Related to this, every security team I’ve ever interacted with barely knows how to work a computer and mostly operates off of commercially purchased scanning tools and security agents.

My theory is that security is the least desirable part of the entire software engineering stack - it’s boring, has a lot of blame and liability potential, and it’s a cost center. Heck at least infrastructure folks get to brag about things like cost optimizations.

As a result it seems to me that security attracts the kind of people who view it as a way to wear a digital uniform and badge.



I recently started a CISSP course and discovered this. I was so excited to finally be getting into security and the next thing I know I'm 3 hours into recordings about pointless jargon and control taxonomies. I know there is a place for the latter at least, but it isn't something I want to do every day.


Pivot to OSCP instead.

CISSP will have you learn the required strength of a light bulb to light the alley behind the office. OSCP will introduce you to overflowing a buffer and pwning a remote service...

I know which one I find preferable to learn :)
