by phil21 3029 days ago
Yep. The vast majority of "security" folks I've worked with could be described as "compliance" folks instead.

Almost nothing is done for actual real infosec, and in many cases their existence actually is a step backwards.

A real security-minded company (and I've worked for some) doesn't have such a silly thing. Everyone is considered part of the security "team" since that's the only way secure services and software actually get built.

Hiring some random dude to run halfass tools against hosts and generate reports is simply checking a compliance box and only serves to act as a CYA for the organization and, more importantly, its officers. Almost no one actually cares about real data security, in my experience.