Sorry but this "fuck certs" mentality just does not hold true for the security industry. It might be true in software but not here. The security industry is much more regulated than software, and with good reason - how is a company looking to hire penetration testers or blue-teamers supposed to tell between somebody who is doing their job and somebody who isn't? If a security professional does their job properly then you won't notice anything at all.
Yes, certs are not everything, but they are proof to an extent of one's ability. Some certs like the CEH are worthless but others like the OSCP or CRT (in the UK) are definitely not worthless.
The whole "fuck certs, I don't need a piece of paper to show I can do something" is somewhat juvenile and really only applies to the software industry. Most other industries have some form of regulation.
I've been in the security industry since 1997. The last 13 years of that were spent building consulting teams --- amusingly, the first of which was one of the largest app pentesting firms in the country, and the current one is focused on "blue-teamers", as you put it. I have no idea what "regulations" you're referring to, and am certain that certifications --- very much including OSCP --- mean fuck-all in the real world.
In the UK at least there has been a strong drive to regulate security companies through organisations like CREST and CHECK. The problem is that it's an industry with a massive amount of hidden information. If somebody does a pen test on a corporate network and says "we didn't find any vulnerabilities", how does a company know if they have actually done a thorough check or if the network is genuinely secure?
Yes in an ideal world we wouldn't need certifications or exams or anything but this isn't an ideal world.
I don't know what part of "there are no certificates required to do this kind of work" I'm failing to communicate. My last company was acquired by NCC Group, a UK public company, and I haven't met anyone from the UK side who was certified either.
Absolutely those are all important qualities but the idea that certs are completely worthless just doesn't hold any weight.
Can I ask if you apply the same logic to lawyers? Do you think the bar exam is pointless? What about chartered accountants? Or engineers? Should pilots have to pass a test? What about driver's license tests? Are they just worthless pieces of paper too?
The practice of law is an older field. When I hire a lawyer, I presume that they have sat for the bar, but my inquiry goes much deeper. If I need a contract reviewed, I try to ascertain if candidate lawyers have experience reviewing contracts, and look for recommendations for that service. If someone were to sue me, I would look for a lawyer who is experienced at litigation. In this case, a lawyer's certification, which is the bar exam, is a known test for the knowledge of law, which is done after serious study.
Certifications such as the CISSP don't tell me as a hiring manager anything about a candidate's skill in the required areas. As a buyer of security services, a shop with CISSP services often has a negative correlation with quality of an application penetration test.
Hey, I'm about 8 months ahead of you, I quit my dev job and studied full time to get the OSCP and then took a job as a security consultant with the aim of being a full-time penetration tester. Now I'm going back into development. Security is a broad field but if you want to get into pen testing then you are definitely in a good position skills and career-wise. And yes the security industry is booming at the moment and will likely continue that way.
Don't bother with SANS certs, they are just too expensive and not worth it for an individual to take. I would highly recommend the OSCP, you will learn a ton and if you pass it's a very well respected cert to have. Stay away from certs which don't have a practical element, i.e. Certified Ethical Hacker (CEH) which only requires a multiple choice test, nobody cares about these kinds of certs.
However, based on what you say in your post, I don't think it's a good idea for you to switch to security. You will likely have to take at least a few months to study for a cert like the OSCP in order to get a junior pen tester role and once you do get that role, you will be earning a junior's wage. Another option would be to spend a few months doing bug bounties to prove yourself but this will also take time to learn the ropes.
You might be lucky and not have to take a 50% pay cut, but the chances are you will have to take at least some kind of pay cut. Do you love security enough that you are willing to do that? For me the realisation was that I was starting at the bottom of the ladder as a pen tester despite coming from a very well paid dev job and I was wondering "do I really enjoy this enough that I'm willing to wait a few years until I am earning the same money I was as a dev?". I did like working in security, but not enough to make it worth it for me to start out at the bottom of the ladder again. Also I'm in my late twenties with no kids.
Also one thing to keep in mind, and this varies depending on what kind of security job you have, but in pen testing at least there is a significant amount of travel involved which isn't necessarily compensated for by your salary (at least not at a junior level). This is one thing to keep in mind especially since you have a family.
Finally, you mention that you "spent my entire career in the world of sysadmin/SRE/shitty dev". I would suggest trying to look for a "non-shitty" job in one of those fields; you already have a wealth of experience so I would use it to get a job that you like, certainly not all dev jobs are shitty. Maybe you need to learn a new language or framework or gain some specific domain knowledge in order to work on more exciting problems or in a better environment? A lot of the posters in this thread seem to make it out that your job experience will almost mean that you can walk into a security job. While your experience is extremely beneficial, ultimately there is nothing that prepares you for a security job more than the job itself and most pen testers know this. Hence you will likely have to start out as a junior again. Also my experience is based in a large city in the UK (not London), so it might vary from location to location but I doubt the industry is that much different in the US or anywhere really.