In InfoSec, regulations are constantly being changed or updated if you're an auditor. If you focus on application security from a code perspective you'll constantly be learning new languages and frameworks. If you focus on network security, new attack vectors will constantly appear and need to be mitigated based on new services, protocols, etc.
For the non-auditor roles you'll also really need to enjoy puzzles or figuring out the solution to a problem given a non-obvious set of complete information (think multi-variable calculus, you can figure out what X is but not without a lot of work).
I spent most of the past decade in the space. It is fun but it can be frustrating for the technology purist. Business isn't always interested in doing what is the "best security" -- they'll want to do a mix of compliance (which is the practice of security controls to meet regulations a business has to follow -- these may add no "real security" at all when implemented) and then enough security to minimize the risk; not often enough to really eliminate it.
For what it's worth, I found DDZ's Amazon list from this post and was motivated to write my own, which you can see at: http://amzn.to/cthr46
Here is 'infosec' in a nutshell: love computers to death and become as good a developer and mathematician as the upper-division hackers working on core systems software, then give it all up to become a glorified human debugger, co-writing "papers" with bureaucrats and opportunistic, washed-up, fear-mongering have-beens.
The training and experience required is just not commensurate with the glory that can be had elsewhere. Either in developing software, OR taking the other side of the infosec game ..
_Windows Internals_ and _Internetworking with TCP/IP_ were, in a different form, on every Unix sysadmin's bookshelf in the 90s --- as "TCP/IP Illustrated" and "The Design And Implementation of the 4.4BSD Operating System" (both of which are also great books but are now very dated).
The only rough things on this list are _Network Algorithmics_, _Computational Structures_, and _Surreptitious Software_. None of them are required reading to get started.
I really wanted to add books on signal processing, RF, linear algebra, program trading, and compression, but I thought (a) it would sound self-aggrandizing and (b) there's no end to the domain-specific books I might inevitably end up adding.
For someone new to the industry (rather, 'scene') I think that booklist will take ~2 years just to grok. For an experienced hacker, especially one coming from systems programming, compiler hacking, binary analysis, emulation, or cryptography, especially one who spent his youth dipping into actual blackhat hacking and reversing, the industry has absolutely no appeal. You can make more money writing an optimizer for an ARM processor for one phone model than you would working in the security industry.
My position is: security is not worth it, unless you're some government MCSE who ends up sent to seminars and conferences on Wireshark and IDA Pro. Infosec is churning out doe-eyed nobodies faster than Clown University. The people who actually matter, and make a difference, earned their stripes hacking out of their parents' basement in their teens.
You probably should add these anyway! I for one would find it useful.
I used to work in government. It seems like everyone got degrees that made them qualified to run around chasing people about passwords. IDA Pro? Buffer overflow? Out of the question. They collected a paycheck and that was it. Infuriating.
Edit: maybe more poignantly, those people you reference are 'Information Assurance' or 'IA' professionals (mostly with titles that reflect this, such as IAM or IAO).
IA is part of the CND section of CNO - the 'fun' stuff is in CNE/CNA.
For more: http://en.wikipedia.org/wiki/Computer_network_operations
There was also some discussion of this article on Reddit. Readers might want to check out some of the comments there:
This is what I'm doing starting August and it is a lot easier than getting into the industry, since they are even worse in their prerequisites than the rest of the IT industry, at least in Switzerland (I saw one that said "20 to 22 years old, CISSC and 5 years of industry experience").
Long story short: I might not waste my time with professors. Get out of the building and into the real world!
Since you go to NWU, you're in Chicago. You should come to Chicago OWASP. Matasano's Mike Tracy coordinates it.
(Backstory for the rest of you: Aspect "sponsors" OWASP in some manner --- I'm not clear on how --- and drama like this is why CitySec has a no sponsors rule.)
I definitely plan to--Shamiq has mentioned it in the past, I think. Full disclosure: the reason I mention it is because I was hired by Jeff Williams as a cross Aspect/OWASP intern my junior year of high school. I, obviously, take no credit for anything, but I do know that Jeff et al did put significant time and money into the project.
I don't know anyone from Aspect and they haven't contributed to the class in any way.
I'm well aware of OWASP contributions to web security, I'm actually a board member for the NY/NJ chapter (http://www.owasp.org/index.php/NYNJMetro). If I had a good reason to cite them in this instance, then I would.