Ask HN: Transitioning from game development to cybersecurity. Tips or advice?

[poutinepapi]

Hello HN!

I was let go from my gaming job a couple of months ago, and unfortunately nothing has come up yet.

Thankfully, I was thinking of moving away from the industry anyway, so this is a great opportunity to do so. I've got some savings and have given myself a year to set-up a cybersecurity consultancy business. My main target will be start-ups, and small to medium tech companies, particularly gaming ones that don't yet have a cybersecurity division, but nonetheless need one, and don't see the point of hiring a full time cybersecurity professional.

The field has always interested me, and most of my games experience is doing server side development, alongside DevOps, and then straight game dev. But server work has been the bulk, so at least I'm familiar with the basics of hardening a system against interference, mostly by players trying to cheat, and every now and again against criminal interests who have targeted our games.

I've got around 15+ years of experience as a software engineer, around half of that in plain server development, and the other half specialized in server dev for games.

I've got a bachelor's degree in software engineering, and an MSc in Computer Games Technology. I'm taking a short postgrad course in Cybersecurity at my local university, but that takes 8 months. In the meantime, I'm studying to get Security+ certified so I can start bidding for jobs and have something more backing me apart from my CV.

My question is the following, what am I missing? What else can I get or do to give myself more credibility? Does anyone have any tips on getting clients?

I'm planning on running promotions for start-ups and going to several meet-ups to distribute coupons, some booklets with free information on personal cybersecurity, and just to network.

Cheers in advance for the advice!

p.s.: I'm also setting a sister company for game dev consulting, but I'm much more familiar with that and feel much more comfortable with it, but tips for that are also welcome.

[ipython]

Some thoughts from someone who has been in the security biz for a while:

1. Security is more a mindset than anything else. Get used to finding the edge cases. Think "how can I break this..." or "how can I get around this restriction..." Many security folks I know started actually by exactly what you mentioned- figuring out how to bypass copy protection on games, how to bypass client-side checks in multi-player games, ... and so on.

2. Many pure security folks are very poor developers. You'll have a unique skillset here if you can apply it. Most security oriented folks use Python for quick scripts. If you already know python, great; otherwise, learn it and use that as a marketable skill.

3. I'm not sure about jumping head first into a consultancy. I'd recommend getting some experience in a security field first. It's hard to have credibility without some experience first.

4. Don't bother with security+. If you want creds, go and take your favorite cloud provider's security specialist exam. Cloud security is still relatively new, in high demand, and can get you immediate credibility with employers or clients.

5. I'm a big fan of real-world experience. Set up your own Linux server and try to attack it. Learn what some of the real world attacker techniques are. See some of the following:

Learn the Techniques, Tactics, and Procedures (TTPs) outlined in the MITRE ATT&CK matrix (https://attack.mitre.org/).

There are a LOT of "Capture the Flag" (CTF) events and writeups out there. Search for ones in a subfield you find interesting. Security is a HUGE topic. You'll need to specialize. Do you want to reverse engineer code? Secure cloud applications? Help companies define their identity and access management strategy? There's a CTF for all of those and then some. Do some googling around.

I have a lot more tips, so if you're interested just reply to this comment with a way I can get in touch and I'll reach out.

[poutinepapi]

I had not thinking of setting up my own server and attacking it. That sounds super fun! And will be good learning experience, cheers!

[_8j50]

As someone in the field, i only agree with #5, the rest except your last paragraph ir two is bad advice.

[gbrindisi]

Can you elaborate? As someone else in the field I found the advice quite sound

[Amedeemus]

Having dev/ops experience is a huge plus, there is a lack of security practitioners that know the pains of developers that and are able to offer technical security advice from experience.

A good place to start is by trying to distill some of your hard earned experience into a two hour session for a technical audience in the gaming industry, and offer that to potential clients. As a starting consultant, this is a low-risk way for clients to gauge your expertise and can give you a foot in the door, or at minimum valuable feedback.

Are there common security standards or regulatory compliance drivers for the gaming industry? Understanding the external security drivers for a company and being able to translate these drivers into pragmatic requirements or processes gives you a leg up compared to generic security consultants. Having knowledge of common frameworks can be beneficial. Look into NIST CSF, OWASP SAMM and the OWASP DSOMM (In order from high-level to hands-on)

If you want to pad the CV with some certifications, have a look at Paul Jerimy's certification roadmap. https://pauljerimy.com/security-certification-roadmap Skip the basic ones (such as security+), especially since you have dev experience. Go for CISSP if you want to offer managerial advice or go for the technical certs (eg. cloud provider certs) if you want to be more hands-on

For additional training, have a look at the list that NIST compiled: https://www.nist.gov/itl/applied-cybersecurity/nice/resource...

Seek out your local OWASP chapter and attend some local meetups and security conferences. Talk to your peers at these events and learn what positions they hold, what challenges they have and what tips they may offer. Many OWASP projects are looking for (dev) contributors. Have a look and see if you can contribute to some projects with your experience. This is a learning opportunity and you're helping the community, being a contributor can be a great way to show your expertise to potential clients. If you are using OWASP projects, the OWASP slack channels can be quite active and good learning resources too. OWASP conferences often have free or low-cost training too, as part of the conference.

[poutinepapi]

Cheers mate! This information is great and I'll carefully read it. Thank you so much.

[ukuina]

I hear generative AI from Azure and elsewhere is being integrated into realtime threat monitoring, any word on how effective this is and what the impact in on the hiring landscape?

https://www.microsoft.com/en-us/security/business/ai-machine...

[brudgers]

Unfortunately pretty much every action you mention kinda smells like a way of avoiding direct rejection.

Coupons, booklets, degrees, certificates, and networking are not sales.

(Neither are designing a logo renting an office and printing business cards, in case anyone wonders).

No amount of competency can compensate for a lack of sales. No amount of credentials, either.

Sales come first. Before everything else.

If you aren’t selling your business is dead.

Good luck.

[poutinepapi]

Mate... That had not even crossed my mind :O! I don't have a lot of sales experience, but I used to work at a digital agency, and that thing was just crawling with sales people, I'll phone one up and ask them about it, and mention your comment, cheers!

[jimmychoozyx]

If you have time available, consider taking an entry level inside-sales job for a few weeks or months.

They're typically OK with short term, because anyone can do the job. It just takes being able to tolerate making 100-200 phone calls per day.

A little sales experience is helpful, especially when it comes to how to present a product and how to create a strategy to overcome objections to why a person doesn't want to buy.

It will also help you get used to confidently presenting ideas to strangers--despite & becoming immune to-- the risk of rejection.

[poutinepapi]

I mean... I am unemployed, so that's not a bad idea at all, I'll look for some entry level sales positions in my area, cheers!

[brudgers]

Maybe start selling your services instead?

[logicalmonster]

I think a game developer might end up being great at some kinds of security stuff because you already are used to thinking with a defensive programming mindset.

If you were building popular multi-player games for instance, you were probably thinking a lot about systems to prevent players from cheating or finding exploits to win. A lot of common web-development is much the same thing.

[ezedv]

While coding skills are transferable, cybersecurity has its nuances. Dive into online courses like CompTIA Security+ and explore ethical hacking to bridge the gap. Networking helps too – attend cybersecurity meetups or webinars to connect with experts.

Your game dev problem-solving mindset will be a huge asset in tackling security challenges creatively.

[_8j50]

"Cybersecurity" is too general. Do you want to respond to incidents, do offensive security, vuln mgmt, vuln research, exploit dev, appsec, netsec,websec,cloudsec, setup systems for a security team or setup systems for product team with a sec speciality in their devsecops,etc...

But I gotta say, your background is best suited to focus on appsec (secure code writing) or seceng/devsecops type person. Your masters I am afraid is near useless (having worked with several masters holders), I might even make a good bet your security+ will be more valuable.

There are many certs depending on your goal and they all have value depending on where you apply. OSCP will impress anyone for entry level of anything. But imho, sec+ and cysa+ give you enough of a taste to keep you well rounded on a lot of things. The public secret is that you should get an employer that would pay a ton of money into sans certs afer that unless you end up in appsec, devsecops/seceng,vulnmgmt. Despite what edgelords say, you do learn quite a bit from difficult and lab intensive certs.

College grads and the masters holders I worked with severly lacked a hacker mindset. I think OSCP might help you with that tbh. You can't think like you are solving a programming problem or working on a coding/IT project. What you think you know in many ways will hurt you, which is one reason I am glad you are taking an entry level cert like sec+.

Just make sure you actually like security stuff, if not I highly recommend doing appsec/devsecops stuff so you are still in familiar territory.

There is a lot of work in security you don't hear much about where most people don't know how to write any code. And there are jobs where you work with assemly every day (and they pay shit from what I have seen unless your talent is top tier), there is a lot of variety. But the fundamental remains, that everyone in security has to know how threat actors work and think, security exists because bad people do, that's what it's all about at its root, not technical things.

Entry level jobs will be easy to get with just your background but in my observation, entry level is entry level, you gotta take somewhat of a crappy pay (relative to tech pay) and then after like a year your pay can improve when you have proven yourself a bit.

A lot of the stuff I do would probably be an unbearable burden if I didn't genuinely enjoy it. I work with people whose family gets in the way (spending time with them) or they do ok but do sort of the minimum with a lot of complaining because they're just there for the pay understandable, a job is a job, but they're not having fun at all.

Hooe that helped.

Oh, and stay away from startups and such and avoid ec-council certs like cancer. CTFs take a lot of time, I wouldn't waste my time on them in your position, they won't actually help you get a job unless it is a really competitive junior pentester gig and it's a tiebreaker or something.

[poutinepapi]

This was a great read. Appsec does sound like where I should be aiming for the most, and that's an area that I do enjoy. Cheers!

[zarathustra333]

Would love to talk and pick your brain a bit, have an email or discord i can contact you at?