Newcomer II

Do you need development or programming experience?

There are many different types of information security positions covering compliance to architecture. Do you think it is better for an information security professional to have actual development or programming experience?


I think it is very beneficial in many areas, and is good for increasing career opportunities. Here are a couple of examples:


  • Securing the SDLC 
  • Understanding coding vulnerabilities
  • COTS assessments
  • Building application level defenses 
  • Applying access control and IAM
  • Selecting the right controls
  • Describing and consulting on security requirements
  • Writing scripts
  • Understanding application/API proxies
  • Knowing how contingency and resiliency are implemented
  • Exposure to databases or data manipulation
  • Exposure to common data formats like XML and JSON


Ron Parker CISSP, CCSP


15 Replies

I believe you can function without it, but it always helps to understand the people that you are working with.

I had 10 years dev experience before moving to a security role (also 10 years).  I really see the difference in some of my security specialist colleagues especially when it comes to understanding the complex dependencies and effects that making changes in software has on other parts of a system.  To many security consultants it is clear cut that the risk of a vulnerability overrides any other consideration, but the complexity of software especially in enterprise systems makes such decisions complicated.  Understanding the development processes and the time it takes to verify knock-on effects of a change is essential and it is difficult to do if you don't have the experience.

I also see this in the CISSP materials on software development.  The assumption seems to be that many developers do not care about security, although my experience is that this is far from being the case. Often it is the security education & training that is lacking and that is for all of us to address within our organisations.

Newcomer III

The answer to all 'do you need' or 'is it valuable' questions is very simple.


You do not need ANY particular experience or education to find a job.  However, the broader and deeper your experience and knowledge the more opportunities that will be available to you.


Depth and breadth will eventually compete with each other.  You CANNOT be a master of all.  Do what you enjoy.


I enjoy people and hate head-down analysis.  I could never be a hunter.  


I lead down well, but lead up poorly, so the management, director, CISO chain is not good for me as politics becomes more and more of the job.


I am organized and a good mediator so I lead projects and programs and there are plenty of opportunities.


Community Champion


The answer depends on what you do --- including what you deal with in your line of work, your role in an organization, and your place in its hierarchy.


For example, a CISO should have excellent managerial abilities but wouldn't need technical skills, although having these or a good know-how is a definite benefit. A penetration tester or system analyst should have technical expertise relevant to systems being used, with acceptable communication and interpersonal skills.


Skills should be backed by experience, as was concluded in many posts in the community, including this one.


To analogize, a diplomat who's adept in multiple languages that are spoken where he's stationed would be better off than one who's dependent on an interpreter...





Shannon D'Cruz,
Influencer II

> Shannon (Community Champion) posted a new reply in Career on 03-18-2019 03:04 PM

> For example, a CISO should have excellent managerial abilities but wouldn't need
> technical skills, although having these or a good know-how is a definite
> benefit.

In general, I would agree with this. However, in the case of development and
programming, I would tend to suggest that this *is* a skill you should develop.
Not that you need to become a programmer, but, in the current tech and security
environment, there are too few security people who know how to program (and
too few programmers who *care* anything about security).

I would suggest learning about half a dozen languages, at least one of which should
be assembler or ML. (That's "machine language," not "machine learning,"
although learning an AI language would be another specific suggestion, because
they tend to be distinct from procedural or object languages.) This means you
know "programming," not just a coding vocabulary. That might sound like a lot
to do, all at once, but you can make it a long term goal and do, perhaps, a language
a year.



Viewer II

Thanks for your suggestions, Sharad. Your blog is not trending now; if you want to know DevOps interview questions, just visit Courseya:

Rocksy Kenton