel myself getting back in the game (so to speak).
With this in mind, I would like to present my recommendations for maintaining one's security skills:
- Make sure you spend time with other people focused on security. If you can't work with them (e.g., your shop is too small), make sure you get involved in a group like ISSA (www.issa.org) or ISACA (more audit-focused, but will do in a pinch: www.isaca.org).
- Make sure you have opportunities to attend a conference or two each year. This is important to make sure you stay current with what's coming in the security space. At conferences, I find the expo to be almost as enlightening as the sessions, since the vendors tend to showcase their new stuff at these events. I personally recommend the RSA Conference (www.rsaconference.com).
- Make sure that security is a significant portion of your responsibility and work effort. There is nothing like using skills to maintain and improve them.
- Skim the trade rags. Even reading only the headlines can give you at least an idea what's going on out there.
I'd be interested to hear any other recommendations that you have about keeping up (and improving) your security skills. Submit your responses to this posting and I will publish them in a future blog entry.