[d4mi3n]

They may not have one, or have one that’s so underwater with larger issues that the rest of the org doesn’t know how to route things to them.

Hiring for technical security is hard—you need engineering expertise to find good people, and then you need someone with an infosec background to vet them.

Finding a combination of both is surprisingly rare and you usually find infosec folks who can define but not implement a security program, or an engineer that can implement a security program with no idea how to run or grow it.

I need more peers in this space. If you’re reading this and are a software engineer looking for a transition please do reach out—email is in my profile. There’s a huge demand for security engineers and not nearly enough engineers interested in doing it.

[cinntaile]

How do you mean? Do you mean infosec people usually don't have degrees?

[d4mi3n]

That depends entirely on their backgrounds. I myself do not. The status-quo here isn’t too different than anywhere else in the tech sector.

Many security engineers transition into infosec from related fields like IT, DevOps, Network Engineering, Product Engineering, or similar. This tends to work out well since security engineers work closely with all of those areas within an organization.