What skillsets are required to be an expert in the cyber security profession?
Which programming language do you think is best?
Where should the focus be, on servers or networking?
Server and networking both, as there is a lot to cover in both the services and infrastructure. But if I have to make a choice I'd go for learning the services from RFCs, and its dataflow.
Strategic Planning, Organizing and Execution.
I feel it depends which area of security you really want to be in. In terms of expertise, I would categorise security professionals based on their preference of security areas. The ISC2 CISSP exam domain is a prime example of areas you could choose as a profession and develop your skillset accordingly. Talking from a CISSP point of view, I feel that you need to have skills that match your job description, the industry you're already working in or the job you want to be in. However, I personally feel that you need to have deep knowledge of everything and should always be thinking security and applying your knowledge to bring security improvements and awareness. I would say policy writing skills are a great starting point to build on a successful Information Security programme.
To answer the second part of your question, I would again say that it depends on the individual's preference. If you want to get into penetration and software testing then yes, I would say probably start with Python scripting. But if you want to get yourself involved in a security leadership role then I would say not to waste your time. Having said that, I have great faith in learning and I believe that any extra skill helps you in one way or another. Organisations prefer individuals with multiple skillsets, with some requiring knowledge of programming languages, Linux scripting etc. I would say you need to evaluate your strengths and weaknesses, where you want to be in security in 2 years' time etc., and then take things from there; don't just rush into learning something without having a clear direction.
I have professional qualifications in Networking and did server and system admin stuff at Uni. At work, I work closely with both the system and network admins. I feel that it definitely gives you an edge over other professionals. As I said, having extra knowledge is always beneficial in security as you can advise the teams better to improve their security posture. There are tons of resources available online freely, so if I were you, I would focus on both the networking and server side of security.
No offense, but there is no way any one of us can be an expert in information security. That's like saying you are an expert mechanic but never touched a Lamborghini before.
Security is such a wide, broad industry, from physical security, server and network security, architecture, threat and vulnerability management, policy and gov, etc., that it is practically impossible to be an expert in all areas. That said, you can definitely be an SME in a few areas or specialize in one preferred area.
In terms of programming languages this almost has no relevance unless you are looking to get into pentesting. (eg. Someone responsible for compliance doesn't need programming experience). If pentesting is the route then languages like Python, Perl, PowerShell and C.
Despite my 25 years of IS experience I am unable to give a simple answer to the first question.
All depends on the security domain that is your target.
A pentester does not do the same job as a server hardener or someone creating security policies.
As in construction, an electrician or plumber will not have the same tools, some will be shared, others will be specific.
For many security areas, scripting tools are useful.
For the second question the focus could / should be the data rather than server or network.
Servers are used to calculate or store information.
The network is used to transport information.
Radioactive material or frozen food are not stored or moved in the same manner.
You must first know what you are handling before thinking how to store or transport it.
Confidential data must be protected and encrypted at rest and in motion.
Public data does not require the same level of protection.
In so far, what I have seen, Security is SUCH a BROAD topic, with one domain overlapping into another. I believe to be an effective security pro, you HAVE to know MOST general topics, i.e., pen testing: if required, you SHOULD be able to perform an efficient pen test to secure an environment, without needing to be an OSCP.
Not only that, how about securing a PHYSICAL environment? Building access?
You cannot be narrow focused, as being a security professional, you will be more valuable and depended on to make recommendations and secure ALMOST everything.
Does it hurt to know some Python? Of course not, but do you have to be an expert? I don't think so.