Ask HN: Starting a career in security at 40?

190 points by johnnycarcin ↗ HN
For the security folks out there, what is the market like? How much weight is put on having some of the various certifications out there?

I have always had an interest in security, especially the red/blue team side of things as well as the forensics area. I have spent my entire career in the world of sysadmin/SRE/shitty dev however so nothing on my resume shows "security". The last couple of weeks I have been looking at some of the certification classes and... wow, they can get pretty crazy. The SANS online stuff is like $6k per course!

Being close to 40 and making six figures (not a brag, just using it for background) I am worried that it's too late to make the jump and still be able to provide for my family. It seems like a pretty big risk to drop multiple thousands on certifications only to start at a salary much lower than I currently have. I'm not willing to impact my family by taking a potential 50% pay cut. I realize there are risks with any kind of career change, I just want to make sure I'm not going into this blind.

Does it make sense to go after some of these certifications, even if they are not from SANS? Is the security world hiring and paying well these days? Am I looking for too much and should just except the fact that a major pay cut would be part of the process?

TIA

113 comments

[ 3.0 ms ] story [ 179 ms ] thread
I made the switch from web development to security a few years ago and initially took a 10-15% pay cut. I didn't get any certs and wouldn't necessarily recommend them. Instead, I joined various bug bounty programs to get practical (and resume-lite) experience.

Having implementation experience (via webdev) in addition to the bug bounty experience was a plus when I was interviewing.

If you're in a tech hub like SF or NYC there is plenty of security work. But, yeah, I would expect some kind of a paycut since you are moving from a (potentially) senior position to an entrylevel position.

> Having implementation experience (via webdev) in addition to the bug bounty experience was a plus when I was interviewing.

Hiring manager here. Assuming you successfully demonstrated these skills during the interview process, the pay cut probably shouldn't have happened.

A minor pay cut can happen for various reasons. There is not enough information to say it should or shouldn't have happened.
Absolutely true, hence the assumptions. It also assumes the OP's prior pay wasn't atypically high e.g. to fill a very specific need such as self driving computer vision refinement.

I wouldn't consider a 10-15% dip a "minor" one, though. That's consistently tens of thousands of dollars in the top ten US metro markets for these roles.

I get the sense the biggest obstacle to your career pivot may be the circumstances of a typical 40 year-old. You probably have bills to pay and a lot of responsibilities that consume your non-work time.

The transition to the roles you've mentioned may require a significant period of unpaid, expensive self re-training, and if you want that re-training to end any time soon, you will want to spend a lot of hours on it. Can you handle those two things?

Here's an interesting tale of someone younger than us who took a path into security from zero.[0]

[0] http://blog.mallardlabs.com/zero-to-oscp-in-292-days-or-how-...

This was my thought too. As you get older you tend to add more and more responsibilities: children, debts, and these require that you both work and don't work too much, meaning that the time you can truly spend on a new avenue is quite low. That's the true challenge, I think.
From the blog: "Know what you're getting yourself into, [OSCP] took me 292 days full-time"
You don't give enough information, "security" is meaningless as a solo term. You need to go into specifics at to what exactly you see yourself doing.

If we are talking threat intelligence/analytics then I would say that you're taking on a huge gambit that will most probably not pay off. These jobs will be amongst the first that will go away / automated and do not require deep skills. Certifications are a complete waste of money.

The jobs in security that have a future and pay well are research-related: vulnerability research, reverse-engineering, exploit development, toolset r&d. Certifications are (again) entirely useless. All you gotta do is prove that you have the skills necessary, which take years to acquire and even more years to master.

Personally, I would say don't bother. You are too old and too far behind.

He did say what he was interested in:

    I have always had an interest in security, especially the red/blue team side of things as well as the forensics area.
You should try replying to the actual post, not the one you constructed in your head.
He also said "With regards to what do I find interesting, honestly I would put offensive at the top of the list".
I think anyone that understands how computers and networks work can make a good security engineer. The mindset for breaking things can be taught.

It isn't too late to do something that interests you, it may be painful taking lower pay or having to learn something that isn't directly related to your job.

Try it as a hobby first, attend some security related conferences, like most industries the security folks are kind and happy to share knowledge.

I come from a similar background as you and I've done CISSP from (ISC)2. I always thought it would be useless as I thought that I can't learn new stuff because I am sysadmin/SRE/shitty dev.

What I observed from a sysadmin/SRE perspective vs pure security team is that we speak 2 different languages. We often clashed with them and it brought frustrations on both sides.

The material cover in CISSP is very broad and not deep. I've done it on my own and I saved $6K. The book costs 80$ and it takes 3 to 6 months to complete. The exam is a real bitch though! Be sure to be very prepared.

In the end, it's the best moved that I've done in my career and I can now speak with the Security mafia.

In order of appearance of '?', here are my responses

1. Market is pretty hot and you will be get multiple choices to pick from the available offers 2. Certifications have very little to do with the job (Full Disclosure - I am currently maintaining CISSP, CCSP, GWAPT, GMOB certs ) That being said, sometimes HR/recruiter use these for filtering candidates. You can look at security+ certification to get a feel. 3. It will make sense even if its not from SANS because people who have done SANS know that a) SANS is very expensive b) its an open bool exam 3) Does not involve hands-on. For that matter, if you will go after coveted OSCP, then people will understand that you have hands-on skills.

4. You should get equivalent or more pay because the market is hot. Most of the earlier security professionals came from SysAdmin/Dev background. You have a better understanding of how systems/apps, so it will be easier to break them or identify vulnerabilities.

There are several blogs (e.g. https://tisiphone.net/category/security-education/) available to find a learning path for security, so check them out. Self learning is the biggest skill that you will need.

PS - Started my career in Information Security 9 years back, right after coming out of school

First of all: what in particular do you find interesting of the security field? Are you more interesting in the offensive or defensive side?

I guess that given your background, the smoothest transition will be to something like application security engineer/devops security. There is a trend where companies are hiring developers who also know security, to be part of the dev team. So any bug that has an impact in security will be fixed by this role. Also, the new architectural landscape (cloud everything) is really changing the game, and having expertise in these solutions from a security perspective is a very valuable skill.

I don't know of particular certifications for application security or "DevSecOps" that will help you. I know that for example, in your situation; CISSP is not useful. CISSP jobs are mostly boring.

If you're interested in the offensive side, then the OSCP certification is a good bet; it shows that you understand and are able to execute a simple pentest. It is a well regarded certification and It will mostly make up for your lack of professional experience in the subject.

In conclusion, you're making good money right now; unless you're really bored and unchallenged, I'll start getting into security as a hobbie, and see how can you apply what you learn on your current job. Maybe you can even change roles where you're at. But try to use your current experience and give it a security twist, so you can then build on your experience instead of trying to make up for the lack of it with bogus certifications.

Appreciate the reply!

With regards to what do I find interesting, honestly I would put offensive at the top of the list but I do have interests in the defensive side as well as the malware analysis. I am, what I believe, a "problem solver" by nature so I enjoy the idea of being given some unknowns and being told to go figure it out.

Of course, you're welcome. I forgot to address the salary question. Six figure jobs are common in this industry, but experience is required to get those jobs. I don't personally know of anyone that did the change at your age, but a good thing is that (unless you want to go enterprise or government) the industry is not to demanding on formalities, a lot of people don't even have degrees. It's a field where it's easy to detect if someone really knows what he/she's talking about. And if someone is useful and helpful, nobody will really care your experience, academic history, etc.

If you're interested in stuff like malware analysis, then you could start doing it as a hobby and maintain a good blog where you explain all your analysis as you learn.

I can easily offer an existence proof for "six figure jobs" in security that do not require previous experience in security to obtain. I don't think we're that far out of the mainstream.

(We're not competing with FAANGs for compensation, but that's not what "six figures" means).

With that extra detail, it appears you are seeking the sort of job I posted in the hiring thread:

https://news.ycombinator.com/item?id=18358038

You say that "nothing on my resume shows "security"" and that is fine... look, the job posting doesn't say it either. Certifications don't count for anything. Most of us here don't show up with "security" or certifications on a resume.

That said, the skill you list as "sysadmin/SRE/shitty dev" (for "SRE" being either "software release engineer" or "site reliability engineering") probably isn't going to cut it. Something more low-level is usually needed. You almost need to be good at assembly language.

You should be aware that you just described three very different roles --- "offensive security" (scanner jockey -> netpen -> appsec -> vuln research / red team), defensive security (secops -> seceng -> security management), and malware analysis (malware analysis -> malware analysis -> still more malware analysis).

For you, the most important question might be how much you enjoy coding.

Security has a large number of unfilled positions currently:

https://cybersecurityventures.com/jobs/

https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast...

https://www.ziprecruiter.com/blog/cybersecurity-jobs-are-sky...

and security jobs tend to be slightly higher paying than other IT positions. With some certifications and a few years of experience you have a good chance to be making a comparable salary to your current one.

SANS tends to be on the high end of cost for certifications. Look into the following organizations for more options:

ISACA

ISC2

EC-Council

A background in IT and Dev is highly valuable for Security jobs. You will find that many of your current skills are applicable.

Look at job postings in Indeed, LinkedIn, etc. job sites for roles that interest you and look at the certifications and experience they ask for. That will help guide your investigation into what you need to qualify.

(I have been working in the security industry for the past 10 years in various capacities, caveat emptor etc.)

You can almost double your total comp overnight going from a devops/infra role to an infosec role. If you're in ops, get out of ops and go into security. More money, no on call rotation, better career trajectory.
>no on call rotation

In my experience that hasn't been true at all, but the rest is definitely accurate.

Probably true for pen testers, forensics, or immediate response. I refer to architecture roles. I don't do on call anymore, my family comes first.
Ah yeah, that makes sense (as an aside, I am jealous and hope to get there someday). You'll almost certainly have on-call in ops, which is what OP seemed to be most interested in.
Secops people have on-call rotations. Pretty much nobody else does.
Potentially, if you find that magic role and are qualified. I am too cautious to say you could 2x from a 6 figure salary without putting in a few years getting experience and proving yourself first. Not saying it isn't possible, but overnight is probably an exaggeration. If you're willing to travel and do consulting it's realistic, but it sounds like OP may not be willing to go that route.
Sometimes you have to leap off the cliff and build your wings on the way down.
It's a great time to be in security, definitely a job seeker's market. I've been in security for ~8 years now and don't have any certs and don't see a whole lot of value in them unless your employer/clients require them (some consultant or government shops do). I place a much higher value on knowing your stuff and being able to earn the respect of other engineering teams when helping them understand more secure ways to build what they're trying to build.

Some of the best security engineers I've known came from a network engineer or sysadmin background. So don't worry if you don't have a "masters in security". I'd spend some time thinking about the last large system you built. How would someone attack it? How would you detect those attacks? What would you do if they were successful? How could you have architected around those weaknesses? If doing that seems like fun, my team is hiring in Seattle, feel free to drop us a message at prodsec-recruiting@tableau.com

Senior network engineer for an ISP here, when you have a network that spans a number of states and provinces, it inevitably develops a huge attack surface. Designing security features into the network is part of modern network architecture, the two are inseparable these days. There's obvious concerns about endpoint security (individual servers, VMs, etc) and then different considerations for network security of routing/switching/WDM/millimeter wave equipment at POPs.

A lot of equipment used by ISPs is barely protected at all, from what I've seen of other peoples' networks. There's a lot of things out there like temperature monitoring devices, UPSes, rectifiers, HVAC controls, security card readers/relay controls, generator monitoring control systems that run ancient shitty software, which the vendor will never patch. People spend a lot of time isolating these things in special management networks because the cost of replacing a big rectifier system at an older POP cannot be justified.

I would say that for somebody that wants to get into a dedicated security role, without having specifically studied netsec stuff in detail, the best background to have is a mixed balance of first/second-tier NOC, network engineering, and general Linux/BSD sysadmin knowledge.

(comment deleted)
As someone who used to be a senior engineer for an ISP, shout-out to all the STBs with hard coded admin creds :-)
Shout-out to everyone who's ever worked for a large to mid-size ISP, that has acquired and eaten/digested a smaller ISP which has already existed for 12, 15 or 20 years... So much weird legacy gear in weird locations, doing weird things. So many SDH circuits and OC-whatever transport systems.
HAHA Are you me? This is sounds creepily familiar..
Seems to be an endemic problem, maybe if zayo buys everyone else noone will experience it again.
You're not likely to have much luck jumping straight into the R/B team pentesting or forensics world without either some practical experience or certification. With a firm tech background I can imagine you can re-train into a slightly lower position on the security totem pole pretty easily though. Certs can be a mixed bag - pretty much everyone knows they don't actually mean a whole hell of a lot other than a basic grasp of the concepts, but some places will still use them as HR filters. SANS exams can be helpful and are not particularly difficult, but as you said, are very expensive. I'm not really sure about current pay rates for sysadmin type work are, but I wouldn't expect that significant of a pay cut, if you encounter one at all.

Security as a field in general is definitely hiring, though. You'll almost certainly be able to get a job pretty much anywhere in a large variety of companies. For example, here in the Midwest there's a lot of health providers, insurance companies, and banks that have plenty of positions available at locally competitive rates (though bear in mind this exists outside the SV wage bubble) and they generally do not have any qualms about hiring older folks.

I was 36 when I got into security and have never looked back. The fastest, most lucrative route to security is through a role at a vendor. Start to get involved with security at your current job. Get to know the security team. Work on a project with them. Get to know the sales person from an up and coming vendor. Ask him/her abut an SE role. You can easily clear six figures.
My career arch is much like yours but at the same time I grew up wearing a greyhat much like how my beard is becoming: black then with time white was added. Most employers value security and actively encourage any efforts in increasing their security posture. Are there not efforts in your current career to "scratch the itch" so to speak? I would agree with many that certs are worthless unless you intend to work as a third party auditor but being able to "talk the talk and walk the walk" matters more.
The security market is insanely hot right now and will continue to thrive. From my perspective, we are reaching a point where security is seen as a commodity, not some optional process––everyone needs to know about security, even if they aren't working in the field. From a job perspective, schools are not able to keep up with the demand and even then, those leaving academics are not showing strong practical skills they can apply.

SysAdmin/SRE/Dev is the perfect sort of person to transition to security. You are going to think about how the system functions, what is running on top of it and how to ensure it stays online. When I interview candidates, I like see an alternative background as it means that person is going to bring a new perspective. "Security" as a job doesn't really make as much sense to me––you specialize in a given area (i.e. network background folks may maintain appliances, rule sets, detection signatures, etc.) and apply security to that area. I see your area as a means to solve a lot of security problems. Configurations, deployments, etc. can be checked in and accounted for with code instead of relying on people; there's massive power in that.

When it comes to certifications, I think there's two schools of thought. There's folks who look at the paperwork and make sure you can check the box, giving way too much value to certifications. For those who have been around a bit, they see the certification as practical, though no substitution for real-world experience. If you are being cost conscious, check out some of the free resources online for Network+[1] and Security+[2]. The important take away in those materials are not that you _need_ a certificate, but that you should understand the content and be confident in speaking out it.

If the red/blue side is more your style, I can't recommend enough to check out the Offense Security courses [3]. The tool set is free, the course is reasonably priced, it's a lot of fun and will give you real-world experience that is far more favorable than the standard certificates. Skip the whole CEH program as it has a poor reputation.

You mention six figures, but don't provide a scale, so it's hard to know how much a pay-cut you would potentially take. That said, security pays well and it's not uncommon to see salaries in the ranges of $100-200K even with less experience. All salaries are relative, but in general, a lot of my peers are not exceeding 200K on the base, though clear a lot more when factoring in other incentives like stock, or bonus.

Background: Been in security my whole career (started in networking and morphed into security) totaling close to 15 years. Like you, I have a set of skills outside of security (sys admin, networking, dev) and it's played in my favor a lot. Reach out to me direct if you have more questions!

[1] https://www.cybrary.it/course/comptia-network-plus/ [2] https://www.cybrary.it/course/comptia-security-plus/ [3] https://www.offensive-security.com/

The certification discussion usually raises hackles among security people. I've been in infosec for over 20 years, so take from this what you will.

Question is what kind of work you plan to do. If you are contracting, most public sector contracts are awarded on a points scoring system that gives points for certifications. Given the value of a given contract (e.g. say, ~$200k for a year) paying for a $5k-$10k option on all of them is a sound bet. Other things could tip a points scale, but this is the advantage is what you pay for.

From an economics standpoint, demonstrating differentiated skill is hard. In the jargon, it means signalling costs for competence in security are very high. Many people use papers, blogs, conference speaking, exploits, open source contributions, and media hits to differentiate themselves, and the work that goes into this is more than most normal people put into their careers. A certification doesn't get you the same thing, but it will level you up to a point where many customers/clients are indifferent to the extra value implied by other peoples high cost signals. Is it an honest signal of skill or technical capability? No, but it's sufficient for most procurement cases.

The market (and the ISC2) has tried (and largely succeeded in it) to make the CISSP a bar to entry. It sounds from the OPs post that he is an individual contributor (IC) (instead of a manager) who wants to get into security because it is an IC role with a better future for an older worker than devops.

Realistically, a Masters in information security (distance education on this galore) is sufficient for a drop-in director of security role, as the role is mainly about navigating a large organization and buying technical talent as-needed. I would say having serious technical chops will differentiate you among security pros, where the market has become flooded with non-technical audit and governance people whose role is as an organizational gatekeeper.

Some amazing technical security pros will scoff at this, but what most people don't get is there is a point of diminishing marginal return on technical skill, where the only people who can even begin to appreciate your skills need to be at least half way there, and coincidentally, employers can't tell the difference, and they are a lot cheaper than you are.

The professionalization of the field has meant a new class of administrators will just buy tech expertise when they need it, and operate largely by trading on their political veto (the black box of risk) in their respective organizations.

If you are a technical IC who wants to rebrand as a security technical IC, it's interesting and challenging work with a great culture around it. However, be aware that given the expense and demand of it, the market is being flooded, and my recommendation would be that the longer term game would be to use it as a lever into a general management (or at least SE) role, one that you can still find work in when you are 50.

In answer to your final question, get education that is portable that you can leverage into that general management role. So again, Masters of infosec will set you up for a role you can do when you are 50, whereas technical courses only have about a 5-8 year value horizon.

This is a solid perspective. Thanks for sharing.
- Do the Matasano security challenges - Talk to tptacek (tqbf on twitter): they almost certainly have pointers and opinions
> tptacek

I am waiting for his seminal thoughts on this actually...really.

…or just wait for him to comment here.
I write resumes and consult to job seekers on search strategy topics. I've worked with several clients this year who have transitioned from more traditional IT/admin roles into security - for experienced pros I'd say that IT/admin types are the most common background (as opposed to software dev) for those seeking to enter infosec.

The value of certs depends a bit on the cert, and to be honest I don't typically see the SANS certs. CISSP is much more common, Certified Ethical Hacker is also pretty common, and Comp TIA Security + is one that most junior level IT folks start with (in my experience).

Saying you make 6 figures without saying where you live makes it pretty tough to figure out what you might make in your market. 100K is a ton of money in some areas and peanuts in others.

That is a good point (location). I currently am located in Colorado.
get your CISSP, it cost $700 to take the exam... and you can command 100K with your background. I didn't even have my CISSP and started off at 75K. Granted I have 20 years in programming, DBA, Network Administration and System Administration. You'll do just fine.

I will tell you one thing... security is pretty boring if you are a person that likes to be in the trenches. It's more of a manager role (they even tell you to think like a manager when getting your CISSP). Your role is to identify a problem, document the solution and then audit the outcome. You don't ever fix or correct problems.

Find complements to what you do now that are security related and move from there. If you do devops and SRE, you’re a practitioner in security.

To the right organization, someone with your operational and Dev background is super useful. Many security orgs came from a policy background and have challenges because they lack experienced operations or dev focused people.

Make sure that you understand what you want to do. Map your experience to the appropriate security lingo. Understand the core concepts in NIST 800-53

A lot of the material you’ll find on the web about the industry is consulting focused.

Background in infrastructure is the best you can have - you will be far ahead compared to many newly educated ‘security engineers’, knowing the application domain.

What I would think about if I were you (was so 15 years ago - started as systems engineer in telco, although has been playing around with systems since childhood) is to try and capitalize on knowledge you’ve got - pick entrypoint to secuirty market as ‘security for X’, where X is the type of systems you’ve been administrating. This way, you’ll have a solid base of problem domain experience, and will be able to easily associate new learning material and new work challenges with experience you’ve already got.

Security is a huge domain of knowledge - being able to bite it with digestible chunks is crucial not to turn into another checklist drone or certified skript kiddie.

You'll do fine.

Don't waste time with certificates. They mean fuck all in the industry. Any job that cares about them is a job you don't want.

Try to get some clarity about what part of security you want to work in. All the subfields are open to you. Do you want to do operations work? Do you want to exercise your software development muscles? Do you want to work offense or defense? My advice might be different depending on the answers to those questions, but no matter what you want to do, you should be fine.

Do you have any resources / direction to give to a software engineer who'd want to learn more about security?

As a full stack web engineer I feel like I know nothing about security (just like most people) and I'd love to have more knowledge about it, even maybe work on this.

I have a small design and engineering studio, and might be interested in getting into that kind of services, if I discover that I get interested in this enough.

Look for a local group such as Security BSides - go to the meetups, get to know other professionals, learn from them, and get involved with their events.
Does this still ring true for someone with no experience in the industry?

I figure a certification is an effective "proof of expertise" when there's no employment history to back you up.

I think what he means with certifications is that they'll get you the jobs you don't really want.

For example, CEH (Certified Ethical Hacker) is a certification you'll see in a lot of job postings. The thing is, if you know this field, you know that this certification is worthless; it's just an expensive piece of paper. So, if you get a job that requires you to be CEH, it's telling a lot about the company itself, you don't want to work there.

Same goes for the other certs, CISSP is OK but it doesn't really prove you can actually do useful work, and the jobs that require them are not the most interesting ones. The other popular one is OSCP, which I think is quite OK. It shows a minimal level of competence.

But I tend to agree with the feeling that certification in this field do more harm than good. What we need is more professionalism and good engineering.

EDIT: To clarify my point on OSCP, it is good in the sense that they force you to do hands on work. But, it is very narrow and most of what you learn are "tricks". An OSCP holder is proven to know what a pentest it, how to go about with it, and has a lot of sometimes useful tricks under his belt. It will not tell you whether someone really knows how applications and systems works.

Agree on the other certs -- but have you actually looked at the requirements for OSCP?

I think it's a bit more in depth than you believe.

OP is right. OSCP is an entry level certificate in pentesting. That doesn't mean it's easy to get, and the people that have it will certainly have put in the time.

Security skills are just not something you tend to pick up in 4 hours flat.

source: have both OSCP and OSCE, and I work in the industry

OSCP covers a significant part of my actual subfield in security, and I think it's pretty silly.
Well that's no good, I'd been told by others in the field it was a good cert. Guess I won't waste my time with it.
Certifications are a way to bypass HR filters, and allow you to negotiate higher salaries. I agree that in terms of imparting actual skills and knowledge they are of minimal value. Being mentored by your peers, being involved in the community, and learning by doing are by far the best ways to learn Security. Certificates are relatively easy to earn and have high ROI in terms of salary and negotiating power in my experience.
This is what everyone who voluntarily paid for a certificate tells themselves. As a hiring manager (for ~10 years now) in software security who talks to a lot of other hiring managers, I am pretty confident that the supposed ROI for certification is not there. Also: if you're dealing directly with HR filters when trying to get a job somewhere, you're already playing to lose. A much higher ROI would be gained by learning how to seriously pursue a targeted role.
The value of a (good) certification is that Rumsfeld’s Law applies: you don’t know what you don’t know. Even if you never finish the programme you will at least pick up an idea of what you need to learn, the common vocabulary etc.
If you want to pay for a forcing function, that's fine, but be clear with yourself that that's all you're really paying for.

Certainly I would push back hard on the idea that a certification of any sort is something you need to obtain a first job in the field.

Thank you for sharing your experience. I think there is a lot of truth in what you said. It is probably very situation dependent - in my case getting that first cert and paying out of pocket is how I broke in from IT Ops and got my first security consulting gig. The resulting pay bump paid for the cost of the cert in 6 months. For all certs thereafter I've had my employers pay for it as part of a benefits package. Obviously this is only a single data point, but many of my colleagues have similar stories so I feel like it can't be completely unique to me. YMMV.
How would you practice this craft? Is practicing on pentesting websites (like https://www.hackthebox.eu/) a good idea?

Or is there a better way to learn the various tools?

Edit: I have also completed some of the challenges on http://cryptopals.com/ a while back to get better with developing Python code.

Start here:

https://trailofbits.github.io/ctf/

Cryptopals is great! :) If you've gotten all the way through set 6 and are interested in a first software security gig, get in touch. Those challenges have been a pretty excellent predictor for us.

I second this. I moved from systems engineering to the security field without issue. Security organizations now more than ever need a full spectrum of developers, system engineers/sysadmins and operations folks. You likely already have all the skills you need to find a decent position somewhere. Your existing skills should translate quite well.
I generally agree with you on your points, but I'll share an anecdote.

I once had a friend ask me about getting a certificate in an unrelated field from one of those ultra for-profit schools they advertise during the day on TV. I told her it was basically worthless and that places that cared about that cert and those schools probably weren't worth working at.

Long story short, she went ahead and got the cert from the money mill, got a job at a place that cared about it, and despite my personal distaste for it all, she ended up loving the job and is very happy there a decade later. So...YMMV.

So I think it's hard to categorically say the OP will hate those places when in fact they might find them perfectly suitable. Some people just really like the kind of work those places do and are perfectly happy having a handful of 3-5 letter certification acronyms after their name on their business card.

As the question of whether they're worth the paper they're printed on and if those companies that care about those things are worth the air that comes out of their central heating, I have to say I personally agree with you. They probably aren't helping humanity or the security field any and I keep far far away myself.

But to your other point, the security field is tremendously huge and honestly a lot of it is paperwork pushing certification, compliance and accreditation stuff.

Sorry but this "fuck certs" mentality just does not hold true for the security industry. It might be true in software but not here. The security industry is much more regulated than software, and with good reason - how is a company looking to hire penetration testers or blue-teamers supposed to tell between somebody who is doing they're job and somebody who isn't? If a security professional does they're job properly then you won't notice anything at all.

Yes certs are not everything, but they are proof to an extent of ones ability. Some certs like the CEH are worthless but others like the OSCP or CRT (in the uk) are definitely not worthless.

The whole "fuck certs I dont need a piece of paper to show I can do something" is somewhat juvenile and really only applies to the software industry. Most other industries have some form of regulation.

I strongly disagree. What matters in the security field is the ability to program, a desire to learn, and an deep interest in security itself.
Absolutely those are all important qualities but the idea that certs are completely worthless just doesn't hold any weight.

Can I ask if you apply the same logic to the lawyers? Do you think the bar exam is pointless? What about chartered accountants? Or Engineers? Should pilots have to pass a test? What about drivers license tests? Are they just worthless pieces of paper too?

The practice of law is an older field. When I hire a lawyer, I presume that they have sat for the bar, but my inquiry goes much deeper. If I need a contract reviewed, I try to ascertain if candidate lawyers have experience reviewing contracts, and look for recommendations for that service. If someone were to sue me, I would look for a lawyer who is experienced at litigation. In this case, a lawyers certification, which is the bar exam, is a known test for the knowledge of law, which is done after serious study.

Certifications such as the CISSP don't tell me as a hiring manager anything about a candidate's skill in the required areas. As a buyer of security services, a shop with CISSP services often has a negative correlation with quality of an application penetration test.

I've been in the security industry since 1997. The last 13 years of that were spent building consulting teams --- amusingly, the first of which was one of the largest app pentesting firms in the country, and the current one is focused on "blue-teamers", as you put it. I have no idea what "regulations" you're referring to, and am certain that certifications --- very much including OSCP --- mean fuck-all in the real world.
In the UK at least there has been a strong drive to regulate security companies through organisations like CREST and CHECK. The problem is that its an industry with a massive amount of hidden information. If somebody does a pen test on an corporate network and says "we didn't find any vulnerabilities" how does a company know if they have actually done a thorough check or if the network is genuinely secure?

Yes in an ideal world we wouldn't need certifications or exams or anything but this isn't an ideal world.

I don't know what part of "there are no certificates required to do this kind of work" I'm failing to communicate. My last company was acquired by NCC Group, a UK public company, and I haven't met anyone from the UK side who was certified either.
I never once said that certifications are required to do this work though did I?
I started my career in security at 35, a few years ago.

I had a strong reverse engineering background from the software development projects I'd worked on professionally, and had dabbled in security-related things in my free time, so certifications weren't required.

It has been a pay increase rather than a pay cut, but I think that was partly due to moving location. I've had two jobs so far, and no shortage at all of offers when I was looking.

Having significant prior software development experience has been useful. About half of my work so far has been writing tools to assist vulnerability research, and the other half analyzing and discussing security bugs with the developers responsible for making the fix, so having this background has helped in both of these. But it depends what area of security you're aiming for.

I would say go for it, put your resume out there, if you've done anything at all even tangentially related to security in your working life then you have a good chance.

To be honest, I didn't think I had a chance compared to all the elite hackers and researchers who've been doing this sort of thing for years, and was surprised it all worked out.

Hello, can you provide an email address where I can contact you? I am very early in my career but it seems we've had similar paths and I would like to ask you some questions.
Starting career X at age Y. In tech, answer is always yes. How bad do you want it?
40? By God, that's a young whippersnapper. I do remember starting to feel discrimination/agism around 42, and even considered leaving IT, knowing my age would only go up.

Go for it! The agism counter-wind is still weak at 40.

six figures at 40 is not a brag ...

do it. you have the right background and demand is off the charts.

don’t waste time with certs. do buy a CISSP book though to make sure you know what you need to know.

You could take a pay cut learn the business at another firm then start your own shop in two years, #win.