You wanted to be a developer. You spent four years and thousands of dollars in school and managed to get your foot into industry. You spent a few years working a couple different gigs only to realize – this job just isn’t for you.
Do you find working in a dark room with no windows (I mean the things on the wall that let in sunlight, not the OS) to be a claustrophobic and dreary atmosphere? Do you find it tiresome to see the insides of your eyelids stained with the fluorescent glow of your preferred text editor? Maybe being a software developer isn’t for you. But there is still hope!
Hi, I’m Sean. And this is where I was not so long ago. I knew I wanted out of coding, and into security. The security-related parts of development were what interested me the most. But is it even possible to make that jump?
If you’re a developer who feels similarly, I’m here to tell you that it’s possible – and share how I did it.
You already have a great foundation of skills.
Your developer skill set is very valuable; you are not starting from zero.
For starters, most companies you will be doing security work for will be software companies, which you have presumably worked at. From working at a software company, you already know the realities of the Developer/QA/DevOps relationship and have firsthand experience with the tools they use.
Furthermore, most software companies do not implement SSDLC principles, which you may have a better insight into than security professionals with a different background.
In addition, from constantly writing and reviewing code (read: copying from Stack Overflow), you will have a much better time understanding vulnerabilities on a technical level.
Vulnerabilities in software very often exploit specific mistakes in coding, or oversights in algorithms that you probably worked through in school or your career.
How to Switch Careers
The first major thing that separates Dev/QA roles from Security roles is certifications. In a dev role, the hiring manager wants to see your work experience, your degree, and your GitHub; that’s pretty much it.
When you’re switching careers to security, you want to create evidence for the hiring manager that you’re really interested in a career change, and you want to learn more about the field so you come prepared and can speak intelligently about the subject.
Cyber security professionals ALL have certifications. The best basic one you want to start with, I believe, is Security+. It provides a good mix of ease of obtaining and applicability, but there are many other decent choices. RJ Russell, who was my hiring manager here at Fractional CISO, believes it’s important to get so that you aren’t outshined by everyone else who has it.
While you’re getting your cert, start immersing yourself in the world of cybersecurity. There is no better place to learn more about the cutting-edge field of security than the old-fashioned medium of books.
For some reading material, I’d suggest:
For good daily updates and up-to-date coverage, I’d suggest the SANS Internet Stormcast, KrebsOnSecurity, and BleepingComputer.
Eventually, you will move on to the next stage of your career journey.
After you complete your certification and feel confident in your baseline security knowledge, it’s time to start applying. With a good resume and cover letter explaining your desire to switch careers, you should start getting interviews.
This is the part I’m most excited to tell you about…
Cyber interviews are actually fun.
I know, it’s a real shocker.
You aren’t going to have to memorize complex sorting algorithms and apply them to some random problem they give you an unrealistic time limit to solve. You won’t have to stress out when the interviewer mentions you accidentally array OOBed because you’re writing on a whiteboard. And most importantly of all, no more figuring out the O(n) runtime for your algorithm (because EVERYBODY does that on the job, right?)!
Not in cyber!
I was asked questions about my experience and depth of knowledge. I was asked interesting, non-technical hypotheticals that were meant to expose my thought process. I was asked about my opinions on recent cybersecurity news and how I would deal with notifying a customer about an issue.
If you are interviewing with good cybersecurity companies, this is the experience you should expect.
Your certs and work experience do a lot of talking, but a lot of what you will be evaluated on is how well you interact with others. You may have to deal with clients as they are being breached, a CEO that doesn’t want to invest in a cybersecurity program, and many other difficult scenarios.
Your ability to deal with personal issues in cybersecurity matters so much more than as a dev, where you will often spend weeks working on a single project, with your main social interaction being code reviews from your team for PRs. Or having to bring DevOps donuts because you broke the build.
You will also need to think about your writing skills. One thing my manager told me after I got my role at Fractional CISO was that they really enjoyed the writing sample I gave them as part of the interview process.
I don’t think I’m the most technically dazzling writer, but you must be able to clearly convey cybersecurity points to non-security people to succeed.
Here’s a quick summary of activities I engaged in to make the career jump, which ones I thought were valuable, and which ones were not so valuable.
Things I did that were wrong/were not worth the time:
- Thinking I needed 5 certs to compete with other candidates.
- Telling people you are studying for a cert you don’t have; they do not care.
- Believing that I needed to remember port numbers and exact specifications of auth protocols off the top of my head.
What worked well:
- Getting the Security+ certification.
- Reading cybersecurity books.
- Immersing myself into the cybersecurity world by keeping up with daily security news.
What matters and what I wish I did more:
- Hone your organizational abilities and consistency. My colleagues at Fractional CISO are very well organized and gave me a lot of good advice for improving productivity.
- Becoming an efficient note taker. Security comes down to little details, and taking note of them may not seem important at the moment, but will end up being crucial information a month later.
In Conclusion
Making a career change is always a difficult decision. You’re leaving a path you spent years of your life following, and it’s not a guarantee that you will succeed. At least developers looking to enter cybersecurity have related valuable skills they can build on top of.
Build on those skills by pursuing an entry-level certification like Security+, reading security books, and paying attention to cybersecurity news, and you will be well-positioned to make the leap.
If you’re interested in starting a career in cybersecurity – whether you’re currently a developer or not – be sure to read RJ Russell’s blog about the topic, where he shares his insights as a cybersecurity hiring manager.