[dguido]

I don't think I agree with this, at all. It depends on what you do in security.

If you work as a pentester or network security staff, then you might be trading a career in software development for a career in operations. In that career, it's more likely that you will be challenged _use_ tools, build processes, or fight political battles for consensus, rather than build software.

On the other hand, there are many firms that hire primarily for security engineering and focus on building software. Any skills you have in software development will stay current, and your work in security would make you a better, and more desirable, software engineer.

Anecdotally, I can name many people who have made the jump from security engineering to positions like VP of Engineering, CTO, or simply software engineering.

[sillysaurus3]

See the sibling comment. Both stories are common, but I think my story is far more common. We don't have data so it's impossible to know, but of course you'd see a lot of people go from security engineering to VP or CTO -- those are the winners. Survivorship bias is a nasty beast.

[dguido]

I've only seen people make poor choices and limit their own careers. It's nothing inherent in the field of security that forces people to let their dev skills atrophy while turning into script kiddies or non-technical managers. You should be aware of what you are doing when entering ANY new field.

Obviously, if you enter a job where you have to "fight for dev time" as the sibling comment you refer to mentions, then your skills as a dev will suffer. That's not a good career path if you think you might want to return to software development one day. Find a job in security engineering, of which there are many, where you have to fight to take breaks from coding instead.

I think people have a confirmation bias that the security industry is made entirely of "netsec/pentesting" jobs since the news cycle is driven by hype from bug hunters, consultants, and vendor FUD. There are enormous numbers of people working on designing and building new security tools, capabilities, and research. Do that.

Finally, I'd like to say that if my own company wound down tomorrow, I am confident that every single one of my ~30 engineers could find a job in software engineering in an instant.

[the_cyber_pass]

Coming from someone who holds your company in high regard and loved your companies work in the CGC I really have to disagree. You can be neither a script kiddie or a non-technical manager and still have webdev shops view you with suspicion for much the same reason node shops might see someone who has a lot of Java on their resume as someone who may not be a good fit because of 'technical baggage.' We can say that someone just needs to 'git gud' but I do think it's important to acknowledge that many times their are biases that get placed which are not always 100% rational.

Edit: Also I do believe your claim about all 30 of your engineers being able to find work elsewhere. You have to admit the average employee you have probably isn't reflective of anywhere near the average of the industry or even the enthusiast community.

[dguido]

That sucks, and I'm sorry to hear that. I guess we can both agree that firms with such immature views probably don't deserve your resume to begin with.

[the_cyber_pass]

Happens and I wont pass judgement. The IoT explosion has been the best thing to happen for me in years career wise and now I get to combine the best of both worlds.