
Ask HN: Career change from general java dev to cyber security/machine learning - gdfer
I received a computer science degree ~12 yrs ago and have worked successfully in the field as programmer, team lead and dev manager. Most of my experience comes from developing enterprise apps in Java.

While I've had a successful career thus far, consistently get great reviews & make a good wage, I am also getting ... bored I guess.

I'm considering various options - one idea that's piqued my interest lately is furthering my education a bit (would have to do online learning) and making a transition to working in a more specialized area of comp sci such as cyber security or machine learning. I don't have much experience in cyber security (have done some pen testing/fixing of java web apps - OWASP type stuff) and have virtually no experience with AI/machine learning concepts. I just find these things fascinating.

I guess I'm curious: Has anyone made a similar career change from a more general developer type of role to something like cyber security or machine learning? How did that go for you? What should my expectations be and what are some suggestions for investigating and going about this?

Lastly - I don't work in or near a big city and would probably have to work remotely (I've been doing remote Java consulting successfully for a while) or move. Not sure if these specializations are conducive to remote workers so I wonder if anyone can shed any light on that.
======
jwilliams
Of the two I'd get more involved in machine learning. For a couple of reasons:

1. Ultimately I think it'll be easier to get a remote job. ML is in high
demand and requires dedicated, focused hacking time. This means remote is more
do-able. Generalizing -- Cyber security interfaces significantly with people
and process across the whole of an organization, so tends to require more face
time.

2. It's easier to experiment and learn ML on your own. Grab a project, come
up with some ideas and then get them up on Github. That's much harder to do in
the security realm.

If I were you, I'd see if you can carve out some time for a passion project.
Pick up a ML framework and see what you can do. Put it up on Github, write
some blogs. You'll see how passionate about the space you are, plus build out
the start of a CV.

~~~
dsacco
Respectfully, none of what you said has been my experience.

Remote work is available for competent security engineers and consultants in
spades. Entire teams at Optiv are distributed across continents (or they were
when I worked there, back when it was Accuvant). Delve outside AmaGooBookSoft
and you'll find many companies are quite amenable to remote employees for
their internal teams, too. Check /r/netsec's hiring posts.

As for learning on your own - I'd cautiously disagree here. If your goal is to
learn appsec and you're already a competent developer, you can do that by
picking up literally one or two textbooks and participating in bug bounties.
Job offers will be more or less thrown at you if you have a pulse and have
found more than, say, three non-trivial vulnerabilities in recognizable
programs. The companies themselves will often try to recruit you.

Machine learning is, like a lot of software engineering, easy to pick up and
play with over a weekend, yes. But it is more difficult to become
competitively competent right now for two reasons: 1) the field is exploding
with incoming talent looking to capitalize on the new AI wave and 2) the
amount of research you'll want to keep up with to stay informed is much higher
than infosec.

To be fair though, I still believe someone can pick up machine learning. It's
just that (most of) information security is rather more straightforward to
ramp up to competency, in terms of resources available.

~~~
jwilliams
"you can do that by picking up literally one or two textbooks and
participating in bug bounties" is a good idea and certainly something I hadn't
considered. My main concern was bootstrapping yourself into the area, so
that's an interesting approach.

I read "cyber security" a bit more broadly. You can certainly be a great
appsec-type -- but I still personally believe spending time in and around
organizations is really important to be in security. Do take your point there
are large domains and specializations where that's less true.

Arguably this will be the same in ML at some stage. In actuality I think
devops-for-ML or testing-for-ML is a more agreeable place to get started. It's
pretty underserviced right now.

Ultimately I think best to follow the passion. Give both a try and see what
feels best.

~~~
tptacek
There are subfields of infosec where organizational understanding and savvy is
important. But if you're a technologist, most of the real action in the field
is in appsec and, at its most specialized, high-status end, vulnerability
research. Appsec doesn't much care where you're located, or really even how
well you understand the org chart of your target.

------
howlett
I went from lead dev (and head of development with 10 years experience) to
security consultant about 6 months ago, as security was always a hobby of
mine.

If you look at my previous comments I always say the same thing: get the OSCP
certification. It will definitely get you an interview but the course is hard
and demanding.

Also, get ready to take a pay cut and a role downgrade as 4 years of pentesting
have more value than 10 years of development.

Obviously you bring other skills to the table like better client communication
and knowing how things work under the hood, but you'll have to take a step
back before you take two steps forward.

I definitely recommend you go that way, but think hard before you do, and
please be sure it's not because you're "bored".

Last but not least, prepare to travel to clients. Sure there is the "internet"
and "vpn" but a lot of clients have internal apps that need testing and do not give
you remote access.

If you have any questions I'll be happy to help out.

~~~
gdfer
Thanks, helpful for sure. Yeah I'm not looking just because I'm "bored", I
suppose it's a myriad of reasons but that is one of them.

Why did you decide to make the change to security consultant?

How were your security skills before you decided to make the change? You said
it was a hobby, but for how long? I'm thinking I'll have to carve off time for
a while to invest into learning the new hobby then see where I'm at in 6
months time.

~~~
howlett
The reason I switched was because pen testing is in really high demand and
will stay that way for a few years to come. Also, I didn't want to get full
time into management at this point.

My security skills were average (hobby for about 10 years but mostly because I
was a web developer) but like I said the OSCP did most of the work in terms of
getting the interview and doing any technical test. The course itself took
about 2 months, 6 hours every day after work, and full-time weekends!

My suggestion would be to do the OSCP course and if you like it then go for
it. There is also vulnhub.com which has a lot of CTF VMs where you can
practice (I personally dislike CTFs because I find them unrealistic).

------
phaus
>I don't work in or near a big city and would probably have to work remotely

The specializations are both conducive to remote work. However, they aren't
conducive to remote work for people that don't have a good amount of
experience in that role.

You can definitely make the switch to either of those things, but you have a
long road ahead. If you know specifically what sub-field of security interests
you, I might be able to give you some more insight.

~~~
lazy_gator
I am actually in a similar boat. I have done a lot of java work, and was
active on the security side of things in my previous role. I mostly worked on
compliance, but I did some pen testing.

I can see compliance not being friendly to remote where pen testing would be a
lot more friendly.

I know security is a big field, but I would love to hear any insight that you
have on it.

------
Teichopsia
I know little about either or, but there's a micro masters course (five
courses in total) on cyber security over at edx which started five weeks ago,
give or take. You could audit the class to check it out. With your experience
and what we've seen so far, shouldn't take you much to catch up. That is, if
your time permits it.

~~~
gdfer
Thanks, yeah, I was looking at cyber security specialization at Coursera and
will take a peek at edx too. Definitely all comes down to time for me since I
still work full time and am raising kids but I can find a way to carve out the
time.

------
hacknat
I didn't make quite the transition you are talking about, but I went from a
general software lead position to being a security and systems engineer at a
cloud provider and it has worked out rather well. I suspected that I would
enjoy my new job and I have, I definitely get to learn a lot of new things
every day and my resume is looking pretty slick now.

