The Information Security learning landscape. What will you need to be successful?
My name is Yann Santschi, and I am currently the newest addition to the scip team. In this article I want to share my information security journey so far and showcase some of the learning opportunities that we currently have. It is important to note that these are my experiences. It is different for everyone, and there are no partnerships with any of these platforms.
Some articles have previously been published regarding the learning landscape and what to focus on when starting out in information security. Some of the information in this article is based on Andrea Hauser's article "Security Testing – Options for lateral entry" and Stefan Friedli's article "Information Security – three things you need to hear", so it will definitely make sense to read them in advance. This is especially true since this article will not specifically cover things like universities or apprenticeships but rather the self-taught aspect of InfoSec. In addition, this article gives an update on some of the best upcoming learning platforms and learning solutions.
Just briefly, I want to go over my professional experience to give some context for the information that follows. I started my IT journey in 2015 with an apprenticeship at a large Swiss financial institute. I got a great overview of all distinct aspects of IT by having various stages in teams thematically distributed all over the IT field. Afterwards I did consulting with a rather conceptual focus, and now I am back with hands-on technical work. Meanwhile I also started studying information and cyber security in a Bachelor's format at the HSLU. This is where I am currently.
While learning many things by working with them or them being introduced during the Bachelor, I also enriched this experience with quite a lot of other learning tools, people’s knowledge and experiences gathered through trial-and-error.
In short, I agree with my colleague Andrea in her article mentioned above: you will need the following prerequisites:
Since those were already well explained in Andrea’s article, read what it takes in there.
If you do not already have a good IT foundation, you should start by learning about programming, computer networks, operating systems and how websites work. The most important steps in all of this are to apply skills and to have fun while doing it. But how?
Something that also helped me were videos of different YouTubers, which are very entertaining and contain lots of great information. My favourites are NetworkChuck, The Morpheus and Fireship. Only stay with a topic as long as you have fun with it. Move on as soon as you think it is boring. You won't learn more or better by pushing through, but rather by having fun and experimenting with stuff.
Choose the topic first. Then choose your level. It made sense for me to start with Penetration Testing, because I had the most curiosity about it. If you want to start out with that and want to strengthen your understanding of core concepts, you could do some TryHackMe courses. This is a paid learning platform providing many different entry-level courses and introductions to different topics. You can have a free account to access some of the content. They are focused on being beginner friendly and provide a broad range of offensive and defensive courses. A good and free alternative to THM could be the OverTheWire Wargames. They offer slightly more advanced labs, where you do not get too much of an explanation, but you are encouraged to learn about different attacks and problems by trying them out. Depending on the topic you would like to do, you can start a path, and to advance to the next level you will need the password of the previous one. Another great option is the HackTheBox Academy. These courses are a bit expensive, but they are worth it, especially when you want to go further into the CTF realm. The best CTF platform, in my opinion, is HackTheBox. They offer great training with many practical applications. In my experience you will already need some knowledge to be able to get through the learning path. But you will get a great understanding of potential attacks, how to further enhance them and how to defend against them. This was the way to go for me. I am still working on my HTB CPTS Certification. And last but not least, if you are especially interested in webapps, check out the PortSwigger labs. They have exceptionally good explanations and labs on webapps.
If you are even more advanced, you can try to go for the OSCP Certification by OffSec. This certification is a staple in the Information Security space. Or, if you want to go in a managerial direction, I recommend the CISSP Certification, which delivers a very broad overview of all the InfoSec fields.
Some more resources I came across while learning, they are particularly good as well:
And if you are really advanced, you can start out with Bug Bounties on HackerOne; they also have a web security training.
As you see, there are so many different resources to choose from. And there are many more learning platforms, and I'm sure they are great as well. Those were just the ones that I personally used. Just try one and see if you like it. If not, try another until you find one you like. Again, it is all about fun. There is no perfect resource, but the combination of them will make it perfect. The more advanced you get, the more up-to-date you will need to be. Therefore you should start to read about new techniques and try them out. A useful source for this could be our articles as well as other blog posts, and for some reason Twitter or X, whatever you want to call it, is a good source of information as well.