"Only the autodidacts are free." ― Nassim Nicholas Taleb, Antifragile.
This page contains our recommendations on online resources and material covering the different modules of our curriculum, which we feel constitutes a solid foundation for a career in information security. It is just one path to knowledge, mostly tested, and mostly reliable, but it's clearly not the only path. You don't have to be "perfect" on the topics covered here, just make your best effort and ensure that you don't neglect any of the sub-modules listed. You are encouraged, in true hacker spirit, to make adjustments and changes so that the process fits your personal requirements. Make this work for you.
Self-education can be an extremely efficient way of acquiring skills, and is greatly aided by the current availability of learning material, whether in the form of MOOCs or other online resources. In a sense, self-education is not informal education; it is merely education that takes the form of an individual student, rather than an institution or an education system. Autodidacts have made significant contributions in a large number of very diverse fields and we feel that the trend is likely to grow.
In order to successfully prepare yourself for a career in Information Security, you'll need some key elements:
For someone who is completely clueless in all four modules, the entire curriculum would probably take (and that is a very unscientific and rough estimate) 2000 hours to complete. This would include approximately 1000 hours for the Computer Science material, 500 hours for the English module, and 250 hours for each of the remaining two modules. For reference, there are 8760 hours in one calendar year. If you were to work for 5.5 hours per day without missing any sessions, and you were able to stay focused and acquire everything you were learning during these sessions, you'd need one full year to complete the curriculum.
The first thing you should do is a self-assessment on where you stand on each of the four modules, as well as in their sub-modules. Following the self-assessment, which you may and should tweak whenever needed, you should make your own self-learning schedule to match your own needs depending on how much you want to invest in this effort, and how fast you want to make yourself ready.
A note here: It is our humble opinion that you should take your time to educate yourself, and not rush into it, expecting instant gratification. If you are impatient and push yourself too hard, you are more likely to learn superficially, make mistakes, dislike the whole process and burn out early.
Let's discuss two testcases.
TESTCASE I: You are a self-taught Python developer with a chemistry degree, a native English speaker and an avid winter swimmer. You are fascinated by the world of Information Security and want to pursue a career in the field. Being a native English speaker and a serious amateur in winter swimming, i.e. committed to it and having done it for more than a year, you are already crossing out these two modules from your learning schedule! This means you'd need to focus only on Computer Science and Information Security. As a self-taught programmer, you'd probably be already familiar with many of the key CS subjects and would just need to study those you are not familiar with. Assuming that you are only fascinated by Information Security but have not learnt anything about it yet, you'd probably need to invest the whole 250 hours on the Infosec curriculum.
A time investment of 600 hours (350 on CS & 250 on IS) would be a reasonable study plan in your case. Assuming 3.5 hours study time per day, you should be ready in six months.
TESTCASE II: You are a fresh University graduate having just completed a 4-year Computer Science degree in a public University. You have a strong interest in Information Security and are an independent English user with a passing interest in Chess. You've already done plenty of hackme challenges and have your own GitHub repo with Python scripts to automate security testing tasks. You are comfortable using Linux and POSIX. In your case, you'd cross out the entire CS & most of the IS module as well! Many people in your group are disproportionately developed in their English communication skills, in the sense that they are fluent in reading and writing but have a fairly hard time with talking and listening. You may be sceptical about this, but unless you manage to secure a job in a basement as a security researcher, speaking and listening will eventually be necessary to you. You should also invest some time in chess! Your analog interests will help you tremendously in the long run.
A time investment of 300 hours, distributed equally between English, Chess & IS would be a reasonable study plan in your case. Assuming 3 hours per day, you'd be ready in slightly more than three months.
Make sure that you track your hours, and that you keep notes from your studies. If the notes are electronic it'll be easier to update and reorganise them.
In order to work in information security, you must speak English.
Almost all communication and material that you will come across will be in English, including the material that we recommend to you here. This means that you must acquire the English language as a matter of priority. This includes reading, writing, listening and speaking the language. The goal here is not to gain complete mastery of the language, but to be an independent User (B2) who will be able to communicate efficiently, both in the consumption (reading & listening) and the production (speaking & writing) department.
Do your self-assessment first. What gives you most trouble? Listening? Speaking? Writing? (We assume that it's not reading). Take these answers into consideration and make a study plan. If you are similar to a very large number of IT geeks who spend countless hours reading and writing but rarely speak or listen to English, you'll want to invest more heavily in the two latter subjects. A few ideas on how to practice:
You must understand the building blocks of Computer Science before you can attempt to secure anything at all.
We'd like to point you towards the excellent resource Teach Yourself Computer Science, kindly compiled by Oz Nova and Myles Byrne. This guide contains all the core areas you should work on, together with high-quality resources on books and other material, in most cases freely available on the web. The baseline time investment for each of these nine topics is 100 hours, which means the whole "teach yourself CS" project would require approximately 1000 hours, but it is unlikely that you'll be completely clueless in everything CS related. See which topics you are already familiar with and tweak your learning schedule as required. If you are a math and programming wiz, skip these two modules completely and focus on the remaining subjects.
The goal here is to gain familiarity in several core areas of Information Security, and spark your interest even more in the field.
You can do this with the assistance of some MOOCs. At the time of writing, all these courses are freely accessible in "audit" mode, i.e. you'll be able to see most of the course materials for free, but you won't be able to submit certain assignments, get grades for your work, or get a course certificate.
For a newcomer with no familiarity at all with these areas, we'd recommend investing 50 hours on each of the subjects listed below. The MOOCs are designed to take 20-30 hours each, but, bundled with any exercises and additional study material that they point to, they should easily fill up 50 hours each.
- Software Security: This is a good course from the University of Maryland teaching you some key concepts about software vulnerabilities and how they occur.
- Cryptography: A very good primer on cryptography from Stanford. Cryptography is the foundation of a surprisingly large number of elements in Information security, and, quite often, the only reliable tool we have.
- Cybersecurity Roles, Processes & Operating System Security: From IBM. This one covers several interrelated concepts around Operating System security.
- Network Security & Database Vulnerabilities: Another one from IBM, covers well the key concepts on two important areas of computer security.
Lastly, we recommend that you use the last 50 hours of the total 250 IS hours to study a topic of your choice as long as it's related to information security. It could be, for instance, blockchain security, legal aspects of cyber security, ethics of infosec, cloud security, mobile security, standards and policies, digital forensics or anything else that you are interested in.
Again, adjust your schedule here. If, by some bizarre twist of fate, you are already an "expert" in Cryptography through your own independent studying, you are welcome to skip the crypto course completely.
An analog interest
It's important that you invest time in something that's interesting to you, and irrelevant to technology and computers.
You may be sceptical as to how this will be useful to you in relation to information security. We can tell you, based on our experience in the field, that in all likelihood your hobby will be equally important to your technical skills throughout your journey in information security. Perhaps one way to see this is that, through your analog endeavours, you will learn to decode and understand a completely different realm and your brain will become more agile. Alternatively, you may also simply perceive this as your break from all things digital; the time buffer you give yourself to internalise and achieve a deeper understanding of all the cool things you are learning in infosec. Try to trust us on this: the skills you acquire in the non-digital realm of your choice will be extremely useful in information security. And the more your hobby interests you, the less it will feel like working.
Your interest could be literally anything as long as it is a clearly defined discipline, and you are committed to it. It would be preferable, for your own mental health, if your interest is not dependent on a device screen; however we do realise that, as more human activities get digitised, traditionally analog endeavours like studying history are done with the assistance of a screen nowadays. So be it.
That's all! What do you think? Do you see yourself as ticking most of the boxes already? Do you have areas you are particularly weak at? Do you have any comments or questions you'd like to address? Do you need help with something? Just ping us! If you feel you are ready to talk to us, please send us a CV & cover letter. You may also want to familiarise yourself with the assessment process in the meantime.