by generated 1816 days ago
Best way to capitalize on this?

Infosec employees follow the same anemic HR compensation song and dance, often lumped in with all engineering as a category.

Security startups are known as "cockroaches": they never die, but they are a hard bunch to grow into unicorns.

Contracting really only seems amenable to a small bump in lifestyle business level rates.

5 comments

Fuck Unicorns.

What's wrong with being large enough to live well, but still do the job correctly, and not botch your email migration?

> often lumped in with all engineering as a category.

In recent years I’ve seen no evidence “Infosec people” are worth more than general engineers, and quite a lot that they are worth considerably less. And yes, this is when it comes to security matters.

The industry, as far as I can tell, is about 80% chancers who got into Infosec because they couldn’t cut it creating software.

This is similar to my experience. About 95% of security folks I interact with are compliance folks who audit and make sure checklists are done.

The other 5% are super smart and are basically engineers who specialize in security.

I feel like many cyber people get certs and then hope for nothing bad to happen. When something bad happens, they claim that someone else didn’t do something right or get fired and move on.

> Best way to capitalize on this?

Have you considered starting a ransomware gang?

A method to transition people from related fields would be the most beneficial. Taking someone with a background in systems administration or programming and nailing on the security skillset would be more effective than taking someone who knows all security concepts and that's it.

The best way for a practitioner to personally capitalize depends on their background. For instance, someone with infrastructure support experience may make an excellent incident responder. Someone who deeply understands how systems work could be a talented pentester.

Edit: From a compensation perspective the solution is to take your growing experience to the next company willing to pay for it.

The problem is it isn’t about nailing on the security skillset. It’s about executive motivation. “Security” is all about doing enough to shift liability and nothing more. Until executives are liable for security breaches this will continue.

Actually, this smells a lot like a financing decision. Delay near term revenue to ultimately land a bigger purse down the line with additional features or bugs squashed, provided the competition doesn’t beat us to the finish line. As the enterprise grows (customers/features -> lines of code) the liability associated with an attack increases—suggesting more care is needed with every release. And, knowing that you cannot keep up with scale by adding workers in parallel implies the following unsubstantiated claim:

As a piece of software grows in length, the releases must be fewer and further apart. Otherwise, the team is taking shortcuts and the liability will eventually catch up with them.

With that framework in mind: if large software company X stretches out their release schedule, their share price will fall, eventually appealing to activists who want to control/replace leadership (ironically for doing the right thing).

I’m a true and through capitalist—please don’t get me wrong, but this is creative destruction at its finest!

What makes you believe you can run a unicorn size organization and not see its general level of quality for the employee/customer become shitty like the rest?