Hacker News
by WJW 1581 days ago
That is why being responsible for security is such a shitty position in most organizations. You have barely any upside since "we didn't get hacked" is the default, but if you do get hacked it is at least partly on your plate. Most vulnerabilities are things you never have heard of and possibly never will. Finally, you will be hated by every PM/dev trying to get something shipped and will continuously have to defend yourself from executives trying to get their pet project expedited.

Even worse than a full time security person or team is the dev who cares a little more than usual and gets manipulated into doing "security" part time while still being part of a normal team. That is just a fast track to burnout: massive responsibilities with almost no power. I've seen it multiple times now and it never seems to end well.

1 comment

This is why it's so important for the organization and C-level to be fully bought into security. What I've seen work in the past is for the devs/PMs to own security for the products they develop, and own the liability for security vulnerabilities. In this model, the security team acts more like an internal consultant that accepts invitations to review products/services.