from Hacker News

Ask HN: Starting a career in security at 40?

by johnnycarcin on 11/19/18, 4:34 PM with 111 comments

For the security folks out there, what is the market like? How much weight is put on having some of the various certifications out there?

I have always had an interest in security, especially the red/blue team side of things as well as the forensics area. I have spent my entire career in the world of sysadmin/SRE/shitty dev however so nothing on my resume shows "security". The last couple of weeks I have been looking at some of the certification classes and... wow, they can get pretty crazy. The SANS online stuff is like $6k per course!

Being close to 40 and making six figures (not a brag, just using it for background) I am worried that it's too late to make the jump and still be able to provide for my family. It seems like a pretty big risk to drop multiple thousands on certifications only to start at a salary much lower than I currently have. I'm not willing to impact my family by taking a potential 50% pay cut. I realize there are risks with any kind of career change, I just want to make sure I'm not going into this blind.

Does it make sense to go after some of these certifications, even if they are not from SANS? Is the security world hiring and paying well these days? Am I looking for too much and should I just accept the fact that a major pay cut would be part of the process?

TIA

  • by tptacek on 11/19/18, 6:31 PM

    You'll do fine.

    Don't waste time with certificates. They mean fuck all in the industry. Any job that cares about them is a job you don't want.

    Try to get some clarity about what part of security you want to work in. All the subfields are open to you. Do you want to do operations work? Do you want to exercise your software development muscles? Do you want to work offense or defense? My advice might be different depending on the answers to those questions, but no matter what you want to do, you should be fine.

  • by loteck on 11/19/18, 5:37 PM

    I get the sense the biggest obstacle to your career pivot may be the circumstances of a typical 40 year-old. You probably have bills to pay and a lot of responsibilities that consume your non-work time.

    The transition to the roles you've mentioned may require a significant period of unpaid, expensive self re-training, and if you want that re-training to end any time soon, you will want to spend a lot of hours on it. Can you handle those two things?

    Here's an interesting tale of someone younger than us who took a path into security from zero.[0]

    [0] http://blog.mallardlabs.com/zero-to-oscp-in-292-days-or-how-...

  • by hazmazlaz on 11/19/18, 5:43 PM

    Security has a large number of unfilled positions currently:

    https://cybersecurityventures.com/jobs/

    https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast...

    https://www.ziprecruiter.com/blog/cybersecurity-jobs-are-sky...

    and security jobs tend to be slightly higher paying than other IT positions. With some certifications and a few years of experience you have a good chance to be making a comparable salary to your current one.

    SANS tends to be on the high end of cost for certifications. Look into the following organizations for more options:

    ISACA

    ISC2

    EC-Council

    A background in IT and Dev is highly valuable for Security jobs. You will find that many of your current skills are applicable.

    Look at job postings in Indeed, LinkedIn, etc. job sites for roles that interest you and look at the certifications and experience they ask for. That will help guide your investigation into what you need to qualify.

    (I have been working in the security industry for the past 10 years in various capacities, caveat emptor etc.)

  • by trash_panda on 11/19/18, 5:42 PM

    First of all: what in particular do you find interesting about the security field? Are you more interested in the offensive or defensive side?

    I guess that given your background, the smoothest transition will be to something like application security engineer/devops security. There is a trend where companies are hiring developers who also know security, to be part of the dev team. So any bug that has an impact in security will be fixed by this role. Also, the new architectural landscape (cloud everything) is really changing the game, and having expertise in these solutions from a security perspective is a very valuable skill.

    I don't know of particular certifications for application security or "DevSecOps" that will help you. I know that, for example, in your situation CISSP is not useful. CISSP jobs are mostly boring.

    If you're interested in the offensive side, then the OSCP certification is a good bet; it shows that you understand and are able to execute a simple pentest. It is a well regarded certification and it will mostly make up for your lack of professional experience in the subject.

    In conclusion, you're making good money right now; unless you're really bored and unchallenged, I'd start getting into security as a hobby, and see how you can apply what you learn in your current job. Maybe you can even change roles where you're at. But try to use your current experience and give it a security twist, so you can then build on your experience instead of trying to make up for the lack of it with bogus certifications.

  • by kapilartistry on 11/19/18, 5:41 PM

    In order of appearance of '?', here are my responses:

    1. Market is pretty hot and you will get multiple choices to pick from the available offers.

    2. Certifications have very little to do with the job (Full Disclosure: I am currently maintaining CISSP, CCSP, GWAPT, GMOB certs). That being said, sometimes HR/recruiters use these for filtering candidates. You can look at the Security+ certification to get a feel.

    3. It will make sense even if it's not from SANS, because people who have done SANS know that a) SANS is very expensive, b) it's an open book exam, c) it does not involve hands-on work. For that matter, if you go after the coveted OSCP, then people will understand that you have hands-on skills.

    4. You should get equivalent or more pay because the market is hot. Most of the earlier security professionals came from a SysAdmin/Dev background. You have a better understanding of how systems/apps work, so it will be easier to break them or identify vulnerabilities.

    There are several blogs (e.g. https://tisiphone.net/category/security-education/) available to find a learning path for security, so check them out. Self learning is the biggest skill that you will need.

    PS - Started my career in Information Security 9 years back, right after coming out of school

  • by bobmagoo on 11/19/18, 5:45 PM

    It's a great time to be in security, definitely a job seeker's market. I've been in security for ~8 years now and don't have any certs and don't see a whole lot of value in them unless your employer/clients require them (some consultant or government shops do). I place a much higher value on knowing your stuff and being able to earn the respect of other engineering teams when helping them understand more secure ways to build what they're trying to build.

    Some of the best security engineers I've known came from a network engineer or sysadmin background. So don't worry if you don't have a "masters in security". I'd spend some time thinking about the last large system you built. How would someone attack it? How would you detect those attacks? What would you do if they were successful? How could you have architected around those weaknesses? If doing that seems like fun, my team is hiring in Seattle, feel free to drop us a message at prodsec-recruiting@tableau.com

  • by wglb on 11/20/18, 4:19 PM

    I was significantly older than 40 when I entered the security field after a career in development and technical management. I would consider this phase of my career successful.

    What has worked for me is a burning curiosity about security, software and things that go crash at night. And a desire to learn.

    Two books are very helpful--The Art of Software Security Assessment, and the Web Application Hackers Handbook. There are many resources available on the web--CTF exercises, post mortems, instructive blog posts, scary news feeds, free tools.

    After getting into security as an application security guy, I ended up with a gig that enabled me to build a team of 15, none of whom had previous security experience, none of whom had or were expected to get certificates. The team did (and is still doing) some terrific things, and now has expanded responsibilities.

    So look for jobs that give you a work sample product test and don't require certificates. Make your own learning plan.

  • by secatron on 11/19/18, 6:34 PM

    I started my career in security at 35, a few years ago.

    I had a strong reverse engineering background from the software development projects I'd worked on professionally, and had dabbled in security-related things in my free time, so certifications weren't required.

    It has been a pay increase rather than a pay cut, but I think that was partly due to moving location. I've had two jobs so far, and no shortage at all of offers when I was looking.

    Having significant prior software development experience has been useful. About half of my work so far has been writing tools to assist vulnerability research, and the other half analyzing and discussing security bugs with the developers responsible for making the fix, so having this background has helped in both of these. But it depends what area of security you're aiming for.

    I would say go for it, put your resume out there, if you've done anything at all even tangentially related to security in your working life then you have a good chance.

    To be honest, I didn't think I had a chance compared to all the elite hackers and researchers who've been doing this sort of thing for years, and was surprised it all worked out.

  • by griffinmb on 11/19/18, 5:33 PM

    I made the switch from web development to security a few years ago and initially took a 10-15% pay cut. I didn't get any certs and wouldn't necessarily recommend them. Instead, I joined various bug bounty programs to get practical (and resume-lite) experience.

    Having implementation experience (via webdev) in addition to the bug bounty experience was a plus when I was interviewing.

    If you're in a tech hub like SF or NYC there is plenty of security work. But, yeah, I would expect some kind of a pay cut since you are moving from a (potentially) senior position to an entry-level position.

  • by k4ch0w on 11/19/18, 7:36 PM

    If you get the CISSP and are a good manager you will most likely end up triaging bugs and not actively testing. This is a complaint I have heard from new members on our team. Security isn't always sexy, and people actually get pissed off at me for breaking shit and halting releases. At the end of the day too, no one gives a shit if I break into a box, they just want me to tell them it's secure enough today. It can be a thankless job sometimes.

    You don't need a SANS class, they can teach you a lot but there are places for newbies that get more for much less. It's better to get a job and see what they need you to do on a daily basis, then choose a SANS class to get better at that specific skill. I'd just put your resume in now as a sysadmin and see what happens. We hire plenty of people with devops/sysadmin backgrounds and teach them as we go.

    Certifications are pretty much not required. Some are seen as a joke and will actually get you weeded out if they are on your resume.

    Compliance is very... very dull and is seen as a joke to serious security folks because the bar is set very low. I would say avoid this completely if you want to enjoy coming to work. (Sorry for compliance folks out there)

    Six figures is common for a lot of people on here. Security makes more than some software devs depending on your skill level and company. I don't know what you do now, but you would most likely be matched or higher depending on how strong your skills are.

    I'd say the hardest thing is you always have to learn new technology and keep up to date with the latest trends. CI/CD pipelines, containerization, blockchain (rolls eyes), cryptography, different cloud environments, smart phones, cars, etc. You will almost definitely encounter something you have never seen before and need to learn as much about it as possible in order to secure it.

  • by typicalrunt on 11/19/18, 7:29 PM

    40 is a great time. In fact, I went down a similar path.

    Now that you've done your share of sysadmin, SRE and software development work, you can see how things can fail. That's the heart of security. As tptacek advises, choose an area of security to focus on and go down that path for a while. You'll find you will want to go further or jump to another path, but security is a great thing. The world is going to need more security-aware people and you can be at the forefront of it.

    My current security focus is holistic defence of data flowing from customer to company. The whole SDLC lifecycle. It's fun but super challenging because it focuses on changing human mindsets and behaviour, but my Dev and ops skills are essential to my technical success.

    And certs are useless on their own. Don't do certs unless you can specifically get something out of it. Your work experience is much more valuable than a cert at this point.

  • by runjake on 11/19/18, 7:52 PM

    Allow me to disagree with tptacek a little:

    The OffSec Penetration Testing with Kali Linux (OSCP certification) is excellent and outstanding and cheap.

    https://www.offensive-security.com/information-security-trai...

    While the course itself is $800, you'll most assuredly need another 60 days of lab time for the certification. I think all-in-all it cost me $1,500 for everything.

    The course material is excellent and wide-ranging and very hands-on. If you have a family, it's a serious investment of time. It put a serious dent into my night time hours for a couple months.

    The OSCP certification is widely respected and not just a "paper certification" like some of the others (C|EH). Lots of practical skills. Great stuff.

  • by deadmetheny on 11/19/18, 5:48 PM

    You're not likely to have much luck jumping straight into the R/B team pentesting or forensics world without either some practical experience or certification. With a firm tech background I can imagine you can re-train into a slightly lower position on the security totem pole pretty easily though. Certs can be a mixed bag - pretty much everyone knows they don't actually mean a whole hell of a lot other than a basic grasp of the concepts, but some places will still use them as HR filters. SANS exams can be helpful and are not particularly difficult, but as you said, are very expensive. I'm not really sure what current pay rates for sysadmin type work are, but I wouldn't expect that significant of a pay cut, if you encounter one at all.

    Security as a field in general is definitely hiring, though. You'll almost certainly be able to get a job pretty much anywhere in a large variety of companies. For example, here in the Midwest there's a lot of health providers, insurance companies, and banks that have plenty of positions available at locally competitive rates (though bear in mind this exists outside the SV wage bubble) and they generally do not have any qualms about hiring older folks.

  • by john37386 on 11/19/18, 5:38 PM

    I come from a similar background as you and I've done CISSP from (ISC)2. I always thought it would be useless as I thought that I couldn't learn new stuff because I am a sysadmin/SRE/shitty dev.

    What I observed from a sysadmin/SRE perspective vs pure security team is that we speak 2 different languages. We often clashed with them and it brought frustrations on both sides.

    The material covered in CISSP is very broad and not deep. I've done it on my own and I saved $6K. The book costs $80 and it takes 3 to 6 months to complete. The exam is a real bitch though! Be sure to be very prepared.

    In the end, it's the best move that I've done in my career and I can now speak with the Security mafia.

  • by jfalcon on 11/19/18, 5:56 PM

    My career arc is much like yours, but at the same time I grew up wearing a greyhat, much like how my beard is becoming: black, then with time white was added. Most employers value security and actively encourage any efforts in increasing their security posture. Are there not efforts in your current career to "scratch the itch" so to speak? I would agree with many that certs are worthless unless you intend to work as a third party auditor, but being able to "talk the talk and walk the walk" matters more.

  • by ninegunpi on 11/19/18, 6:31 PM

    Background in infrastructure is the best you can have - you will be far ahead compared to many newly educated ‘security engineers’, knowing the application domain.

    What I would think about if I were you (I was so 15 years ago: started as a systems engineer in telco, although I have been playing around with systems since childhood) is to try and capitalize on the knowledge you’ve got: pick an entry point to the security market as ‘security for X’, where X is the type of systems you’ve been administrating. This way, you’ll have a solid base of problem-domain experience, and will be able to easily associate new learning material and new work challenges with the experience you’ve already got.

    Security is a huge domain of knowledge - being able to bite into it in digestible chunks is crucial so as not to turn into another checklist drone or certified skript kiddie.

  • by netman21 on 11/19/18, 5:49 PM

    I was 36 when I got into security and have never looked back. The fastest, most lucrative route to security is through a role at a vendor. Start to get involved with security at your current job. Get to know the security team. Work on a project with them. Get to know the sales person from an up and coming vendor. Ask him/her about an SE role. You can easily clear six figures.

  • by Spooky23 on 11/19/18, 6:25 PM

    Find complements to what you do now that are security related and move from there. If you do devops and SRE, you’re a practitioner in security.

    To the right organization, someone with your operational and Dev background is super useful. Many security orgs came from a policy background and have challenges because they lack experienced operations or dev focused people.

    Make sure that you understand what you want to do. Map your experience to the appropriate security lingo. Understand the core concepts in NIST 800-53.

    A lot of the material you’ll find on the web about the industry is consulting focused.

  • by hinkley on 11/19/18, 7:29 PM

    Just an anecdote. I took an opportunity to break into security at 35, with a company that was willing to take a risk on a guy who showed up with a bit of knowledge and a lot of confidence.

    I did good work, but expertise was thin on the ground. I discovered that while I like the subject matter a great deal, what I didn't like was the chain of responsibility at that organization.

    At one point I felt like I couldn't leave because the system would come off the rails if I wasn't there and I harbored some resentment. If you can find a place where you're working in an advisory capacity you won't run into that problem.

    Are you seeing job openings where you are taking a big pay cut to work in security? That didn't used to be the case. I used to lament that the problem with my platonic ideal for QA people is paradoxical; the sort of person whom I would cherish as a QA person could spend a year retraining as a security auditor and make more money than me instead of 70% of what I'm making.

  • by zellyn on 11/19/18, 6:09 PM

    - Do the Matasano security challenges
    - Talk to tptacek (tqbf on twitter): they almost certainly have pointers and opinions

  • by fecak on 11/19/18, 6:22 PM

    I write resumes and consult to job seekers on search strategy topics. I've worked with several clients this year who have transitioned from more traditional IT/admin roles into security - for experienced pros I'd say that IT/admin types are the most common background (as opposed to software dev) for those seeking to enter infosec.

    The value of certs depends a bit on the cert, and to be honest I don't typically see the SANS certs. CISSP is much more common, Certified Ethical Hacker is also pretty common, and CompTIA Security+ is one that most junior level IT folks start with (in my experience).

    Saying you make 6 figures without saying where you live makes it pretty tough to figure out what you might make in your market. 100K is a ton of money in some areas and peanuts in others.

  • by johnnycarcin on 11/19/18, 8:07 PM

    Wow, thank you everyone for your comments! Literally every comment has provided value and caused me to think a bit more on this. I appreciate all of your responses and hopefully this can help others in a similar situation.

  • by tabtab on 11/19/18, 6:44 PM

    40? By God, that's a young whippersnapper. I do remember starting to feel discrimination/agism around 42, and even considered leaving IT, knowing my age would only go up.

    Go for it! The agism counter-wind is still weak at 40.

  • by wessorh on 11/19/18, 5:38 PM

    I think anyone that understands how computers and networks work can make a good security engineer. The mindset for breaking things can be taught.

    It isn't too late to do something that interests you, it may be painful taking lower pay or having to learn something that isn't directly related to your job.

    Try it as a hobby first, attend some security related conferences, like most industries the security folks are kind and happy to share knowledge.

  • by technion on 11/19/18, 9:22 PM

    I'd recommend noting down your area. You're going to get a lot of advice, and it's probably very good advice in general. But as someone not in the US, a lot of what I'm reading does not reflect my local market.

    Edit: That similarly applies to the "current salary" discussion. Six figures could be a lot, or very poor.

  • by jiveturkey on 11/19/18, 7:09 PM

    six figures at 40 is not a brag ...

    do it. you have the right background and demand is off the charts.

    don’t waste time with certs. do buy a CISSP book though to make sure you know what you need to know.

  • by disposable42 on 11/21/18, 8:09 PM

    Jumping in the thread since there is a lot of very helpful advice here; I would like to know if my career change seems stupid or not.

    Here is my background:

    I have been an SRE at a FAANG for a couple of years, sharing my time between system development and operational work. I am almost 40, EU based, and have been doing that for more than a decade.

    I am more and more considering a switch to a security position, because I start being tired of operational tasks and oncall duty.

    I have a fairly good knowledge of operating system/linux internals, the underlying mechanisms (memory layout, subsystems, io, kernel/user space, ...) how programs work down to the cpu level (registers, stack/heap, assembly, cpu rings, syscalls, stackframe, ...).

    Some minor contributions to the Linux kernel thanks to the Eudyptula challenge (eudyptula-challenge.org), which I completed a few years ago, and also minor patches for the FreeBSD kernel.

    Security wise, a few years ago I was very interested in reverse engineering (Softice, windasm, ida, understanding exe packers, debugger detection) and lately managed to participate in a few CTFs and have done some Linux reversemes (thanks radare2!)

    Security is a very wide world, but reverse engineering/exploiting binaries would be the thing I like the most (familiar with stack smashing, rop, format string attack, everything low-level)

    I am also starting to write a toy interpreter/compiler from scratch.

    I have been talking to some security engineers from another FAANG company, and realized that what they were doing (security audits, CVEs impact analysis, lot of paperwork/emails/document writing) is something I am not interested in, I like low-level technical stuff.

    Hence my question: am I dreaming? Is that possible with this background to find a security position where low-level/reverse-engineering is the main part of the job?

    What would be the best thing to start with? Find some security issues in opensource software? reverseme write-ups?

    Thanks a lot!

  • by thrownaway954 on 11/19/18, 6:23 PM

    get your CISSP, it costs $700 to take the exam... and you can command 100K with your background. I didn't even have my CISSP and started off at 75K. Granted I have 20 years in programming, DBA, Network Administration and System Administration. You'll do just fine.

    I will tell you one thing... security is pretty boring if you are a person that likes to be in the trenches. It's more of a manager role (they even tell you to think like a manager when getting your CISSP). Your role is to identify a problem, document the solution and then audit the outcome. You don't ever fix or correct problems.

  • by jusob on 11/20/18, 4:10 AM

    There are plenty of unfilled positions in security. Typically, a large SaaS company will have several security teams: application (Product Security), Infrastructure Security, Network Security, Device Security (company laptops, phones, etc.), Red team/penetration testing team, Response team, CIRT (external facing), etc. With your experience, it looks like the Infrastructure team might be a good entry. No need for certifications.

  • by orbital475 on 11/19/18, 7:23 PM

    CERT First -> Get the Security+ cert (foundational cert, HR filter, DoD approved under DoDD 8570); buy some cheap used books off eBay, cert cost ~$300
    Network -> Join local InfoSec user groups, follow netsec on Reddit, create a L/I profile and join security groups, RSS feeds - Krebs, Hacker News
    Continuing Ed -> Community college - 2 year AA degree in Computer Science/Infosec (WGU Online).

  • by hi41 on 11/19/18, 10:27 PM

    I had a hard time getting a job in Java and web development because I had C on HP NonStop experience. I found it difficult to come to terms with this. I had a decade of experience but I still couldn't get a job in web development. From your post it appears to be more prevalent. Why does this happen in the IT industry? Is it because the tools used are very different?

  • by potbelly83 on 11/20/18, 1:20 AM

    How does the job market for security work compare to the job market for machine learning? Is the security work more interesting? My reason for asking is that I'm sort of in the same boat. I've got a PhD in Math (not crypto or stats related) and have been doing back end C++ work for a while now. Looking for a move to greener pastures.

  • by coverband on 11/19/18, 7:36 PM

    Get a security job first, then ask your employer to sponsor the certification program. Also, be aware that for any cert program, there can be multiple domains in which you'll likely have limited to no experience. Start working on expanding your knowledge to cover those areas.

  • by swerveonem on 11/19/18, 7:19 PM

    You could take a pay cut, learn the business at another firm, then start your own shop in two years, #win.

  • by motohagiography on 11/19/18, 6:09 PM

    The certification discussion usually raises hackles among security people. I've been in infosec for over 20 years, so take from this what you will.

    Question is what kind of work you plan to do. If you are contracting, most public sector contracts are awarded on a points scoring system that gives points for certifications. Given the value of a given contract (e.g. say, ~$200k for a year), paying for a $5k-$10k option on all of them is a sound bet. Other things could tip a points scale, but this advantage is what you pay for.

    From an economics standpoint, demonstrating differentiated skill is hard. In the jargon, it means signalling costs for competence in security are very high. Many people use papers, blogs, conference speaking, exploits, open source contributions, and media hits to differentiate themselves, and the work that goes into this is more than most normal people put into their careers. A certification doesn't get you the same thing, but it will level you up to a point where many customers/clients are indifferent to the extra value implied by other people's high-cost signals. Is it an honest signal of skill or technical capability? No, but it's sufficient for most procurement cases.

    The market (and the ISC2) has tried (and largely succeeded in it) to make the CISSP a bar to entry. It sounds from the OP's post that he is an individual contributor (IC) (instead of a manager) who wants to get into security because it is an IC role with a better future for an older worker than devops.

    Realistically, a Masters in information security (distance education on this galore) is sufficient for a drop-in director of security role, as the role is mainly about navigating a large organization and buying technical talent as-needed. I would say having serious technical chops will differentiate you among security pros, where the market has become flooded with non-technical audit and governance people whose role is as an organizational gatekeeper.

    Some amazing technical security pros will scoff at this, but what most people don't get is there is a point of diminishing marginal return on technical skill, where the only people who can even begin to appreciate your skills need to be at least half way there, and coincidentally, employers can't tell the difference, and they are a lot cheaper than you are.

    The professionalization of the field has meant a new class of administrators will just buy tech expertise when they need it, and operate largely by trading on their political veto (the black box of risk) in their respective organizations.

    If you are a technical IC who wants to rebrand as a security technical IC, it's interesting and challenging work with a great culture around it. However, be aware that given the expense and demand of it, the market is being flooded, and my recommendation would be that the longer term game would be to use it as a lever into a general management (or at least SE) role, one that you can still find work in when you are 50.

    In answer to your final question, get education that is portable that you can leverage into that general management role. So again, Masters of infosec will set you up for a role you can do when you are 50, whereas technical courses only have about a 5-8 year value horizon.

  • by segmondy on 11/19/18, 6:38 PM

    Starting career X at age Y. In tech, answer is always yes. How bad do you want it?

  • by x0ner on 11/19/18, 6:04 PM

    The security market is insanely hot right now and will continue to thrive. From my perspective, we are reaching a point where security is seen as a commodity, not some optional process: everyone needs to know about security, even if they aren't working in the field. From a job perspective, schools are not able to keep up with the demand and even then, those leaving academics are not showing strong practical skills they can apply.

    SysAdmin/SRE/Dev is the perfect sort of person to transition to security. You are going to think about how the system functions, what is running on top of it and how to ensure it stays online. When I interview candidates, I like to see an alternative background as it means that person is going to bring a new perspective. "Security" as a job doesn't really make as much sense to me: you specialize in a given area (i.e. network background folks may maintain appliances, rule sets, detection signatures, etc.) and apply security to that area. I see your area as a means to solve a lot of security problems. Configurations, deployments, etc. can be checked in and accounted for with code instead of relying on people; there's massive power in that.

    When it comes to certifications, I think there are two schools of thought. There are folks who look at the paperwork and make sure you can check the box, giving way too much value to certifications. For those who have been around a bit, they see the certification as practical, though no substitute for real-world experience. If you are being cost conscious, check out some of the free resources online for Network+[1] and Security+[2]. The important takeaway in those materials is not that you _need_ a certificate, but that you should understand the content and be confident in speaking about it.

    If the red/blue side is more your style, I can't recommend enough to check out the Offensive Security courses [3]. The tool set is free, the course is reasonably priced, it's a lot of fun and will give you real-world experience that is far more favorable than the standard certificates. Skip the whole CEH program as it has a poor reputation.

    You mention six figures, but don't provide a scale, so it's hard to know how much of a pay cut you would potentially take. That said, security pays well and it's not uncommon to see salaries in the range of $100-200K even with less experience. All salaries are relative, but in general, a lot of my peers are not exceeding 200K on the base, though they clear a lot more when factoring in other incentives like stock or bonus.

    Background: Been in security my whole career (started in networking and morphed into security) totaling close to 15 years. Like you, I have a set of skills outside of security (sys admin, networking, dev) and it's played in my favor a lot. Reach out to me direct if you have more questions!

    [1] https://www.cybrary.it/course/comptia-network-plus/
    [2] https://www.cybrary.it/course/comptia-security-plus/
    [3] https://www.offensive-security.com/

  • by orbital475 on 11/19/18, 7:25 PM

    #1 Security+ (Foundational Cert, HR filter, DoD Approved DoDD 8570) - ~$300
    #2 Network - L/I profile (join groups), Reddit.com (netsec, etc.), Local InfoSec user groups, RSS news feeds - Krebs, Hacker News
    #3 Degree - get an inexpensive AA degree in Computer Science/InfoSec (@ community college or WGU online)
  • by cypherg on 11/20/18, 4:35 PM

    Get your OSCP. Learn how to automate security tools. Learn Splunk. Learn cloud infrastructure. Use pentesterlab.com. Be able to dev in Python. Read threat reports and become familiar with the various threat actors. Learn some hacking history. Read all of the old zines. Do that and you'll be ahead of most.
  • by devsecguy on 11/20/18, 2:51 PM

    Hey, I'm about 8 months ahead of you, I quit my dev job and studied full time to get the OSCP and then took a job as a security consultant with the aim of being a full-time penetration tester. Now I'm going back into development. Security is a broad field but if you want to get into pen testing then you are definitely in a good position skills and career-wise. And yes the security industry is booming at the moment and will likely continue that way.

    Don't bother with SANS certs, they are just too expensive and not worth it for an individual to take. I would highly recommend the OSCP, you will learn a ton and if you pass it's a very well respected cert to have. Stay away from certs which don't have a practical element, i.e. Certified Ethical Hacker (CEH) which only requires a multiple choice test; nobody cares about these kinds of certs.

    However, based on what you say in your post, I don't think it's a good idea for you to switch to security. You will likely have to take at least a few months to study for a cert like the OSCP in order to get a junior pen tester role, and once you do get that role, you will be earning a junior's wage. Another option would be to spend a few months doing bug bounties to prove yourself, but this will also take time to learn the ropes.

    You might be lucky and not have to take a 50% pay cut, but the chances are you will have to take at least some kind of pay cut. Do you love security enough that you are willing to do that? For me the realisation was that I was starting at the bottom of the ladder as a pen tester despite coming from a very well paid dev job, and I was wondering "do I really enjoy this enough that I'm willing to wait a few years until I am earning the same money I was as a dev?". I did like working in security, but not enough to make it worth it for me to start out at the bottom of the ladder again. Also I'm in my late twenties with no kids.

    Also one thing to keep in mind, and this varies depending on what kind of security job you have, but in pen testing at least there is a significant amount of travel involved which isn't necessarily compensated for by your salary (at least not at a junior level). This is one thing to keep in mind especially since you have a family.

    Finally, you mention that you "spent my entire career in the world of sysadmin/SRE/shitty dev". I would suggest trying to look for a "non-shitty" job in one of those fields; you already have a wealth of experience, so I would use it to get a job that you like. Certainly not all dev jobs are shitty. Maybe you need to learn a new language or framework or gain some specific domain knowledge in order to work on more exciting problems or in a better environment? A lot of the posters in this thread seem to make it out that your job experience will almost mean that you can walk into a security job. While your experience is extremely beneficial, ultimately there is nothing that prepares you for a security job more than the job itself, and most pen testers know this. Hence you will likely have to start out as a junior again. Also my experience is based in a large city in the UK (not London), so it might vary from location to location, but I doubt the industry is that much different in the US or anywhere really.

  • by gaius on 11/19/18, 8:08 PM

    My LinkedIn feed is full of barely competent - if I’m being generous - former cow-orkers becoming CISOs. Anyone who knows what they’re doing will certainly make a killing in this field. Good luck!