Jason Andress, Ph.D., CISM, CISSP, GPEN, ISSAP
I was having a discussion with someone the other day on what it takes to be a good information security professional. Looking at the problem from a high level, we might say that it takes a certain amount of technical aptitude, a moderate level of computing and networking knowledge, and, if we measure against other industries, what might be considered to be an unhealthy level of curiosity. To fill more advanced positions, we might look for specific security knowledge, but often security professionals cross over from other computing and network-related areas and have a background in areas such as development, system administration and networking.
One of the other main factors that I often find lacking in such discussions, however, is drive. The burning need to be learning, digging at a problem, building new things, sharing with others, taking things apart, and generally staying in motion and continuing to develop. The vast majority of the really skilled security professionals that I know are firmly in this group. These are the folks that I see presenting at conferences, working on open source security tools, and spending their own time and money to go to school. They do these things not because anyone necessarily demanded that they do these things, but because they saw a need, they love what they do, or they just wanted to improve themselves and their skills. These are the people with whom I want to work.
As a metaphor for the security professional, I would point you to the shark. Certain sharks, like the great white, will suffocate and die if they stop swimming. These sharks need to continually force water through their gills in order to breathe, so they really can never stop moving. So to all you security folks out there, keep swimming.