There is the serious end of the security business, the service end, and the fake end. Plus of course all the black-hat ends.

If you want to be in the serious end, which doesn't necessarily pay more than any other software job but can be really interesting work, I would suggest learning about anti-virus and similar attacks (there are books and tutorials) and generally making your server software game as strong as possible. Then get a job with a security company at whatever level and bust your ass looking for challenges. You can rise very quickly if you can move the dial for the customers, and "smart and gets things done" plus "gives a shit about security" is a rarer combination than you'd think.

The service part, e.g. your pen-test company, is going to be much more mercenary. Great experience if you can get it, and probably a good space to start your own company in, but of very limited value in the big world. Security companies will have huge annual contracts; pen-testers and the like will be called in occasionally to check off a box on a security audit. Either one can work for you, but it's best to know what you're getting into.

The fake end, of course, is companies promising something they won't actually deliver, or will deliver with gross violations of ethics and/or the law. Obviously avoid these as best you can -- for the more serious companies, having your name associated with "SEO" or other spammers can permanently blacklist you from employment, at least in the US; obviously, the dodgier the play, the greater the risk of blacklisting. Hiring managers worth their salt have a nose for this, since Ethics is way more important than Skillz for any serious security job.

In case the black-hat part isn't obvious: in many places word gets around if a talented hacker is interested in security. Mafia is mafia even for us nerds. If something sounds suspicious, I strongly suggest you don't take the meeting. (This may be less of an issue in the US.)

Best of luck to you! The world needs more smart people working for a safer Internet!

There's a lot of not-security work to be done in the security industry, and it's not all work that gives you security-specific experience. I like to think I'm good at what I do, but it's not security, even though it's to help security people.