[trash_panda]

First of all: what in particular do you find interesting of the security field? Are you more interesting in the offensive or defensive side?

I guess that given your background, the smoothest transition will be to something like application security engineer/devops security. There is a trend where companies are hiring developers who also know security, to be part of the dev team. So any bug that has an impact in security will be fixed by this role. Also, the new architectural landscape (cloud everything) is really changing the game, and having expertise in these solutions from a security perspective is a very valuable skill.

I don't know of particular certifications for application security or "DevSecOps" that will help you. I know that for example, in your situation; CISSP is not useful. CISSP jobs are mostly boring.

If you're interested in the offensive side, then the OSCP certification is a good bet; it shows that you understand and are able to execute a simple pentest. It is a well regarded certification and It will mostly make up for your lack of professional experience in the subject.

In conclusion, you're making good money right now; unless you're really bored and unchallenged, I'll start getting into security as a hobbie, and see how can you apply what you learn on your current job. Maybe you can even change roles where you're at. But try to use your current experience and give it a security twist, so you can then build on your experience instead of trying to make up for the lack of it with bogus certifications.

[johnnycarcin]

Appreciate the reply!

With regards to what do I find interesting, honestly I would put offensive at the top of the list but I do have interests in the defensive side as well as the malware analysis. I am, what I believe, a "problem solver" by nature so I enjoy the idea of being given some unknowns and being told to go figure it out.

[souprock]

With that extra detail, it appears you are seeking the sort of job I posted in the hiring thread:

https://news.ycombinator.com/item?id=18358038

You say that "nothing on my resume shows "security"" and that is fine... look, the job posting doesn't say it either. Certifications don't count for anything. Most of us here don't show up with "security" or certifications on a resume.

That said, the skill you list as "sysadmin/SRE/shitty dev" (for "SRE" being either "software release engineer" or "site reliability engineering") probably isn't going to cut it. Something more low-level is usually needed. You almost need to be good at assembly language.

[trash_panda]

Of course, you're welcome. I forgot to address the salary question. Six figure jobs are common in this industry, but experience is required to get those jobs. I don't personally know of anyone that did the change at your age, but a good thing is that (unless you want to go enterprise or government) the industry is not to demanding on formalities, a lot of people don't even have degrees. It's a field where it's easy to detect if someone really knows what he/she's talking about. And if someone is useful and helpful, nobody will really care your experience, academic history, etc.

If you're interested in stuff like malware analysis, then you could start doing it as a hobby and maintain a good blog where you explain all your analysis as you learn.

[tptacek]

I can easily offer an existence proof for "six figure jobs" in security that do not require previous experience in security to obtain. I don't think we're that far out of the mainstream.

(We're not competing with FAANGs for compensation, but that's not what "six figures" means).

[tptacek]

You should be aware that you just described three very different roles --- "offensive security" (scanner jockey -> netpen -> appsec -> vuln research / red team), defensive security (secops -> seceng -> security management), and malware analysis (malware analysis -> malware analysis -> still more malware analysis).

For you, the most important question might be how much you enjoy coding.