No doubt Python first. (Most of security assessment tools / Frameworks supports python payloads, Meterpretor*). Though, python as powerful scripting support you can found most of the pen-testers community is using python for writing payloads.
There is no single language technology to master the IT Security field. You must be aware of various languages like C to analyze things.
You must be well aware of Security Frameworks and their implementations to identify flaws.
Todd
Software Security TechLead
Python, C, and an instruction set like x86-64, ARM, PowerPC, MIPS etc... Note that such instruction sets are also called "architectures."
Sometimes Ruby too if you're working with metasploit or something.
The reason why these are important is because python is used for the majority of automation and tooling, C is foundational and used to illustrate and perform buffer overflows, return-oriented programming, and to decompile assembly. The final reason why C is important is because the majority of operating systems and APIs are written in C and you need to know OS APIs to better understand how to exploit it or defend it. The instruction set is probably the most important because it applies over multiple different OSes and is also what is generally used in the end to perform malicious activity. For example, "shellcode" is "instruction set code" aka machine code.
The cool thing about information security work using these languages is that you get a wide understanding of how software works. Python is your high-level language, C and asm are low-level. With those 3, there really won't be any other concepts you can't wrap your head around. Contrast that to for example only working in python, JavaScript, and C#. Having to learn C then may be confusing because you wouldn't be used to pointers in the same way you would using C or asm.