by Nextgrid 2087 days ago
"Security people" spend most of their time dealing with dubious compliance requirements that rarely improve security (in most cases they annoy users and force them to use even less secure workarounds) rather than actual security, like reviewing code to catch things like this and implementing policies to make sure unreviewed code doesn't make it to production.

And the standards for getting into security vary, a lot. I've worked with extremely knowledgeable security researchers, and people who were promoted from helpdesk (typically in areas like compliance), with very little knowledge outside of some certificates. With the latter I often had to explain pretty basic stuff, like how digital signatures work and why the client needs to know the public key.
In some cases, mandatory compliance measures even worsen security with rules such as requiring some kinds of characters in a password for instance.