by bostik 3217 days ago
To echo a sibling - that's not a bad thing. But let's add some context.

Security is one of the few fields that can truly benefit from a holistic approach. Really good QA people who can code and work directly with both marketing and engineering can lay the same claim to their field.

Once you have enough experience in development AND security, it's easy to add product life-cycle[0] considerations into the mix. When you get that far, you're expanding into architecture and workflow engineering. And this is where it gets interesting...

If you end up being responsible for security matters as part of engineering workflow, you will find yourself also deeply involved in compliance. People who have a solid background in development, work on architecture or product life-cycle, focus on practical security, care about engineering workflow -- and can tie all this together to satisfy compliance requirements are rare. Very rare.

Not to mention employable.

The ability to meet ever-changing compliance requirements WHILE maintaining sanity, engineering workflow and development velocity is already in high demand. It can be very satisfying too, because you end up covering architecture, production systems, development and business needs, all together. The approach has to be holistic, because nothing else works.

The common wisdom is that security is a process. It's also a mindset. And a mindset can be taught...

0: Magic acronym is "PDLC" - Product Development Life Cycle