For a while I was doing Governance, Risk and Compliance (GRC) work, but have always loved being a network security engineer, so I went back to that.
Also - I have a CISSP, which opens a lot of doors. I know that it is being knocked a bit nowadays, and there are certainly some who are test-knowledgeable but have no hands-on, common-sense experience. I still find it valuable enough to maintain.
Set up a lab - 2-4 computers and a switch should do (you could virtualize some/all of it) and work on all aspects of the TCP/IP stack if you're interested in netsec.
If appsec is your thing, spend a lot of time looking at good and bad code, plus reading on-line of good and bad appsec.
If GRC is up your alley - read NIST 800-53, HIPAA, PCI-DSS, SANS Top 20 and GDPR - to understand the full breadth of controls and risk mitigation.
As far as data science goes, Python and pandas are all over the industry, R not so much. There is a big push for ML/AI work, but it might be snake-oil; time will tell. I use a lot of Python and pandas for log and flow analysis.
Also - learn Linux CLI; grep, sed and awk can save your butt in most situations. Gray beard stuff will come later.
<edit - word choice>
I would like to add onto this: if you cannot virtualize this and you do not have extra computers, try using Raspberry Pis. You can fully customize them to act as computers (with all different operating systems), servers, super computers, routers, etc.
It's an inexpensive and practical option compared to buying expensive equipment.
There are many different kinds of security roles such as risk, compliance and security reviews (very little programming), penetration testing (programming and scripting to various degrees depending on the work) and security software development (full-time programming).
How good one is at programming would of course usually depend on the individual. In the rest of the software industry, there are all kinds of roles (some of which involve programming and some do not) and the ones that do involve programming have programmers of all kinds and calibre. It is no different in computer security.
I have over 12 years of experience in this field now in various positions where my various colleagues and I have written large security products in C, C++ and Java, as well as smaller security solutions in Python and Go. Most of the time programming is just a means to an end, which is true for many other fields as well. It is usually math, algorithms, crypto, protocols, etc. that are more interesting and that we need to be well versed in, along with being skilled at programming. Also, I would like to share two of my earlier posts around this subject:
- https://news.ycombinator.com/item?id=14873475 (about demand and job prospects in security software development)
- https://news.ycombinator.com/item?id=12545851 (about math and software development in the computer security field)
I might work on improving eventually, it's just not a priority. Any upward trajectory now is going to be from experience and soft skills.
If you are storing sensitive info such as username/password to a TRADING PLATFORM (because the bank -- in this case OZforex -- doesn't have an API that lets you access it without them) what regulations do you need to meet in the USA and Europe? How does one even begin to find this out?
This is for a client of mine. I realize in Europe you'll of course need the GDPR. But besides that, I tried for example to find out whether they need PCI-DSS level 4 but was told by an auditing firm that since they aren't storing CREDIT CARD info then PCI doesn't apply. I am not convinced. But there has to be SOME regulation to protect this data, no?
I would appreciate any info, or if there is a way to speak offline (email you?) let me know.
A Big Four firm is a good place to get started in a GRC career. You'll get pretty broad exposure to the field, and you'll have the opportunity to develop expertise in specific GRC domains.
If you're already working in a regulated industry (especially for a publicly traded company), you may be able to move into a GRC position at your present company. Compliance, internal audit, third party risk management, business continuity/resiliency and disaster recovery are common areas that fall under the broad GRC umbrella.
I worked in various IT roles at a financial services company, and I was able to move into a risk analyst role, then I went to a Big Four firm, and I'm now back in industry.
As far as certs go, CRISC, CISA and CISSP are the most common I've seen among GRC folks, although most of the people I've worked with didn't have any of them.
1. CS Basics (concepts)
Conceptually understand how computers work, how interpreters work, compilers etc. You're probably past this point.
2. Low-level programming
Basically C, but pay attention to the OS APIs (POSIX, Win32). Make sure you understand the fundamentals of memory management, procedures, threading, etc. You need a lot of C knowledge.
3. Networking
You basically need to know by heart all the TCP protocol. I have a friend who's incredibly successful working in security and he knows each bit in each packet in a TCP connection. He can just recite it.
Once you know about networks, start throwing code at them. See if you can push the wrong bits to a switch, or if you can access some other processes network stack, etc.
4. Web standards
Basically, how the web works. Once you're past that: Apache and Nginx. You have to know them in depth.
5. Known threats and vulnerabilities
In this process you'll know that there are many exploited issues that have been resolved. But you should study from them. For example, Heartbleed. Would you have the knowledge to find Heartbleed?
You should also practice with every other security threat known like XSS, SQL Injection, etc.
Depending on the security field, you might not need such advanced networking knowledge; this is just a general recommendation.
This is just my recommendation, I'm more of a purist, and I have a lot of respect for cybersecurity people.
Source: +10 years programming, I have a good friend making A LOT of money as a private security contractor and we speak about this all the time.
> Recommended path:
> 1. CS Basics (concepts) Conceptually understand how computers work, how interpreters work, compilers etc. You're probably past this point.
> 2. Low-level programming Basically C, but pay attention to the OS APIs (POSIX, Win32). Make sure you understand the fundamentals of memory management, procedures, threading, etc. You need a lot of C knowledge.
> 3. Networking  You basically need to know by heart all the TCP protocol. I have a friend who's incredibly successful working in security and he knows each bit in each packet in a TCP connection. He can just recite it. Once you know about networks, start throwing code at them. See if you can push the wrong bits to a switch, or if you can access some other processes network stack, etc.
> 4. Web standards Basically, how the web works. Once you're past that: Apache and Nginx. You have to know them in depth.
> 5. Known threats and vulnerabilities In this process you'll know that there are many exploited issues that have been resolved. But you should study from them. For example, Heartbleed. Would you have the knowledge to find Heartbleed? You should also practice with every other security threat known like XSS, SQL Injection, etc.
> Depending on the security field, you might not need such advanced networking knowledge; this is just a general recommendation.
> This is just my recommendation, I'm more of a purist, and I have a lot of respect for cybersecurity people.
> Source: +10 years programming, I have a good friend making A LOT of money as a private security contractor and we speak about this all the time.
Great answer. Look at an offensive security certified professional course for a basic affordable course that covers all of the above.
Data Science might be useful if you want to work in Security Information Management or in malware analysis: big companies try to identify "weird behavior" in their networks, based on "normal behavior" records.
"Where can I learn cyber security stuff?"
Well, that depends on the stuff you are interested in...
You should focus at first on learning "system administration" and at least a programming language like Python or Ruby. Network protocols would also be a bonus.
Then, if you want to learn "offensive techniques" or "penetration testing", I suggest that you try websites like RootMe https://www.root-me.org/?lang=en or Cryptopals cryptopals.com.
Once you have solved some of these challenges by yourself, you'll be able to try the "industrialized approach" of penetration testing. For this, this book is quite cool: https://www.nostarch.com/pentesting.
If you're more interested in "defensive techniques", you have tons of resources online.
Secure Coding Best Practices:
=> These documents will help you to understand what the main risks in your apps are.
For "general" cybersecurity:
- ISO27001 standard
- The NIST Cybersecurity Framework https://www.nist.gov/cybersecurity-framework
=> These documents will help you to understand what the main risks in an organization are, based on its assets.
Towards that end, just about anything you learn can be applied in some way towards security. The conventional recommendations others have made will get your foot in the door, but ultimately security is a lifestyle of never-ending learning and imaginative reasoning about systems.
So to directly answer your questions, yes, there are links between data science and security (others have mentioned its use in things like malware research, but going the other way it's also important to store your data securely to prevent theft, destruction, or tampering) and you can learn something about information security pretty much anywhere in-depth information about computers is taught. Which information is relevant to your interests will just depend on which aspect of security is of interest to you.
Alex Stamos, the CISO of Facebook, likened the causes of security breaches to a pyramid. The bottom of the pyramid, where the vast majority of security breaches happen (perhaps 80%), is basic fraud: shared passwords, phishing, asking the user to do something like self-XSS. Of the remainder, perhaps 80% of security breaches are done through the more common, more mundane attacks like unpatched vulnerabilities or misconfigurations. It's only a fraction of a fraction of a percent of attacks that are done using zero-day vulns.
As much as what you said is relevant for security, I would argue that engineers think that security is more of an engineering problem set than it is.
(disclaimer: I didn't pass the Capstone project, and never got around to trying it again)
Back then it was free if you didn't need a certificate, may still be.
"Cyber Security Base with F-Secure is a course series by University of Helsinki in collaboration with F‑Secure Cyber Security Academy that focuses on building core knowledge and abilities related to the work of a cyber security professional. The course series is free and open for anyone to attend."
Of course, you can do this freely only in a country that remotely cares about the education of its citizens (e.g. most European countries, where you can go to university for a few hundred Euros per year). Otherwise, the risk of a huge debt is probably not worth it.
You don't need college, what you need is a desire to learn everyday.
This is true, but in my opinion this advice misses the point.
Of course, if you are older and have finally developed this skill, you don't need anything more. However, the questioner seems to be at the beginning of this journey.
Recommending "just learn everyday" is like telling fat people to exercise and not to eat too much. Of course that's true, but misses the point: How to get there?
Having people around you who motivate you to learn, who know and acknowledge what you are doing, and who are willing (and paid for) to help you if you get stuck - this is exactly what young and/or inexperienced people need, and a very good starting point until they are finally able to get along with the internet and nobody's assistance anymore.
* It is neatly packaged, wonderful UX and a little sweetening of humour that makes it palatable to the layman
* It gives code examples that provide a little bit more in-depth exploration for the enthusiastic or aspirational novice
* It has a nice structure such that single exploits can be shared. For example, after a client of ours was hacked via a SQL injection on their website, we were able to show them the SQL injection exercises to demystify the topic a little bit and to make it seem less intimidating
* It's a great go-to starter. When I go to schools for careers fairs, I always give this link out to kids who are interested in security work.
Buy the 3rd edition book (used) and then try the labs as you go through the lecture vids/chapters http://csapp.cs.cmu.edu/3e/labs.html but avoid the 'global edition' as it's filled with errata, or just know there are mistakes.
You will learn assembly/C and also Return Oriented Programming, stack protections and how they work, buffer overflow attacks, implicit casting grenades, cache optimization, how the linker works, etc. Then you sign up for that old Matasano CTF https://microcorruption.com/login
When you complete it, apply to NCC Group, who I believe now owns Microcorruption. Start at the bottom, work your way into a policy/advisory role somewhere else after gaining experience and applying for certs https://ciso.eccouncil.org/ Having data science experience is likely helpful since you can produce shiny presentations that board rooms like to see when you become their CISO.
There are multiple layers involved here and really understanding each one would take time.
Next would come understanding browsers; although a browser is an app, it is a world in itself. How an HTTP request flows through a browser, how an HTTP response is rendered, what the various layers involved are. TCP/IP stack to physical layer, WiFi/USB. It is extremely vast and very interesting.
And once you have gained enough experience, you will be able to clearly see the similarities and differences between various software stacks, both bottom-up and top-down, right from the hardware level to your application's code and vice versa. And then reasoning about the security of the stack at various layers would become straightforward.
In terms of conferences, I find the Black Hat conference (http://www.blackhat.com/) is a very good source for keeping oneself up to date with the world of security (including applying data science to security).
They are hosted by lots of different groups at different levels. There are CTFs aimed at everyone from high school through the DEFCON CTF. This is a directory: https://ctftime.org/
It seems irrational to want to learn how to secure systems when their owners don't care about it (and won't pay to secure them) if the risk can be transferred to other parties. I'm sure there's a few organizations that care if their data are stolen, but by and large it's a cost center, and treated accordingly in my experience.
Now that “cyber” is a thing that can lead to a CEO losing their head, most companies are roughly in the middle somewhere. Sure, there will be a fall-guy and finger pointing, but it’s better to at least not be completely negligent.
“If the risk can be transferred to other parties” - that’s potentially a business avenue OP wants to pursue. AcmeCorp can buy OP's shiny datascienceDefender(tm) network monitor.
A lot of tech-first companies (and don’t forget, some legacy companies are desperately trying to become these) care a massive amount about security, so there is definitely volume of work with people who genuinely want to improve the state.
I read a post with an interesting idea recently: entities are currently treating customer data as an asset, whereas they should be treating it as a liability. If the regulatory incentives are set up such that customer data is a liability, companies will find it most efficient to buy insurance. And no successful insurance company will offer coverage without performing their due diligence. If the hardening itself is not the cost center, but rather the insurance premiums, then the end result may be companies doing infosec the right way, just because it's the most cost-effective thing to do.
There is no replacement for mentorship and getting your hands dirty with real world systems.
I will now shamelessly plug the community I learned the most from: https://hashbang.sh
Data Science can be applied in many different ways. (Somewhat) recently LightCyber was acquired by PANW, and I believe that if you are in data science that may be something that tickles your itch.
If I may give advice, asking a more specific question to a search engine may also get you on a path with additional information. 'Cyber security' is a pretty large umbrella and much of it may bore you while only a small handful is interesting... so try to be more specific rather than say 'stuff'.
I'm sure there are fields where data science is useful, like anomaly detection, malware classification etc.
It’s very hard these days to be a complete and effective generalist in security, let alone be good at a range of security stuff while also being great at data science.
I’d consider focusing on appsec for a year, get a job attacking or defending apps for a year, and then you’ll have a basic understanding of the problem space.
The first misnomer is that there's one security thing. There are several. The offensive security folks (penetration testers) are far different than the advisory folks (think PCI, HIPAA). Vulnerability scanning, SOC (Security Operations Centers), secure development, and more - it's a wide field. The first thing to ask yourself is "what does security mean to me, and what do I want to do with it".
Given the first part of your question, I'll assume you're interested in software-based security (development) as opposed to infrastructure (network security, physical security, systems security), or the offensive side.
On the other hand, if you just want to 'get into security' - then learn a little bit about networking, and go find a job as a 'Network Operations Engineer' or 'Security Operations Specialist'. These are fairly low-level jobs in the security industry, that can serve as entry points, and help you learn about the other parts of the industry in depth, whilst getting paid.
Echoing what @santigobalsuto and others have mentioned.
1. CS - Understand how software works, not just how to code, but how things happen on machines. What are CPU registers? Write some assembly - nearly every single week my staff uses assembly to test an exploit. It's one hell of a lot easier to make a good developer a decent security professional than the other way around - just trust me on this.
2. Take philosophy and propositional logic courses - Good security folks are terrific critical thinkers. They learn to understand what risk means, and how to contextualize it for an organization. In other words the approach to risk and tolerance is completely different for Home Depot than it is for Evernote.
3. Learn Software Testing (not Quality Assurance). Combining this with critical thinking means you can start to pick apart software, even networks, from varying vantage points. If you combine this with your CS knowledge, it can really help you understand how to attack an application, or an organization.
4. Build a lab out of cheap, garbage hardware. For about $300-500 you can get 4 servers on Kijiji that can be used to run OpenStack and VMWare. Get a physical switch, ideally something with a TAP port (but you can replace this with VMWare easily enough). Create VMs, play with things like Security Onion, create and destroy networks - use traffic generators... have a great time.
5. Read about standards - it helps to understand what NIST is for, what CVEs are, CWEs, OVAL. Explore a few vulnerabilities (CVEs), and understand what they are, why they matter, how they apply. Then grab a copy of Nexpose Community Edition, and scan your lab - play around.
6. Rebuild your lab, iterating on what you've learned above.
"What are the best information security certifications?" @ Quora. The problem is that it's a massive list. Even if you pick a short list / subset of this list, it's far too much work to get started.
Honestly, I would join/start a club at your school or in your neighborhood. Find people with similar interests. Work together on a single certification. Start small and target a single subset of "cybersecurity".
Honestly, I would start by trimming down the list by filtering out what you aren't close to achieving yet. If a cert requires access to Cisco hardware or assembly language programming skills, there is no point in working on one of those certs first.
It is hard to overstate the value of the chance to test (and demonstrate) your skills against a live production site.
There's a reason that cyber is used, because you need something to disambiguate it from all the other kinds of security.
Imagine you're a policy person at the pentagon (or equivalent), if someone talks about security then that doesn't narrow it down to all the other kinds of security going on there.
You could use "info sec" but there are agencies who deal with a lot of information which doesn't necessarily mean this space either. They've been dealing with information security since their inception most of which I suspect is focused around people and not machines.
Cyber security makes it clear to those people what you're talking about.
To someone who works in SV and spends all day with developers the context is the other way around, and in that context cyber sounds asinine, and if you talk about security someone immediately knows it's security in your space.
That's my guess at why you tend to see 'info-sec' in the private space and 'cyber security' in the public space.
There's... a company around LA area that does cyber and data science. I would think they apply data science to logs and such to figure out abnormality. Likewise if you count email spam detection as a cyber security thing.
For cyber security, take Network+ or just grab a Network+ book. I believe that's where you should start first in cyber security.