by batch12 1816 days ago
A method to transition people from related fields would be the most beneficial. Taking someone with a background in systems administration or programming and nailing on the security skillset would be more effective than taking someone who knows all security concepts and that's it.

The best way for a practitioner to personally capitalize depends on their background. For instance, someone with infrastructure support experience may make an excellent incident responder. Someone who deeply understands how systems work could be a talented pentester.

Edit: From a compensation perspective the solution is to take your growing experience to the next company willing to pay for it.

1 comment

The problem is it isn't about nailing on the security skillset. It's about executive motivation. "Security" is all about doing enough to shift liability and nothing more. Until executives are liable for security breaches this will continue.
Actually, this smells a lot like a financing decision. Delay near term revenue to ultimately land a bigger purse down the line with additional features or bugs squashed provided the competition doesn’t beat us to the finish line. As the enterprise grows (customers/features -> lines of code) the liability associated with an attack increases—suggesting more care is needed with every release. And, knowing that you cannot keep up with scale by adding workers in parallel implies the following unsubstantiated claim:

As a piece of software grows in length, the releases must be fewer and further apart. Otherwise, the team is taking shortcuts and the liability will eventually catch up with them.

With that framework in mind: if large software company X stretches out their release schedule, their share price will fall, eventually appealing to activists who want to control/replace leadership (ironically for doing the right thing).

I'm a through and through capitalist, please don't get me wrong, but this is creative destruction at its finest!