Ask HN: Career change from general java dev to cyber security/machine learning

39 points by gdfer ↗ HN
I received a computer science degree ~12 yrs ago and have worked successfully in the field as programmer, team lead and dev manager. Most of my experience comes from developing enterprise apps in Java.

While I've had a successful career thus far, consistently get great reviews & make a good wage, I am also getting ... bored I guess.

I'm considering various options -one idea that's piqued my interest lately is furthering my education a bit (would have to do online learning) and making a transition to working in a more specialized area of comp sci such as cyber security or machine learning. I don't have much experience in cyber security (have done some pen testing/fixing of java web apps -OWASP type stuff) and have virtually no experience with AI/machine learning concepts. I just find these things fascinating.

I guess I'm curious: Has anyone made a similar career change from a more general developer type of role to something like cyber security or machine learning? How did that go for you? What should my expectations be and what are some suggestions for investigating and going about this?

Lastly -I don't work in or near a big city and would probably have to work remotely (I've been doing remote Java consulting successfully for a while) or move. Not sure if these specializations are conducive to remote workers so I wonder if anyone can shed any light on that.

15 comments

[ 3.1 ms ] story [ 43.7 ms ] thread
>I don't work in or near a big city and would probably have to work remotely

The specializations are both conducive to remote work. However, they aren't conducive to remote work for people that don't have a good amount of experience in that role.

You can definitely make the switch to either of those things, but you have a long road ahead. If you know specifically what sub-field of security interests you, I might be able to give you some more insight.

I am actually in a similar boat. I have done a lot of java work, and was active on the security side of things in my previous role. I mostly worked on compliance, but I did some pen testing.

I can see compliance not being friendly to remote where pen testing would be a lot more friendly.

I know security is a big field, but I would love to hear any insight that you have on it.

I found this website pretty helpful for investigating a career path change to cyber security and it contains information about more specific jobs within the cyber security field. http://www.cyberdegrees.org/jobs/

I guess I have a couple of interests ... developing secure code & architectures as well as hacking/defending against hackers (ethical hacking).

From some of the job descriptions in the link above, things like: Penetration Tester (ethical hacking), Security Analyst / Security Auditor, Forensics Expert

Of the two I'd get more involved in machine learning. For a couple of reasons:

1. Ultimately I think it'll be easier to get a remote job. ML is in high demand and requires dedicated, focused hacking time. This means remote is more do-able. Generalizing -- Cyber security interfaces significantly with people and process across the whole of an organization, so tends to require more face time.

2. It's easier to experiment and learn ML on your own. Grab a project, come up with some ideas and then get them up on Github. That's much hard to do in the security realm.

If I were you, I'd see if you can carve out some time for a passion project. Pick up a ML framework and see what you can do. Put it up on Github, write some blogs. You'll see how passionate about the space you are, plus build out the start of a CV.

Definitely like the idea of carving out time for a passion project and going from there. I'll probably start out with a couple of MOOCS or something in each field and give some thought to what that passion project will be.
Respectfully, none of what you said has been my experience.

Remote work is available for competent security engineers and consultants in spades. Entire teams at Optiv are distributed across continents (or they were when I worked there, back when it was Accuvant). Delve outside AmaGooBookSoft and you'll find many companies are quite amenable to remote employees for their internal teams, too. Check /r/netsec's hiring posts.

As for learning on your own - I'd cautiously disagree here. If your goal is to learn appsec and you're already a competent developer, you can do that by picking up literally one or two textbooks and participating in bug bounties. Job offers will be more or less thrown at you if you have a pulse and have found more than, say, three non-trivial vulnerabilities in recognizable programs. The companies themselves will often try to recruit you.

Machine learning is, like a lot of software engineering, easy to pick up and play with over a weekend, yes. But it is more difficult to become competitively competent right now for two reasons: 1) the field is exploding with incoming talent looking to capitalize on the new AI wave and 2) the amount of research you'll want to keep up with to stay informed is much higher than infosec.

To be fair though, I still believe someone can pick up machine learning. It's just that (most of) information security is rather more straightforward to ramp up to competency, in terms of resources available.

"you can do that by picking up literally one or two textbooks and participating in bug bounties" is a good idea and certainly something I hadn't considered. My main concern was bootstrapping yourself into the area, so that's an interesting approach.

I read "cyber security" a bit more broadly. You can certainly be a great appsec-type -- but I still personally believe spending time in and around organizations is really important to be in security. Do take your point there are large domains and specializations where that's less true.

Arguably this will be the same in ML at some stage. In actuality I think devops-for-ML or testing-for-ML is a more agreeable place to get started. It's pretty underserviced right now.

Ultimately I think best to follow the passion. Give both a try and see what feels best.

There are subfields of infosec where organizational understanding and savvy is important. But if you're a technologist, most of the real action in the field is in appsec and, at it's most specialized, high-status end, vulnerability research. Appsec doesn't much care where you're located, or really even how well you understand the org chart of your target.
I know little about either or, but there's a micro masters course (five courses in total) on cyber security over at edx which started five weeks ago, give or take. You could audit the class to check it out. With your experience and what we've seen so far, shouldnt take you much to catch up. That is, if your time permits it.
Thanks, yeah, I was looking at cyber security specialization at courseera and will take a peek at edx too. Definitely all comes down to time for me since I still work full time and am raising kids but I can find a way to carve out the time.
I went from lead dev (and head of development with 10 years experience) to security consultant about 6 months ago, as security was always a hobby of mine.

If you look at my previous comments I always say the same thing: get the OSCP certification. It will definitely get you an interview but the course is hard and demanding.

Also, get ready to take a paycut and a role downgrade as 4 years of pentesting have more value than 10 years of development.

Obviously you bring other skills to the table like better client communication and knowing how things work under the hood, but you'll have to take a step back before you take two steps forward.

I definitely recommend you go that way, but think hard before you do, and please be sure it's not because you're "bored".

Last but not least, prepare to travel to clients. Sure there is the "internet" and "vpn" but a lot of clients have internal apps need testing and do not give you remote access.

If you have any questions I'll be happy to help out.

Thanks, helpful for sure. Yeah I'm not looking just because I'm "bored", I suppose it's a myriad of reasons but that is one of them.

Why did you decide to make the change to security consultant?

How were your security skills before you decided to make the change? You said it was a hobby, but for how long? I'm thinking I'll have to carve off time for a while to invest into learning the new hobby then see where I'm at in 6 months time.

The reason I switched was because pen testing is in really high demand and will stay that way for a few years to come. Also, I didn't want to get full time into management at this point.

My security skills were average (hobby for about 10 years but mostly because I was a web developer) but like I said the OSCP did most of the work in terms of getting the interview and doing any technical test. The course itself took about 2 months, 6 hours every day after work, and fulltime weekends!

My suggestion would be to do the OSCP course and if you like it then go for it. There is also vulnhub.com which has a lot of CTF VMs where you can practice (I personally dislike CTFs because I find them unrealistic).

I didn't make quite the transition you are talking about, but I went from a general software lead position to being a security and systems engineer at a cloud provider and it has worked out rather well. I suspected that I would enjoy my new job and I have, I definitely get to learn a lot of new things everyday and my resume is looking pretty slick now.