
Ask HN: Starting a career in security at 40? - johnnycarcin
For the security folks out there, what is the market like? How much weight is put on having some of the various certifications out there?

I have always had an interest in security, especially the red/blue team side of things as well as the forensics area. I have spent my entire career in the world of sysadmin/SRE/shitty dev however so nothing on my resume shows "security". The last couple of weeks I have been looking at some of the certification classes and... wow, they can get pretty crazy. The SANS online stuff is like $6k per course!

Being close to 40 and making six figures (not a brag, just using it for background) I am worried that it's too late to make the jump and still be able to provide for my family. It seems like a pretty big risk to drop multiple thousands on certifications only to start at a salary much lower than I currently have. I'm not willing to impact my family by taking a potential 50% pay cut. I realize there are risks with any kind of career change, I just want to make sure I'm not going into this blind.

Does it make sense to go after some of these certifications, even if they are not from SANS? Is the security world hiring and paying well these days? Am I looking for too much and should just accept the fact that a major pay cut would be part of the process?

TIA
======
tptacek
You'll do fine.

Don't waste time with certificates. They mean fuck all in the industry. Any
job that cares about them is a job you don't want.

Try to get some clarity about _what part_ of security you want to work in. All
the subfields are open to you. Do you want to do operations work? Do you want
to exercise your software development muscles? Do you want to work offense or
defense? My advice might be different depending on the answers to those
questions, but no matter what you want to do, you should be fine.

~~~
jypepin
Do you have any resources / direction to give to a software engineer who'd
want to learn more about security?

As a full stack web engineer I feel like I know nothing about security (just
like most people) and I'd love to have more knowledge about it, even maybe
work on this.

I have a small design and engineering studio, and might be interested in
getting into that kind of services, if I discover that I get interested in
this enough.

~~~
haasted
One option is to go through the security stackexchange and/or the cryptography
one. Pick a tag, sort by votes and go through the questions and responses.

[https://security.stackexchange.com/](https://security.stackexchange.com/)

[https://crypto.stackexchange.com/](https://crypto.stackexchange.com/)

------
loteck
I get the sense the biggest obstacle to your career pivot may be the
circumstances of a typical 40-year-old. You probably have bills to pay and a
lot of responsibilities that consume your non-work time.

The transition to the roles you've mentioned may require a significant period
of unpaid, expensive self re-training, and if you want that re-training to end
any time soon, you will want to spend a lot of hours on it. Can you handle
those two things?

Here's an interesting tale of someone younger than us who took a path into
security from zero.[0]

[0] [http://blog.mallardlabs.com/zero-to-oscp-in-292-days-or-how-i-accidentally-the-whole-thing-part-2/](http://blog.mallardlabs.com/zero-to-oscp-in-292-days-or-how-i-accidentally-the-whole-thing-part-2/)

~~~
imdsm
This was my thought too. As you get older you tend to add more and more
responsibilities: children, debts, and these require that you both work and
don't work too much, meaning that the time you can truly spend on a new avenue
is quite low. That's the true challenge, I think.

------
hazmazlaz
Security has a large number of unfilled positions currently:

[https://cybersecurityventures.com/jobs/](https://cybersecurityventures.com/jobs/)

[https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/](https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/)

[https://www.ziprecruiter.com/blog/cybersecurity-jobs-are-skyrocketing/](https://www.ziprecruiter.com/blog/cybersecurity-jobs-are-skyrocketing/)

and security jobs tend to be slightly higher paying than other IT positions.
With some certifications and a few years of experience you have a good chance
to be making a comparable salary to your current one.

SANS tends to be on the high end of cost for certifications. Look into the
following organizations for more options:

ISACA

ISC2

EC-Council

A background in IT and Dev is highly valuable for Security jobs. You will find
that many of your current skills are applicable.

Look at job postings in Indeed, LinkedIn, etc. job sites for roles that
interest you and look at the certifications and experience they ask for. That
will help guide your investigation into what you need to qualify.

(I have been working in the security industry for the past 10 years in various
capacities, caveat emptor etc.)

~~~
toomuchtodo
You can almost double your total comp overnight going from a devops/infra role
to an infosec role. If you're in ops, get out of ops and go into security.
More money, no on call rotation, better career trajectory.

~~~
deadmetheny
>no on call rotation

In my experience that hasn't been true at all, but the rest is definitely
accurate.

~~~
toomuchtodo
Probably true for pen testers, forensics, or immediate response. I refer to
architecture roles. I don't do on call anymore, my family comes first.

~~~
deadmetheny
Ah yeah, that makes sense (as an aside, I am jealous and hope to get there
someday). You'll almost certainly have on-call in ops, which is what OP seemed
to be most interested in.

------
trash_panda
First of all: what in particular do you find interesting about the security
field? Are you more interested in the offensive or defensive side?

I guess that given your background, the smoothest transition will be to
something like application security engineer/devops security. There is a trend
where companies are hiring developers who also know security, to be part of
the dev team. So any bug that has an impact in security will be fixed by this
role. Also, the new architectural landscape (cloud everything) is really
changing the game, and having expertise in these solutions from a security
perspective is a very valuable skill.

I don't know of particular certifications for application security or
"DevSecOps" that will help you. I know that, for example, in your situation
CISSP is not useful. CISSP jobs are mostly boring.

If you're interested in the offensive side, then the OSCP certification is a
good bet; it shows that you understand and are able to execute a simple
pentest. It is a well regarded certification and it will mostly make up for
your lack of professional experience in the subject.

In conclusion, you're making good money right now; unless you're really bored
and unchallenged, I'd start getting into security as a hobby, and see how
you can apply what you learn on your current job. Maybe you can even change
roles where you're at. But try to use your current experience and give it a
security twist, so you can then build on your experience instead of trying to
make up for the lack of it with bogus certifications.

~~~
johnnycarcin
Appreciate the reply!

With regards to what do I find interesting, honestly I would put offensive at
the top of the list but I do have interests in the defensive side as well as
the malware analysis. I am, what I believe, a "problem solver" by nature so I
enjoy the idea of being given some unknowns and being told to go figure it
out.

~~~
trash_panda
Of course, you're welcome. I forgot to address the salary question. Six figure
jobs are common in this industry, but experience is required to get those
jobs. I don't personally know of anyone that did the change at your age, but a
good thing is that (unless you want to go enterprise or government) the
industry is not too demanding on formalities, a lot of people don't even have
degrees. It's a field where it's easy to detect if someone really knows what
he/she's talking about. And if someone is useful and helpful, nobody will
really care about your experience, academic history, etc.

If you're interested in stuff like malware analysis, then you could start
doing it as a hobby and maintain a good blog where you explain all your
analysis as you learn.

~~~
tptacek
I can easily offer an existence proof for "six figure jobs" in security that
do not require previous experience in security to obtain. I don't think we're
that far out of the mainstream.

(We're not competing with FAANGs for compensation, but that's not what "six
figures" means).

------
kapilartistry
In order of appearance of '?', here are my responses:

1. Market is pretty hot and you will get multiple choices to pick from the
available offers.

2. Certifications have very little to do with the job (Full Disclosure - I am
currently maintaining CISSP, CCSP, GWAPT, GMOB certs). That being said,
sometimes HR/recruiters use these for filtering candidates. You can look at
the Security+ certification to get a feel.

3. It will make sense even if it's not from SANS because people who have done
SANS know that a) SANS is very expensive b) it's an open book exam c) it does
not involve hands-on. For that matter, if you go after the coveted OSCP, then
people will understand that you have hands-on skills.

4. You should get equivalent or more pay because the market is hot. Most of
the earlier security professionals came from a SysAdmin/Dev background. You
have a better understanding of how systems/apps work, so it will be easier to
break them or identify vulnerabilities.

There are several blogs (e.g.
[https://tisiphone.net/category/security-education/](https://tisiphone.net/category/security-education/))
available to find a learning path for security, so check them out. Self
learning is the biggest skill that you will need.

PS - Started my career in Information Security 9 years back, right after
coming out of school

------
bobmagoo
It's a great time to be in security, definitely a job seeker's market. I've
been in security for ~8 years now and don't have any certs and don't see a
whole lot of value in them unless your employer/clients require them (some
consultant or government shops do). I place a much higher value on knowing
your stuff and being able to earn the respect of other engineering teams when
helping them understand more secure ways to build what they're trying to
build.

Some of the best security engineers I've known came from a network engineer or
sysadmin background. So don't worry if you don't have a "masters in security".
I'd spend some time thinking about the last large system you built. How would
someone attack it? How would you detect those attacks? What would you do if
they were successful? How could you have architected around those weaknesses?
If doing that seems like fun, my team is hiring in Seattle, feel free to drop
us a message at prodsec-recruiting@tableau.com

~~~
walrus01
Senior network engineer for an ISP here, when you have a network that spans a
number of states and provinces, it inevitably develops a huge attack surface.
Designing security features into the network is part of modern network
architecture, the two are inseparable these days. There's obvious concerns
about endpoint security (individual servers, VMs, etc) and then different
considerations for network security of routing/switching/WDM/millimeter wave
equipment at POPs.

A lot of equipment used by ISPs is barely protected at all, from what I've
seen of other peoples' networks. There's a lot of things out there like
temperature monitoring devices, UPSes, rectifiers, HVAC controls, security
card readers/relay controls, generator monitoring control systems that run
ancient shitty software, which the vendor will never patch. People spend a lot
of time isolating these things in special management networks because the cost
of replacing a big rectifier system at an older POP cannot be justified.

I would say that for somebody that wants to get into a dedicated security
role, without having specifically studied netsec stuff in detail, the best
background to have is a mixed balance of first/second-tier NOC, network
engineering, and general Linux/BSD sysadmin knowledge.

~~~
jfolkins
As someone who used to be a senior engineer for an ISP, shout-out to all the
STBs with hard coded admin creds :-)

~~~
walrus01
Shout-out to everyone who's ever worked for a large to mid-size ISP, that has
acquired and eaten/digested a smaller ISP which has already existed for 12, 15
or 20 years... _So much_ weird legacy gear in weird locations, doing weird
things. _So many_ SDH circuits and OC-whatever transport systems.

~~~
jfolkins
HAHA Are you me? This sounds creepily familiar...

~~~
walrus01
Seems to be an endemic problem, maybe if zayo buys everyone else no one will
experience it again.

------
secatron
I started my career in security at 35, a few years ago.

I had a strong reverse engineering background from the software development
projects I'd worked on professionally, and had dabbled in security-related
things in my free time, so certifications weren't required.

It has been a pay increase rather than a pay cut, but I think that was partly
due to moving location. I've had two jobs so far, and no shortage at all of
offers when I was looking.

Having significant prior software development experience has been useful.
About half of my work so far has been writing tools to assist vulnerability
research, and the other half analyzing and discussing security bugs with the
developers responsible for making the fix, so having this background has
helped in both of these. But it depends what area of security you're aiming
for.

I would say go for it, put your resume out there, if you've done anything at
all even tangentially related to security in your working life then you have a
good chance.

To be honest, I didn't think I had a chance compared to all the elite hackers
and researchers who've been doing this sort of thing for years, and was
surprised it all worked out.

~~~
green_sec_eng
Hello, can you provide an email address where I can contact you? I am very
early in my career but it seems we've had similar paths and I would like to
ask you some questions.

------
griffinmb
I made the switch from web development to security a few years ago and
initially took a 10-15% pay cut. I didn't get any certs and wouldn't
necessarily recommend them. Instead, I joined various bug bounty programs to
get practical (and resume-lite) experience.

Having implementation experience (via webdev) in addition to the bug bounty
experience was a plus when I was interviewing.

If you're in a tech hub like SF or NYC there is plenty of security work. But,
yeah, I would expect some kind of a paycut since you are moving from a
(potentially) senior position to an entrylevel position.

~~~
eganist
> Having implementation experience (via webdev) in addition to the bug bounty
> experience was a plus when I was interviewing.

Hiring manager here. Assuming you successfully demonstrated these skills
during the interview process, the pay cut probably shouldn't have happened.

~~~
temperfidelis2x
A minor pay cut can happen for various reasons. There is not enough
information to say it should or shouldn't have happened.

~~~
eganist
Absolutely true, hence the assumptions. It also assumes the OP's prior pay
wasn't atypically high e.g. to fill a very specific need such as self driving
computer vision refinement.

I wouldn't consider a 10-15% dip a "minor" one, though. That's consistently
tens of thousands of dollars in the top ten US metro markets for these roles.

------
wglb
I was significantly older than 40 when I entered the security field after a
career in development and technical management. I would consider this phase of
my career successful.

What has worked for me is a burning curiosity about security, software and
things that go crash at night. And a desire to learn.

Two books are very helpful--The Art of Software Security Assessment, and the
Web Application Hackers Handbook. There are many resources available on the
web--CTF exercises, post mortems, instructive blog posts, scary news feeds,
free tools.

After getting into security as an application security guy, I ended up with a
gig that enabled me to build a team of 15, none who had previous security
experience, none of whom had or were expected to get certificates. The team
did (and is still doing) some terrific things, and now has expanded
responsibilities.

So look for jobs that give you a work sample product test and don't require
certificates. Make your own learning plan.

------
k4ch0w
If you get the CISSP and are a good manager you will most likely end up
triaging bugs and not actively testing. This is a complaint I have heard from
new members on our team. Security isn't always sexy, and people actually get
pissed off at me for breaking shit and halting releases. At the end of the day
too, no one gives a shit if I break into a box, they just want me to tell them
it's secure enough today. It can be a thankless job sometimes.

You don't need a SANS class, they can teach you a lot but there are places for
newbies that get more for much less. It's better to get a job and see what
they need you to do on a daily basis, then choose a SANS class to get better
at that specific skill. I'd just put your resume in now as a sysadmin and see
what happens. We hire plenty of people with devops/sysadmin backgrounds and
teach them as we go.

Certifications are pretty much not required. Some are seen as a joke and will
actually get you weeded out if they are on your resume.

Compliance is very... very dull and is seen as a joke to serious security
folks because the bar is set very low. I would say avoid this completely if
you want to enjoy coming to work. (Sorry for compliance folks out there)

Six figures is common for a lot of people on here. Security makes more than
some software devs depending on your skill level and company. I don't know
what you do now, but you would most likely be matched or higher depending on
how strong your skills are.

I'd say the hardest thing is you always have to learn new technology and keep
up to date with the latest trends. CI/CD pipelines, containerization,
blockchain (rolls eyes), cryptography, different cloud environments, smart
phones, cars, etc. You will almost definitely encounter something you have
never seen before and need to learn as much about it as possible in order to
secure it.

------
typicalrunt
40 is a great time. In fact, I went down a similar path.

Now that you've done your share of sysadmin, SRE and software development, you
can see how things can fail. That's the heart of security. As tptacek advises,
choose an area of security to focus on and go down that path for a while.
You'll find you will want to go further or jump to another path, but security
is a great thing. The world is going to need more security-aware people and
you can be at the forefront of it.

My current security focus is holistic defence of data flowing from customer to
company. The whole SDLC lifecycle. It's fun but super challenging because it
focuses on changing human mindsets and behaviour, but my Dev and ops skills
are essential to my technical success.

And certs are useless on their own. Don't do certs unless you can specifically
get something out of it. Your work experience is much more valuable than a
cert at this point.

~~~
jrumbut
If you don't mind, I would love to know how "changing human mindsets and
behaviour" and "Dev and ops skills ... technical success" go together for you!

Is your goal creating a development process that leads to a secure system, or
securing a system made by an existing process? How much code do you write?
Maybe some tasks you've enjoyed or a typical day would be great.

I say this because, while I've never had or wanted a title that included
security, as a dev I often find myself looking at "holistic defense of data
flowing" and attempting to improve the situation. A role based on that concept
is interesting.

------
runjake
Allow me to disagree with tptacek a little:

The OffSec Penetration Testing with Kali Linux (OSCP certification) is
excellent and outstanding and cheap.

[https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/](https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/)

While the course itself is $800, you'll most assuredly need another 60 days of
lab time for the certification. I think all-in-all it cost me $1,500 for
everything.

The course material is excellent and wide-ranging and very hands-on. If you
have a family, it's a serious investment of time. It put a serious dent into
my night time hours for a couple months.

The OSCP certification is widely-respected and not just a "paper
certification" like some of the others (C|EH). Lots of practical skills. Great
stuff.

~~~
arkadiyt
I'm just one data point but I'm a hiring security manager and if someone had
OSCP it would mean nothing to me.

~~~
tptacek
~Same. I expect in the most charitable case it means about as much to infosec
hiring managers as bootcamps do to developer hiring managers.

~~~
PeterisP
What _are_ you looking for in that case? I mean, in the absence of previous
experience doing the same thing.

The way I look at it, people come into technical security either from
operations or development backgrounds, but it's hard to distinguish someone
who has the required skills from their years in dev or ops from those who have
managed to do their core work so _without_ going into the relevant details;
their CVs are going to look pretty much the same.

A hobbyist might have practiced on some CTFs or vulnerable machine challenges,
but unless they have e.g. won some bug bounties or gotten some CVE
disclosures, then that won't be really visible on a job application. If
certifications aren't considered relevant by security hiring managers, what
is?

~~~
souprock
Things that would count:

You wrote a compiler, kernel, emulator, firmware, or boot loader.

You wrote a small demo, such as 4096-byte or 512-byte. Like this:
[https://en.wikipedia.org/wiki/Demoscene](https://en.wikipedia.org/wiki/Demoscene)

You have hand-optimized code via assembly language.

You have debugged software with a JTAG device or a digital logic analyser.

~~~
pvg
Why would those things count more or less than other things? It seems more
like a list of things you think are neat but trying to guess what a resume-
reader might think is neat seems like a game with very poor returns.

~~~
souprock
Well, those things fit the job I posted:
[https://news.ycombinator.com/item?id=18358038](https://news.ycombinator.com/item?id=18358038)

The common feature is low-level experience. Somebody should be comfortable
with assembly and related things.

It's true that not all security jobs are the same of course, so there will be
plenty of places wanting other stuff, but I don't know about those.

~~~
pvg
Ah that makes sense but then those things would be useful when applying for
your specific job rather than things that would be useful when looking to make
a specialization switch and are wondering whether certifications are useful.

------
deadmetheny
You're not likely to have much luck jumping straight into the R/B team
pentesting or forensics world without either some practical experience or
certification. With a firm tech background I can imagine you can re-train into
a slightly lower position on the security totem pole pretty easily though.
Certs can be a mixed bag - pretty much everyone knows they don't actually mean
a whole hell of a lot other than a basic grasp of the concepts, but some
places will still use them as HR filters. SANS exams can be helpful and are
not particularly difficult, but as you said, are very expensive. I'm not
really sure what current pay rates for sysadmin type work are, but I wouldn't
expect that significant of a pay cut, if you encounter one at all.

Security as a field in general is definitely hiring, though. You'll almost
certainly be able to get a job pretty much anywhere in a large variety of
companies. For example, here in the Midwest there's a lot of health providers,
insurance companies, and banks that have plenty of positions available at
locally competitive rates (though bear in mind this exists outside the SV wage
bubble) and they generally do not have any qualms about hiring older folks.

------
john37386
I come from a similar background as you and I've done CISSP from (ISC)2. I
always thought it would be useless as I thought that I can't learn new stuff
because I am sysadmin/SRE/shitty dev.

What I observed from a sysadmin/SRE perspective vs pure security team is that
we speak 2 different languages. We often clashed with them and it brought
frustrations on both sides.

The material covered in CISSP is very broad and not deep. I've done it on my
own and I saved $6K. The book costs $80 and it takes 3 to 6 months to
complete. The exam is a real bitch though! Be sure to be very prepared.

In the end, it's the best move that I've made in my career and I can now
speak with the Security mafia.

~~~
_-david-_
Which book did you get?

------
jfalcon
My career arc is much like yours but at the same time I grew up wearing a
greyhat much like how my beard is becoming: black then with time white was
added. Most employers value security and actively encourage any efforts in
increasing their security posture. Are there not efforts in your current
career to "scratch the itch" so to speak? I would agree with many that certs
are worthless unless you intend to work as a third party auditor but being
able to "talk the talk and walk the walk" matters more.

------
ninegunpi
Background in infrastructure is the best you can have - you will be far ahead
compared to many newly educated ‘security engineers’, knowing the application
domain.

What I would think about if I were you (was so 15 years ago - started as a
systems engineer in telco, although I had been playing around with systems since
childhood) is to try and capitalize on the knowledge you've got - pick an entry point
to the security market as 'security for X', where X is the type of systems you've
been administrating. This way, you'll have a solid base of problem domain
experience, and will be able to easily associate new learning material and new
work challenges with experience you've already got.

Security is a huge domain of knowledge - being able to bite it with digestible
chunks is crucial not to turn into another checklist drone or certified skript
kiddie.

------
netman21
I was 36 when I got into security and have never looked back. The fastest,
most lucrative route to security is through a role at a vendor. Start to get
involved with security at your current job. Get to know the security team.
Work on a project with them. Get to know the sales person from an up and
coming vendor. Ask him/her about an SE role. You can easily clear six figures.

------
Spooky23
Find complements to what you do now that are security related and move from
there. If you do devops and SRE, you’re a practitioner in security.

To the right organization, someone with your operational and Dev background is
super useful. Many security orgs came from a policy background and have
challenges because they lack experienced operations or dev focused people.

Make sure that you understand what you want to do. Map your experience to the
appropriate security lingo. Understand the core concepts in NIST 800-53.

A lot of the material you’ll find on the web about the industry is consulting
focused.

------
hinkley
Just an anecdote. I took an opportunity to break into security at 35, with a
company that was willing to take a risk on a guy who showed up with a bit of
knowledge and a lot of confidence.

I did good work, but expertise was thin on the ground. I discovered that while
I like the subject matter a great deal, I didn't like the chain of
responsibility at that organization.

At one point I felt like I couldn't leave because the system would come off
the rails if I wasn't there and I harbored some resentment. If you can find a
place where you're working in an advisory capacity you won't run into that
problem.

Are you seeing job openings where you are taking a big pay cut to work in
security? That didn't used to be the case. I used to lament that the problem
with my platonic ideal for QA people is paradoxical; the sort of person whom I
would cherish as a QA person could spend a year retraining as a security
auditor and make more money than me instead of 70% of what I'm making.

------
zellyn
- Do the Matasano security challenges
- Talk to tptacek (tqbf on twitter): they almost certainly have pointers and opinions

~~~
saagarjha
…or just wait for him to comment here.

------
fecak
I write resumes and consult to job seekers on search strategy topics. I've
worked with several clients this year who have transitioned from more
traditional IT/admin roles into security - for experienced pros I'd say that
IT/admin types are the most common background (as opposed to software dev) for
those seeking to enter infosec.

The value of certs depends a bit on the cert, and to be honest I don't
typically see the SANS certs. CISSP is much more common, Certified Ethical
Hacker is also pretty common, and CompTIA Security+ is one that most junior
level IT folks start with (in my experience).

Saying you make 6 figures without saying where you live makes it pretty tough
to figure out what you might make in your market. 100K is a ton of money in
some areas and peanuts in others.

~~~
johnnycarcin
That is a good point (location). I currently am located in Colorado.

------
johnnycarcin
Wow, thank you everyone for your comments! Literally every comment has
provided value and caused me to think a bit more on this. I appreciate all of
your responses and hopefully this can help others in a similar situation.

------
tabtab
40? By God, that's a young whippersnapper. I do remember starting to feel
discrimination/ageism around 42, and even considered leaving IT, knowing my age
would only go up.

Go for it! The ageism counter-wind is still weak at 40.

------
wessorh
I think anyone that understands how computers and networks work can make a
good security engineer. The mindset for breaking things can be taught.

It isn't too late to do something that interests you, it may be painful taking
lower pay or having to learn something that isn't directly related to your
job.

Try it as a hobby first, attend some security related conferences, like most
industries the security folks are kind and happy to share knowledge.

------
technion
I'd recommend noting down your area. You're going to get a lot of advice, and
it's probably very good advice in general. But as someone not in the US, a lot
of what I'm reading does not reflect my local market.

Edit: That similarly applies to the "current salary" discussion. Six figures
could be a lot, or very poor.

------
jiveturkey
six figures at 40 is not a brag ...

do it. you have the right background and demand is off the charts.

don’t waste time with certs. do buy a CISSP book though to make sure you know
what you need to know.

------
disposable42
Jumping in the thread since there is a lot of very helpful advice here, I
would like to know if my career change seems stupid or not?

Here is my background:

I am a SRE for a FAANG for a couple of years, sharing my time between system
development and operational work. I am almost 40, EU based, been doing that
for more than a decade.

I am more and more considering a switch to a security position, because I
start being tired of operational tasks and oncall duty.

I have a fairly good knowledge of operating system/linux internals, the
underlying mechanisms (memory layout, subsystems, io, kernel/user space, ...)
how programs work down to the cpu level (registers, stack/heap, assembly, cpu
rings, syscalls, stackframe, ...).

Some minor contributions to Linux thanks to the Eudyptula challenge
(eudyptula-challenge.org), which I completed a few years ago, and also minor
patches for the FreeBSD kernel.

Security-wise, a few years ago I was very interested in reverse engineering
(SoftICE, WinDasm, IDA, understanding exe packers, debugger detection) and
lately managed to participate in a few CTFs and do some Linux reversemes
(thanks radare2!).

Security is a very wide world, but reverse engineering/exploiting binaries
would be the thing I like the most (familiar with stack smashing, rop, format
string attack, everything low-level)

I am also starting to write a toy interpreter/compiler from scratch.

I have been talking to some security engineers from another FAANG company, and
realized that what they were doing (security audits, CVE impact analysis, a
lot of paperwork/emails/document writing) is something I am not interested
in; I like low-level technical stuff.

Hence my question: am I dreaming? Is it possible with this background to
find a security position where low-level/reverse-engineering is the main part
of the job?

What would be the best thing to start with? Find some security issues in
open-source software? Reverseme write-ups?

Thanks a lot!

------
thrownaway954
Get your CISSP, it costs $700 to take the exam... and you can command 100K
with your background. I didn't even have my CISSP and started off at 75K.
Granted I have 20 years in programming, DBA, Network Administration and
System Administration. You'll do just fine.

I will tell you one thing... security is pretty boring if you are a person
that likes to be in the trenches. It's more of a manager role (they even tell
you to think like a manager when getting your CISSP). Your role is to identify
a problem, document the solution and then audit the outcome. You don't ever
fix or correct problems.

------
jusob
There are plenty of unfilled positions in security. Typically, a large SaaS
company will have several security teams: application (Product Security),
Infrastructure Security, Network Security, Device Security (company laptops,
phones, etc.), Red team/penetration testing team, Response team, CIRT
(external facing), etc. With your experience, it looks like the
Infrastructure team might be a good entry. No need for certifications.

------
orbital475
CERT First -> Get Security+ cert (Foundational cert, HR filter, DoD Approved
DoDD 8570) - buy some cheap used books off eBay, cert cost ~$300

Network -> Join local InfoSec user groups, follow netsec on Reddit, create a
L/I profile - join security groups, RSS feeds - Krebs, Hacker News

Continuing Ed -> Community college - 2 year AA degree in Computer
Science/InfoSec (WGU Online).

------
hi41
I had a hard time getting a job in Java and web development because I had C
on HP NonStop experience. I found it difficult to come to terms with this. I
had a decade of experience but I still couldn't get a job in web development.
From your post it appears to be more prevalent. Why does this happen in the
IT industry? Is it because the tools used are very different?

------
potbelly83
How does the job market for security work compare to the job market for
machine learning? Is the security work more interesting? My reason for asking
is that I'm sort of in the same boat. I've got a PhD in Math (not crypto or
stats related) and have been doing back end C++ work for a while now. Looking
for a move to greener pastures.

------
coverband
Get a security job first, then ask your employer to sponsor the certification
program. Also, be aware that for any cert program, there can be multiple
domains in which you'll likely have limited to no experience. Start working on
expanding your knowledge to cover those areas.

------
swerveonem
You could take a pay cut, learn the business at another firm, then start your
own shop in two years, #win.

------
motohagiography
The certification discussion usually raises hackles among security people.
I've been in infosec for over 20 years, so take from this what you will.

The question is what kind of work you plan to do. If you are contracting,
most public sector contracts are awarded on a points scoring system that
gives points for certifications. Given the value of a given contract (e.g.
say, ~$200k for a year) paying for a $5k-$10k option on all of them is a
sound bet. Other things could tip a points scale, but this advantage is what
you pay for.

From an economics standpoint, demonstrating differentiated skill is hard. In
the jargon, it means signalling costs for competence in security are very
high. Many people use papers, blogs, conference speaking, exploits, open
source contributions, and media hits to differentiate themselves, and the work
that goes into this is more than most normal people put into their careers. A
certification doesn't get you the same thing, but it will level you up to a
point where many customers/clients are indifferent to the extra value implied
by other people's high-cost signals. Is it an honest signal of skill or
technical capability? No, but it's sufficient for most procurement cases.

The market (and the ISC2) has tried (and largely succeeded in it) to make the
CISSP a bar to entry. It sounds from the OP's post that he is an individual
contributor (IC) (instead of a manager) who wants to get into security because
it is an IC role with a better future for an older worker than devops.

Realistically, a Master's in information security (distance education on
this galore) is sufficient for a drop-in director of security role, as the
role is mainly about navigating a large organization and buying technical
talent as needed. I would say having serious technical chops will
differentiate you among security pros, where the market has become flooded
with non-technical audit and governance people whose role is as an
organizational gatekeeper.

Some amazing technical security pros will scoff at this, but what most people
don't get is there is a point of diminishing marginal return on technical
skill, where the only people who can even begin to appreciate your skills need
to be at least half way there, and coincidentally, employers can't tell the
difference, and they are a lot cheaper than you are.

The professionalization of the field has meant a new class of administrators
will just buy tech expertise when they need it, and operate largely by trading
on their political veto (the black box of risk) in their respective
organizations.

If you are a technical IC who wants to rebrand as a security technical IC,
it's interesting and challenging work with a great culture around it. However,
be aware that given the expense and demand of it, the market is being flooded,
and my recommendation would be that the longer term game would be to use it as
a lever into a general management (or at least SE) role, one that you can
still find work in when you are 50.

In answer to your final question, get education that is portable, that you
can leverage into that general management role. So again, a Master's of
infosec will set you up for a role you can do when you are 50, whereas
technical courses only have about a 5-8 year value horizon.

~~~
jfolkins
This is a solid perspective. Thanks for sharing.

------
segmondy
Starting career X at age Y. In tech, answer is always yes. How bad do you want
it?

------
x0ner
The security market is insanely hot right now and will continue to thrive.
From my perspective, we are reaching a point where security is seen as a
commodity, not some optional process––everyone needs to know about security,
even if they aren't working in the field. From a job perspective, schools are
not able to keep up with the demand and even then, those leaving academics are
not showing strong practical skills they can apply.

SysAdmin/SRE/Dev is the perfect sort of person to transition to security. You
are going to think about how the system functions, what is running on top of
it and how to ensure it stays online. When I interview candidates, I like to
see an alternative background as it means that person is going to bring a
new perspective. "Security" as a job doesn't really make as much sense to
me––you specialize in a given area (i.e. network background folks may
maintain appliances, rule sets, detection signatures, etc.) and apply
security to that area. I see your area as a means to solve a lot of security
problems. Configurations, deployments, etc. can be checked in and accounted
for with code instead of relying on people; there's massive power in that.

When it comes to certifications, I think there are two schools of thought.
There are folks who look at the paperwork and make sure you can check the
box, giving way too much value to certifications. For those who have been
around a bit, they see the certification as practical, though no
substitution for real-world experience. If you are being cost conscious,
check out some of the free resources online for Network+[1] and
Security+[2]. The important takeaway in those materials is not that you
_need_ a certificate, but that you should understand the content and be
confident in speaking about it.

If the red/blue side is more your style, I can't recommend enough to check out
the Offensive Security courses [3]. The tool set is free, the course is
reasonably priced, it's a lot of fun and will give you real-world experience
that is far more favorable than the standard certificates. Skip the whole CEH
program as it has a poor reputation.

You mention six figures, but don't provide a scale, so it's hard to know how
much of a pay cut you would potentially take. That said, security pays well
and it's not uncommon to see salaries in the range of $100-200K even with
less experience. All salaries are relative, but in general, a lot of my peers
are not exceeding 200K on the base, though they clear a lot more when
factoring in other incentives like stock or bonus.

 _Background_ : Been in security my whole career (started in networking and
morphed into security) totaling close to 15 years. Like you, I have a set of
skills outside of security (sys admin, networking, dev) and it's played in my
favor a lot. Reach out to me direct if you have more questions!

[1] https://www.cybrary.it/course/comptia-network-plus/

[2] https://www.cybrary.it/course/comptia-security-plus/

[3] https://www.offensive-security.com/

------
orbital475
#1 Security+ (Foundational Cert, HR filter, DoD Approved DoDD 8570) - ~$300

#2 Network - L/I profile (join groups), Reddit.com (netsec, etc.), Local
InfoSec user groups, RSS news feeds - Krebs, Hacker News

#3 Degree - get an inexpensive AA degree in Computer Science/InfoSec (@
community college or WGU online)

------
cypherg
Get your OSCP. Learn how to automate security tools. Learn Splunk. Learn cloud
infrastructure. Use pentesterlab.com. Be able to dev in Python. Read threat
reports and become familiar with the various threat actors. Learn some hacking
history. Read all of the old zines. Do that and you'll be ahead of most.

------
devsecguy
Hey, I'm about 8 months ahead of you, I quit my dev job and studied full time
to get the OSCP and then took a job as a security consultant with the aim of
being a full-time penetration tester. Now I'm going back into development.
Security is a broad field but if you want to get into pen testing then you are
definitely in a good position skills and career-wise. And yes the security
industry is booming at the moment and will likely continue that way.

Don't bother with SANS certs, they are just too expensive and not worth it
for an individual to take. I would highly recommend the OSCP, you will learn
a ton and if you pass it's a very well respected cert to have. Stay away from
certs which don't have a practical element, i.e. Certified Ethical Hacker
(CEH) which only requires a multiple choice test; nobody cares about these
kinds of certs.

However, based on what you say in your post, I don't think it's a good idea
for you to switch to security. You will likely have to take at least a few
months to study for a cert like the OSCP in order to get a junior pen tester
role and once you do get that role, you will be earning a junior's wage.
Another option would be to spend a few months doing bug bounties to prove
yourself but this will also take time to learn the ropes.

You might be lucky and not have to take a 50% pay cut, but the chances are you
will have to take at least some kind of pay cut. Do you love security enough
that you are willing to do that? For me the realisation was that I was
starting at the bottom of the ladder as a pen tester despite coming from a
very well paid dev job and I was wondering "do I really enjoy this enough that
I'm willing to wait a few years until I am earning the same money I was as a
dev?". I did like working in security, but not enough to make it worth it for
me to start out at the bottom of the ladder again. Also I'm in my late
twenties with no kids.

Also one thing to keep in mind, and this varies depending on what kind of
security job you have, but in pen testing at least there is a significant
amount of travel involved which isn't necessarily compensated for by your
salary (at least not at a junior level). This is one thing to keep in mind
especially since you have a family.

Finally, you mention that you "spent my entire career in the world of
sysadmin/SRE/shitty dev". I would suggest trying to look for a "non-shitty"
job in one of those fields; you already have a wealth of experience so I would
use it to get a job that you like, and certainly not all dev jobs are shitty.
Maybe you need to learn a new language or framework or gain some specific
domain knowledge in order to work on more exciting problems or in a better
environment? A lot of the posters in this thread seem to make it out that
your job experience will almost mean that you can walk into a security job;
while your experience is extremely beneficial, ultimately there is nothing
that prepares you for a security job more than the job itself and most pen
testers know this. Hence you will likely have to start out as a junior again.
Also my experience is based in a large city in the UK (not London), so it
might vary from location to location, but I doubt the industry is that much
different in the US or anywhere really.

------
gaius
My LinkedIn feed is full of barely competent - if I’m being generous - former
cow-orkers becoming CISOs. Anyone who knows what they’re doing will certainly
make a killing in this field. Good luck!