I'm trying to shift my career from IT Auditor to more of a true IT position. I currently have CISA and I'm working on CISSP. Should I learn basic coding? And if so, what coding language should I take? Am I better off taking a live course at a local university or should I try to self-teach via online learning sites?
Any help/advice appreciated.
If you're working on your CISSP, it won't require that you know how to program, but it certainly doesn't hurt.
If I had the time, I would love to learn Python as it is heavily used in the industry. If you like the classroom environment, you take classes at the local college or possibly local chapters might have some additional resources. Online, I would check out cybrary.it - the online cyber library! They have a slew of free material.
Depends on where you see yourself in InfoSec. Coming from the audit (business side) of the house means you will likely gravitate to a more generalist type of role and less likely a super niche application security role. Still it is very helpful to be able to automate simple tasks, grep log files and all the other cool things we do.
For the CISSP unto itself? No. Most InfoSec people come from the infrastructure rolls with the next group coming from the administration side of the house. The later group generally has some basic PowerShell and VBScript experience but also tend to shy away from application security.
"Dev-types", particularly full stack developers tend to have "mad dev skillz" in comparison to the first two groups for obvious reasons and tend to be heavily found in application security and to a lesser extent risk management parts of the field.
As far as I am concerned audit provides the best "last mile" training before a career in InfoSec as it provides the business reasoning behind security in the first place.
Programming and development are just one segment of a very large field.
If you haven't done any programming, a course might be good, since there is more
to programming than coding. But if you just want to learn the language, get the
system installed and grab a book or an online course. (Book is better than course.)
Please take to heart Grandpa Rob's observation that programming is more than coding. Over several decades I have watched young coders who knew the coding language quite well totally screw up programs because no one ever taught them principles of programming, how to develop a program architecture, how to incorporate error checking and other protections. Much of the security mess we have faced for years has resulted from coders releasing code that worked when end user treated the program correctly, but failed, sometimes with serious security consequences, when a user accidentally or intentionally input unexpected content for a variable.
Good software is written by a team with architects and programmers at the top, telling coders what to write for the different modules in the overall program.
Class, who can tell us why we still have buffer overflow problems in commercial programs?
As others have said, you do not have to know programming, or even coding, to pass the CISSP exam, or to do many of the jobs that a CISSP is called for, but it will definitely help you to understand basic principles of programming and how to implement them with a representative coding language like Python.
I agree with what everyone here has posted. Python is a great language to start with and will allow you to become familiar with the main concepts of programming and logic. From there it really depends on what you want to apply your skills to that will determine which language suits your needs best. In my experience, the most difficult part of switching to new languages is learning the differences in syntax. It isn't as difficult as going from say, Spanish to Mandarin but more like switching from Los Angeles English to London English.
I would also strongly recommend working through the book, "The Elements of Computing Systems" by Naom Nisan and Shimon Schocken...aka "Nand To Tetris." This will walk you through the very basic concepts of logic gates all the way through machine code, assembly code, and ultimately programming your very own Tetris game. I think it's valuable to know what is going on "under the hood" when programming.
Whilst any language would teach you something about programming, it depends what you're trying to get out of the effort. You could look at the CSSLP before diving into a programming course, unless you have a lot of time on your hands. Going through the OWASP top 10 and SAN top 25 common vulnerabilities would teach you something if you have some appreciation of programming. It depends if you want to work in AppSec or in a more general InfoSec field.
Coding always helps, always. But you have to be aware of what your goal of coding is before you start.
When it comes to choosing a language there are three I highly recommend
Well, I suggest to learn first of all Java and C#laguages (both, not only one), and the associated best practices. Even if courses are an advantage, the best thing to do is to practice the coding activity. So my suggestion is: start coding for fun. It helps you in facing the logic behind the best practices in security.
I hope you are doing well and would have started learning programming. I am a little late to see your post hence the delay in response. I would suggest learning Python as its one such language that is used for multiple purposes and fields such as (Data Science, System Administration, Automation, Testing, Security etc).
See if you can subscribe to https://linuxacademy.com/, here you will learn a lot about Cloud services from different vendors, Linux, Security and Cloud Security, Python for system administration and lot of other courses.