by bostik 2504 days ago
I keep telling people who want to get into infosec one thing over and over: most of the infosec work is not about breaking [into] things, it's about incredibly boring reporting.

The truly interesting bits are on what to investigate/automate, what to report from it - and how.

If you're really good, I recommend focusing your long-term efforts on usability. Security gets a bad rap because far, far, FAR too often increasing security of <something> means reducing that thing's usability. But if you can find a way to improve <something> in a way which makes it more secure and more usable, you can't keep people away.

Fact of life: people gravitate towards convenience.

1 comments

I keep telling people that the person who applies the patches needs to be qualified, paid, AND TRAINED just as much as the guy who wrote the fancy paper on maintaining security, and that development and infrastructure need to be more simplified, otherwise security will likely not be implemented properly... companies rarely heed the warning. And that leads to breaches that PR teams, which get paid a LOT within companies, fight furiously to squash.