by diminoten
2510 days ago
I dunno about some of this; working for a security company in a non-security software role gets you a lot of adjacent experience (take extra courses mandated by the company, go to extra talks, work with super smart security people), but I don't consider myself anything like an actual security expert after doing this for nearly 8 years. There's a lot of not-security work to be done in the security industry, and it's not all work that gives you security-specific experience. I like to think I'm good at what I do, but it's not security, even though it's to help security people.
This is because many of us have very specific domain knowledge which probably doesn't map to a layperson's expectation of "security expert" -- and while I don't see much "Impostor Syndrome" I would assert that most branches of Security will humble you if you really know your shit, so a great indicator of someone who doesn't is their readiness to claim broad expertise.
Yes, most of the work in "security" is just "software engineering" -- but my own experience has been that for people who care about the security angle, plenty of domain knowledge accrues over time. You might not even realize how much you have, but others do: for me there is a huge difference between working with an ops person who has internalized the adversarial worldview of Security and one who is "just a sysadmin."