by wglb 2771 days ago
I was significantly older than 40 when I entered the security field after a career in development and technical management. I would consider this phase of my career successful.

What has worked for me is a burning curiosity about security, software and things that go crash at night. And a desire to learn.

Two books are very helpful--The Art of Software Security Assessment, and the Web Application Hacker's Handbook. There are many resources available on the web--CTF exercises, post mortems, instructive blog posts, scary news feeds, free tools.

After getting into security as an application security guy, I ended up with a gig that enabled me to build a team of 15, none of whom had previous security experience, none of whom had or were expected to get certificates. The team did (and is still doing) some terrific things, and now has expanded responsibilities.

So look for jobs that give you a work sample product test and don't require certificates. Make your own learning plan.