[biztos]

I've been working in Security Per Se for more than 10 years and I would also be reluctant to call myself a "security expert" -- as would most of the people I respect in the business. (Free pass for CVs in motion of course.)

This is because many of us have very specific domain knowledge which probably doesn't map to a layperson's expectation of "security expert" -- and while I don't see much "Impostor Syndrome" I would assert that most branches of Security will humble you if you really know your shit, so a great indicator of someone who doesn't is their readiness to claim broad expertise.

Yes, most of the work in "security" is just "software engineering" -- but my own experience has been that for people who care about the security angle, plenty of domain knowledge accrues over time. You might not even realize how much you have, but others do: for me there is a huge difference between working with an ops person who has internalized the adversarial worldview of Security and one who is "just a sysadmin."